The EU’s New Data Regulations Might Affect You. Here’s What You Need to Know.

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect. This regulation enhances the protection of the personal data of EU citizens by regulating the use and storage of personal information on EU citizens. According to Hubspot, just 36% of marketers have heard of the GDPR, while 15% of companies have done nothing about it and are at risk of non-compliance. As marketers, we must be aware of these new rules from a legal standpoint to protect our business. Here’s what you need to know*:

What is the GDPR?

The GDPR’s aim is to protect EU citizens’ data privacy while reshaping the way organizations approach data storage. This new regulation requires companies to provide EU contacts the opportunity to consent to having their data stored. EU contacts also have the right to access their information at any time, and they have the right to ask companies to no longer store their information.

Are you a US-based marketer wondering why you should care?

The reasons are quite simple:

  1. Even if you are not in the EU, if you collect or store information on EU citizens, the GDPR will apply to you.
  2. Failing to comply with the GDPR can result in fines up to €20 million or 4% of your company’s global annual revenue. That’s not something produce companies should take lightly!

Here are a few steps to consider to become compliant:

There are multiple components to achieving compliance, and we’ve listed the GDPR’s key points below:

1. Privacy Policy

Does your company have a privacy policy in place? If the answer is no then we highly recommend that you seek an attorney’s counsel to put a privacy policy in place ASAP, whether the GDPR applies to you or not. If your answer is yes then kudos to you! You should still review and consider adding specific language regarding the tracking and use of your website’s cookies if you don’t have this already. For example, do you use Google Analytics? Your Privacy Policy should include information about this. If it doesn’t, it’s time to update it.

2. Consent

Under the GDPR, a contact needs to be informed that their data will be stored and used by a company when they’re submitting any form (Hint: do you have any forms, like a contact us form on your website?). Their consent will need to be freely given and specific, and the language used to obtain this consent must be clear and easy to understand. Hubspot has created a step-by-step guide to help marketers achieve this aspect of the new regulation.

3. Cookies

To become compliant, organizations need to stop collecting cookies, or they must obtain consent to continue collecting and tracking cookies. Your company will need to receive informed consent and document each contact’s consent if you choose to continue tracking cookies. (Hint: Google Analytics uses cookies.)

4. Right to Access

This key point simply states that contacts have the right to request their data from a company. This data should be provided free of charge and in an electronic format.

5. Right to Be Forgotten

Contacts have the right to request that a company erase their personal data. This will also impact third parties that have received a contact’s information (Cambridge Analytica, anyone?). A way to implement this step is through the end-of-relationship or unsubscribe links that are already required in email communication under US law. Under the GDPR, however, when a contact unsubscribes you’ve got to fully erase them from storage, not just stop sending them emails.

6. Breach Notification

Notifying all of your contacts of a potential breach of their information is mandatory under the GDPR if the breach is likely to “result in a risk for the rights and freedoms of individuals.” Notifications must be sent out within 72 hours once a company is aware of a breach, but it is highly encouraged to notify those impacted as quickly as possible.

As US-based marketers, we’ve learned that there are steps we can take simply as a best practice that will comply with the GDPR, so we highly encourage other fresh produce marketers to read up on the law and consult with an attorney if they work within the EU or have European contacts in their database. If you’re a fresh produce marketer and you want further guidance, please feel free to reach out to us. While we aren’t versed in legalese, we will do our best to advise you and point you in the right direction!

The full text of the law can be found here.

*Please note that we are not attorneys here at DMA Solutions, so we highly recommend that you obtain additional legal counsel if your company transacts within the EU, if you have European contacts in your database, or if a branch of your company is located in the EU. This post comes from our perspective as marketers and is meant to help you become aware of steps you may need to take.
