The GDPR European data privacy law has finally come into force today. And it’s apparently just overtaken Beyoncé in Google searches - no mean feat for a piece of EU legislation when you consider Beyoncé has over 115 million social media followers!
The lead-up to GDPR’s implementation has generated considerable confusion amongst businesses in Europe — which is showing no signs of abating just yet — so it’s no wonder it’s caused even more confusion for companies in North America.
But, contrary to misconceptions, it does not mean Europe is now a more difficult place to do business.
Complex regulations
GDPR (the General Data Protection Regulation) is certainly a complex set of rules. And, in theory, any company dealing with European citizens — no matter where the business itself is based — could be hit by penalties up to €20 million (or 4% of worldwide turnover) in the worst cases of non-compliance.
But despite this, and contrary to widely-held belief, the regulations are not unduly restrictive or onerous as long as you get the right advice and take a proportionate, practical approach.
Security measures
The GDPR measures requiring data to be held and processed securely, and for any security breaches to be reported, are simply good basic business management.
A well-managed company should already have these systems in place for its own protection. If GDPR prompts you to take a second look at your security procedures and tighten up a few areas, that’s no bad thing.
The requirement to be able and willing to disclose, update or delete people’s data on request is also perfectly reasonable and should not pose any great difficulties for companies.
The misconception of consent
By far the most confusion surrounds the legal bases for processing personal data — particularly the popular belief that you now need to jump the huge hurdle of gaining consent from everyone you deal with in Europe.
If this were true, I’d agree Europe would have suddenly become a difficult market in which to operate.
You can’t realistically run a North American company with a European operation without processing the personal data of European citizens. It’s vital for marketing your business on the continent, for managing European partners and suppliers, for taking customer orders, for delivering products and for providing after-sales support.
There’s also no doubt that gaining consent is tough to achieve: unless they’re at the point of buying, few people will actively give you permission to process their details.
But it’s simply not true that permission is always (or even often) needed: consent is just one amongst six lawful bases for data processing under GDPR.
The flexibility of legitimate interests
GDPR provides other legal grounds if, for example, it’s necessary to process personal data for you to fulfil your contract to provide goods or services.
And the most flexible legal basis of all is ‘legitimate interests’. This says you can process personal data, without permission, if you have a genuine purpose in doing so (which can include a commercial objective) and it doesn’t unduly harm the interests of the ‘data subject’.
In practice, this means you can handle European citizens’ details if it’s necessary to running your business and won’t be overly intrusive. And this extends to direct marketing to Europeans, which you can lawfully carry out under GDPR — without permission — as long as you give your identity, have a clear privacy policy and give people a simple way to opt out if they wish.
Complicating factor
There is one complicating factor that may affect certain marketing activities of North American companies selling to European consumers.
The European Privacy & Electronic Communications Regulations (PECR), which have been in force since 2003 and now sit alongside GDPR, have always said you do need consent to send marketing information to private individuals by email or text.
Because GDPR sets the bar for consent higher — requiring it to be expressly given rather than implied — this now means you need to avoid emailing and texting consumers without their permission.
But this relates only to email and text messages — and only to consumers: it doesn’t apply to business-to-business marketing at all.
Opportunity to thrive
So, GDPR is finally here. But it certainly does not mean Europe has become a hostile place for international companies to do business.
Contrary to popular myth, you don’t necessarily need consent to deal with European citizens, including email marketing to them if they’re business contacts.
The crucial point is to have simple, proportionate measures in place to ensure you’re covered. The UK’s Information Commissioner’s Office (ICO) has published a helpful 12-step guide, which is relevant right across Europe.
If you have a clear grasp of the regulations — or the right advice — and take a common-sense approach, GDPR should pose no regulatory barriers to the opportunity for your business to thrive in Europe.
Get in touch if you have any experiences or views to share about GDPR, or if we can help you with your business expansion or technology partnership plans in Europe.