What Publishers Need to Do About GDPR
The EU’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018. That’s only six months away, but I’m surprised by how many publishers don’t know about GDPR, don’t think it affects them, or they think they’re compliant, but they’re not.
We’d much rather focus on the fun part of publishing: creating great content, building our audience, and growing revenue. But legal compliance is now a core requirement of doing business online and GDPR takes online privacy to an entirely new level.
What is GDPR?
At its core, GDPR is a new set of European Union consumer protection regulations designed to protect the data privacy of EU citizens. The UK is also included … even with Brexit.
But don’t think this only affects publishers with an office or headquarters in Europe. The EU-US Privacy Shield Framework and the Judicial Redress Act mean that even U.S. companies could be subject to certain class action lawsuits from Europe related to GDPR.
GDPR is built on the concept of “privacy by design” and goes way beyond both the U.S. CANSPAM and the Canadian Anti-Spam Law (CASL). It requires publishers to get affirmative consent from someone prior to collecting ANY data about them. It also requires that you keep a record of such consent and give the individual the ability to revoke consent at any time, and to access, correct, or completely erase ALL data you have about them.
And, unlike most previous privacy regulation, GDPR extends beyond personally identifiable information (PII) such as email, name, demographics, purchases, etc. It also includes non-personally identifiable information such as anonymous cookies, IP, or digital fingerprinting. In the eyes of GDPR, there is no difference between PII and non-PII data … it’s all personal data.
Penalties for non-compliance can be severe … up to 4% of a company’s annual revenue. But potential GDPR penalties aren’t the only reason publishers should pay attention. Some advertisers (especially in the B2B markets) are already asking publishers if they are GDPR compliant and might withhold campaigns in the second half of 2018 if a publisher is not.
Of course, larger national and international media companies have more legal exposure than a regional lifestyle magazine for example, but technically all publishers are subject to GDPR. Even small publishers have some European web traffic, email addresses, or other data. (By the way, you can’t tell if you have European email addresses because they can use Gmail, Yahoo, etc.)
How Can Publishers Comply with GDPR?
In my role as SVP of digital for several publicly traded and private equity companies, I’ve had to learn more about online legal compliance than I’ve wanted to. But before we go any further, I must tell you that I’m not a legal expert. Each publishing company is different, so be sure to consult with your own legal counsel about GDPR compliance and your legal exposure.
That being said, here are some tips that can help you prepare for GDPR:
Track people’s consent and give them the ability to revoke it – You must have a way to track who has given you consent, what they consented to, and when they gave consent. You must also give people a way to revoke their consent at any time.
Give people the ability to access and fix their data – Under GDPR, you must be able to provide a person with a copy of all the data that you have collected about them. You must also have a way for them to change any inaccurate data about them.
Give people the right to be forgotten – Finally, you must also allow people to request that all their data be removed from your systems and put a process in place to follow through on that request.
Realize that you cannot grandfather existing people – GDPR does not make allowances for pre-existing relationships or existing data that has been collected. You must get consent not only for new people, but for everyone in your database.
GDPR Extends Beyond Your Own Systems
Personal data collection goes beyond your own systems. Your email service provider, CRM provider, circulation fulfillment company, ecommerce system, etc. are all considered virtual extensions of your customer database. You’ll want to talk with those providers to see how they are preparing for GDPR and how you will need to interact with them.
As a publisher, getting, tracking, and managing consent can be a daunting task to do by yourself. Fortunately, there are some systems available that are reasonably priced and can handle much of the heavy lifting for you. Please feel free to contact me if you’d like more information.
I realize this is a lot to take in. GDPR is going to force all media companies to take a close look at how they collect and manage people’s data. If you’re already prepared for GDPR, then you’re way ahead. If you’re not prepared … please don’t wait any longer. Consult with your legal counsel immediately because May 25, 2018 is not that far away.
Related story: The Coming Advertising Tsunami of 2018, Pt. 1