Are You Ready for GDPR, Europe’s Upcoming Data Privacy Requirements?

Privacy is probably one of the least appealing topics in marketing. But this one’s a doozy. On May 25, 2018, any company that is not in compliance with the European Union’s new opt-in regulations is at risk of a fine of up to 20 million euros, or 4 percent of their global topline revenue.

Yipes! Most B2B marketers have customers worldwide. The General Data Protection Regulation is something we cannot ignore.

The interesting thing about this new regulation is, it’s not about marketing per se. It is not just focused on prospecting, like the CAN-SPAM and Do Not Call regulations in the U.S. It’s about consumer control of their data, and their comfort that it’s being protected.

Linnette J. Attai, whose consultancy PlayWell, LLC, specializes in compliance, explains that the consumer is the data “subject,” and the firm with whom he does business is the data “controller.” The controller decides how the data will be used and protected, and may be supported by a “processor,” like an agency or data services provider. The controller must be able to demonstrate that the subject has agreed to the controller’s data usage and storage plans.

The data elements likely to be at issue include a name, a photo, an email address, bank details, posts on social media, medical information, or a computer IP address.

As business sellers, we may be in somewhat better shape than our consumer marketing counterparts. First of all, an existing business relationship implies consent on the part of the customer. Furthermore, the reg requires businesses to buy only from firms who are compliant. So your existing customers are probably already hounding you to amend their contracts to include GDPR language, says Attai. And if a new contact at the existing account gets involved in the relationship, they may be covered under your existing contracts. Or you could provide the required notices, ask that person to check a box on an online form, and be done with it.

But for a “net new” account, it’s murkier. In the course of business with a new customer — for example, in your contract — you need to gather their agreement as to how you will use their information. But apparently it does not always mean that you must get GDPR compliance in advance to make cold contact with prospects. Most EU prospecting data—email and direct mail lists—already include opt-in permissions. Look for prospecting data that was opted in under GDPR specifications.

GDPR also specifies various technical elements, like security levels, auditability, cross-border data transfer, and procedures for reporting data breaches. B2B firms are going to need help determining how to comply.

One helpful resource is Pauline Murphy, managing director of 1 Stop Data Limited, in the UK. She specializes in B2B prospecting, and operates a multi-language call center in Ireland that calls into the EU and the Middle East. Alongside lead generation and data hygiene calling, she offers GDPR compliance services. Seems like a nifty solution to me, since you get demonstrable compliance along with an extra marketing touch, plus a chance to update your customer records and add new contact names.

So, what should we all be doing? That’s the funny thing. Since the regs are new, no one is entirely sure what exactly needs to be done. But most experts advise that you take steps, and don’t dawdle. If the regulators want to make an example of a company next May, let’s not let it be yours. Get started with and

A version of this article appeared in Biznology, the digital marketing blog.

Brexit Backlash and 7 Ways Bold Decisions Fail

The United Kingdom made a bold decision to leave the European Union on Thursday, the so-called “Brexit” vote. By Tuesday, news stories were already piling up that … maybe it wouldn’t?

Was John Oliver trying to describe Brexit ... whatever Brexit turns out to be?

Now there’s talk of a petition to hold a second Brexit vote since the results were so close.* Beyond that, Prime Minister David Cameron is resigning without initiating the exit from the E.U., and it’s possible his successor won’t either. In fact, there are many ways that Brexit, despite success as a non-binding referendum, might not happen at all.

How many times have you seen that in a business? There are conversations, meetings, you think a decision has been made! … only to find out no one’s following through on it and the “decision” wasn’t worth the breath behind its words?

We glorify bold business decisions, but it’s easier to get behind them than follow through on them. There are many forces that work against a bold decision, and in the Brexit backlash we can see some of them in stark relief.

Here are seven things you must do to support a bold decision that the U.K. has not done thus far in Brexit.

1. Get Broad Support — Brexit Did Not

Perhaps the biggest weakness of the Leave faction in the British referendum was its narrow margin of victory: Less than 4 percent. With over 33 million voters, the margin was less than 1.5 million. That’s not so close as to be illegitimate or demand a recount, but it’s not enough to support continued difficult action.

All bold decisions come with a price, and that price will chip away at support; 51 percent for becomes 51 percent against very quickly.

2. Manage Expectations

I’m not going to belabor this one, since it’s going to be one of the first takeaways on any list about sales or management. But I also don’t want to naively breeze over the natural tension here: You build support for a bold decision by talking up the benefits and minimizing the costs and other downsides. Many votes are swayed by the emotion behind your argument and your attitude, and not the simple pros and cons. That’s just the way people are, and just the way politics and business are done.

