The General Data Protection Regulation will become enforceable on May 25, 2018. Many American companies are scrambling to prepare themselves for its enactment and working to understand what the new legislation entails. In the following post, we’ll break down what the GDPR includes, discuss its implications in the context of influencer marketing, and provide helpful tips marketers can follow to prepare for its looming enactment.
Put plainly, the GDPR is a new piece of European Union regulation that aims to protect European consumers by providing them increased rights pertaining to personal data. The regulation includes a number of measures that will force businesses of all types (brands, publishers, marketers) to alter the ways they engage with European consumers.
The General Data Protection Regulation (GDPR) was developed by the European Union over the course of four years and was officially approved on April 14, 2016. The regulation was passed with the primary intention of giving European consumers more control over their personal data, which the EU defines as, “Any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.” Notable examples of personal data include a person’s name, photo, email address, or social media posts.
Most notably, the GDPR requires that businesses gain a European consumer’s explicit consent before collecting his/her personal data. A request to collect and process a user’s data must also be presented in a way that is clear and accessible without, “…long illegible terms and conditions full of legalese.” Aside from the strengthened conditions regarding user consent, the GDPR includes six new data subject rights, each of which we’ll break down in depth below.
1. Breach notification
In the event that a company experiences a data breach, it’s required to inform users within 72 hours of first realizing the breach has occurred if the breach is likely to, “Result in a risk for the rights and freedoms of individuals.”
2. Right to access
If asked by a consumer, a business must confirm whether or not his/her personal data is being processed, where, and for what reason. The business or “data controller” must also provide a copy of the person’s personal data, without monetary charge, in electronic form.
3. Right to be forgotten
If asked, businesses must delete a consumer’s personal data, stop disseminating his/her data, and stop third parties from processing it. This right to be forgotten is also known as “data erasure.”
4. Data portability
Similar to the right to access, consumers will now be able to access the personal data that concerns them from a business. This personal data must be presented in a way that is clear and accessible.
5. Privacy by design
The GDPR also outlines that data protection must be included at the onset of designing an online system (e.g. Facebook) instead of as an addition. The regulation explicitly orders, “…controllers to hold and process only the data absolutely necessary for the completion of its duties.”
6. Data protection officers
Businesses or “data controllers” must designate a data protection officer who will be responsible for keeping an internal record of the personal data the business collects and processes. This person must be appointed on the basis of their knowledge of data protection laws and practices.
Although the GDPR is a European Union regulation created for European citizens exclusively, it applies to any business that directly or indirectly serves European citizens. This means that any company, European or not, that offers goods or services to European users, or in any way monitors the behavior of European users, must follow the new regulation.
Beginning on May 25th, companies must gain explicit consent to use the consumer data of approximately 500 million people. The European Union has also made it clear that failure to abide by the regulation will result in hefty fines. The maximum fine for GDPR non-compliance is approximately $24 million or 4% of a company’s annual sales (whichever is greater).
Many have discussed the GDPR’s impact on tech giants like Facebook and Google that collect swaths of user data in order to sell it to advertisers or deliver behaviorally targeted ads. According to The New York Times, both companies have tasked hundreds of employees to make sense of the GDPR, update the ways users can access privacy settings, and redesign features that collect large amounts of user data.
Google has reportedly redesigned several of its user consent agreements and altered its technology so that a user’s data can be easily removed, per the GDPR’s right to be forgotten. As one of the world’s largest ad networks, it’s been forced to significantly alter its business to become more forthright about the ways it collects and uses personal data.
The GDPR is also likely to significantly impact Facebook’s ability to generate ad revenue. Collecting and using personal data to create and deliver behaviorally targeted ads is at the center of the platform’s business model. Once the GDPR becomes enforceable, Facebook will no longer be able to analyze European users’ news feed posts to create targeted ads, unless a user’s posts are public or viewable by friends of friends. Although Facebook has access to an unimaginable volume of personal data, it will no longer be able to use it for advertising without obtaining explicit consent from users. According to an official Facebook blog post published on April 17, 2018 (see below), the platform has updated its terms and data policy in preparation for the GDPR.
For years, social platforms and ad networks have run their businesses according to a model in which users trade privacy for access. In order to use services like Google and Facebook for free, users give away their personal data. Overwhelmingly, the GDPR serves to disrupt this model. As a result, social platforms and ad networks may find it more difficult to generate ad revenue because access to user data will be limited, and thus less information will be available to craft effective advertising.
According to a recent survey, among companies preparing for GDPR compliance, 60% plan to spend at least $1 million in order to abide by the new regulation. To prepare for the GDPR, brands should first determine whether they serve, or may ever in the future serve, European users. If the answer is yes, marketers should examine how they gather, store, and use consumer data.
In the event that a brand may collect or process European user data, or already has, it should obtain explicit consent to collect and process users’ personal information. In gaining consent, marketers should also be transparent and clear in the way they use a user’s personal information and for what purposes.
Marketers should make any necessary changes to marketing contracts and explicitly define who is contractually obligated to gain a user’s consent before using his/her personal data. This may be particularly important to influencer platforms and third-party apps that access personal information through social media platforms.
The GDPR’s enforcement will likely position influencer marketing as a more appealing option for brands. The regulation challenges the effectiveness of native social media advertising by restricting the ways platforms can use personal data. As such, brands may increasingly turn to alternative forms of social media marketing, namely working with social media influencers.