But there are limits to how far you can push that sunshine before it comes back to burn you. If you say “The money’s going here,” when in fact it’s going there, people who notice that will be upset.

This happened in the Brexit campaigning. An important campaign point for leaving the E.U. was that a £350 million payment the U.K. makes to the E.U. could be put to the National Health Service instead. Hours after the election, Leave leader Nigel Farage backtracked on it.

That’s exactly how 51 percent in favor turns into 51 percent in opposition.

3. Decisions Must Be Binding

This is another obvious one, but again, it’s an issue that’s epidemic in business. The Brexit referendum was non-binding, which opens the door to leadership simply ignoring it.

Now, theoretically that leadership would be voted out in the next election, assuming Brexit remains a determining issue for voters. But that’s a big assumption, especially when the majority is thin. Add some pain from the bold decision — people start to think about how following that decision means losing revenue from another area, or workforce may be reallocated in ways that are unfavorable to them, or your political leader may immediately say you were stupid for believing his campaign promise — and non-bound supporters start wriggling out of the work it takes to enact the decision.

4. Be Moving Before the Hammer Falls

All births are painful, and your bold decisions are no different. The hammer is coming down, and if you haven’t taken action on the decision by the time it hits, then that pain is all your decision will be known for.

The day after the Brexit vote, markets crashed and the world economy lost $3 trillion over the weekend, with the U.K. itself taking the hardest hits. There is speculation the British economy may slip into a recession from just this one vote. It’s being called “The Brexit Crash.”

Privacy or Trade Barrier? Searching for a New ‘Safe Harbor’

The Court of Justice of the European Union has ruled that the European Union-United States “Safe Harbor” Agreement, which allowed collection of E.U. citizen data by U.S. entities because the two governments had analogous levels of privacy protection, is no longer valid.

First, there is no legal advice in this blog post (there never is) … just a little bit of reporting.

The Court of Justice of the European Union on October 6 ruled that the European Union-United States “Safe Harbor” Agreement, operating since 2000, was no longer valid. The “Safe Harbor” had enabled cross-border data flows regarding EU citizens to the United States because the U.S. was deemed to have inadequate privacy protections under the EU Data Protection Directive of 1995 (which took effect in 1998). The “Safe Harbor” provided needed protection cover. That is no longer the case.

In its decision, the Court also ruled that individual data protection authorities in 28 EU member states have new powers to deem any cross-border data transfer mechanism as non-EU regulation compliant — even if the European Commission may feel otherwise.

According to a recent Webinar (October 9), the nullification of the Safe Harbor affects more than 4,000 U.S. companies alone that have relied on it. While the Court reportedly wants data to continue to flow between the world’s two largest markets, it sees an immediate need for a new level set of privacy protection in the United States, and is committed to providing guidance as soon as possible as to how such protections can be afforded and data flows and data processing reinstated. The rub is not with U.S. companies per se – the trouble originates with U.S. government surveillance and law enforcement agencies in the wake of Edward Snowden’s 2013 revelations.

As one Professor wrote:
The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however).
Ars Technica, Oct. 15, 2015

In the wake of the decision, privacy advocates reportedly have given three months for a new U.S. and EU “Safe Harbor 2.0” agreement. Otherwise, they will seek coordinated action by EU data protection commissioners against individual companies operating under the previous Safe Harbor, which again is immediately invalid. Alternatively, businesses are left to model contract clauses or binding agreements with national data protection authorities — not challenged by the court’s decision — to maintain (where present) or reinstate (where newly concluded) personal data flows outside the EU. Risk assessors must be busy.

U.S. and European governments have been working on a new Safe Harbor 2.0 for at least two years, according to Andrea Glorioso, counselor, digital economy/cyber, Delegation of the European Union to the United States. No one is certain when such a revised Safe Harbor agreement may be finalized, but, given the ramifications of the EU court’s decision, it’s in no one’s interest to let this carry on for long.

And a little bit of opinion: Mass surveillance by government and law enforcement — to combat crime and terrorism, for example — and responsible data collection and use by the private sector in the pursuit of economic growth are not the same subject, and should not be linked. Let’s hope a new Safe Harbor will differentiate the two — and not just for Europeans. It’s not as if American citizens are free from worry about what European governments may be up to, and that’s a concern that extends inside our own borders, too.