Data Privacy and Security
Friday The 25th—Who Will Survive the Rise of GDPR?
The following is a work of fiction. Any similarity to actual businesses, or actual industry events, is purely coincidental. Braze cannot provide legal advice to our clients or to anyone else.
At the end of May, something’s coming. Something big.
Europe’s General Data Protection Regulation (GDPR) comes into effect on May 25th and has the potential to fundamentally reshape how organizations think about personal data and how to use it. If you’re already taking GDPR seriously, and are looking for concrete ways to think through your path to compliance, check out our exclusive GDPR: 17 Things to Know guide. However, if you’re new to GDPR and want a better sense of what’s at stake, read on for a spooktacular journey to that most dreaded of days… Friday the 25th.
You land in SFO on the morning of May 25th, on a half-empty red-eye from New York. Sleepy-eyed. A little grumpy. Your rolling luggage clicking and bumping as you exit the plane and “yeah-yeah” your way past the flight attendant’s cheery “Have a great visit in San Francisco.” And as you make your way through the glass-walled terminal, passing coffee kiosks just opening for the day, and confused tourists consulting folding maps as big as they are, an uneasy feeling washes over you. Maybe it’s the time difference or the early hour. Maybe it’s the thick, gray clouds filling the sky. But something feels off.
Then you’re at the taxi stand outside of terminal three, the first raindrops of the day hitting your phone’s screen as you check your email and text your husband a GIF from the opening credits of Full House to let him know you’ve landed safely. You feel a tap on your shoulder and turn—it’s Glenn, the CMO over at EmpathyRocket. He gives you a hug, asks after your kids, and starts telling you about this panel he’s going to be on at the TechQuake Conference downtown.
“I know,” you tell him. “I’m on it, too.”
He laughs, and apologizes. Then, a little sheepish, offers to share a cab. You smile politely, take him up on it. But as you’re loading your suitcases into the back of the cab, you turn to ask him if you’re taking up too much of the trunk when you see him staring at his phone, his face suddenly white. “What?” you say. “Is everything okay?”
He blinks, dazed, and looks toward you like he’s seen a ghost. “It’s my CEO,” he tells you. “He just texted that I have to fly right back to Cleveland because our company got fined millions over a marketing program that violated GDPR.” Then, pursing his lips: “…what’s GDPR?”
In Europe, they take privacy seriously. Very seriously. And while the United States has generally been pretty laissez-faire when it comes to securing and enforcing privacy protections for consumers in today’s mobile-first, internet-everywhere age, that kind of come-what-may approach doesn’t fly in Brussels.
Back in 1995, the European Union (EU) adopted the Data Protection Directive (Directive), which was designed to govern how organizations used personal data inside the EU. But while the Directive was groundbreaking for its time, it was written when the modern internet was still taking shape and the kind of data collection that smartphones and other mobile devices make possible today did not exist. The GDPR seeks to protect EU data subjects’ data and privacy rights in today’s mobile-first world.
So, back in 2011, gears started turning in Europe. The European Data Protection Supervisor put out an official opinion calling for the EU to do more to ensure that “existing general principles of data protection are still valid in a society which undergoes fundamental changes due to rapid technological developments and globalisation” and called for legislative changes to make that happen. That kicked off a process of debate and consideration that led to the 2016 passage of GDPR—changing the data privacy and security landscape, and implementing major new rules and restrictions affecting organizations working with the personal data of EU data subjects.
Under GDPR, which is scheduled to come into effect on May 25, 2018, all EU data subjects will gain the right to exercise more control over how their personal data is gathered and used by companies and other organizations worldwide. That includes the right to know when their data is being collected, to see that data, to have inaccurate data corrected, the right to have their data erased or the use of it frozen, among other rights—and these new rights apply even if the organization isn’t based in Europe, even if the data in question was collected years and years ago. (Yes, it’s THAT broad.)
When Friday, May 25th, dawns, the world changes. Companies that don’t comply with GDPR face fines of up to 20 million euros or 4% of their total worldwide annual turnover, whichever is greater. And under the regulation, any EU data subject can lodge a complaint with the supervisory authority in their member state, and those authorities can investigate and levy the fines. What does that mean? That if your personal data policies irk a single person from the EU, your company could watch its whole year’s profit margin walk out the door.
You’re in your hotel room a block from the Tenderloin, looking out the full-length windows onto Union Square. It’s 10am on the East Coast and you’re in the middle of a Skype call with your director of engagement marketing, the woman who headed up SoulPatchr’s GDPR compliance project in consultation with the company’s general counsel.
Shira tells you not to worry, that they’ve crossed all the “t”s and dotted all the “i”s when it comes to GDPR—and you know that she’s probably right. Your company spent a year and tens of thousands of dollars planning for today. Hired outside lawyers. Made changes to your app. Investigated whether beard shape counts as biometric data. Updated all your contracts with partners. And yet. Seeing that look on Glenn’s face, the moment when he realized that everything was going down the drain, that he might not have a job when he landed back in Cleveland—it was chilling. Might as well double check one last time.
After the call and a quick shower and an egregious cup of hotel-room instant coffee, you’re in the elevator—checking your step count and the weather forecast on your smartwatch—when the doors open on 12 and Suzanne, the CMO at Spooky Brands, steps in.
She’s on the panel, too, and the two of you used to work together at Microsoft a million years ago. You compliment her hair (which really does look nice) and by the time the elevator opens onto the lobby, you’re telling her about what happened to Glenn, how he’d never even heard of GDPR before it came and upset everything for him. Suzanne shakes her head, says that there are always things that slip through the cracks—but a law that big? It’s crazy. You laugh, and agree.
The two of you are walking toward the Powell Street BART stop, passing a Burmese restaurant and a pop-up selling artisanal mayonnaise, when Suzanne gets a call from her company’s general counsel. “Yeah, I know,” she says into the mouthpiece, sounding irritated. “Thank God we’re not based in Europe, right?” A long pause. A skeptical look. “That can’t be right, can it?” Then, turning to you, she asks in a whisper: “Does GDPR still apply to Europeans if they’re not living in Europe?”
You stare at her. “Um,” you say, “yeah. It definitely does.”
She swallows hard. “Shit.”
GDPR is an EU regulation, but its implications don’t stop at Europe’s borders.
At its core, GDPR is designed to ensure that European Union data subjects have real agency when it comes to their personal data and how it’s used. In order to make that happen, European authorities significantly expanded the data-related rights that EU data subjects enjoy, compared to those set down in the Directive.
But in today’s globalized, highly-connected digital landscape, privacy protections that only apply in a single country or even a single political union can’t fully protect anybody’s privacy. Accordingly, one of the biggest changes in GDPR is how much the regulation has expanded where those rights apply.
That’s key: while some laws and regulations are specific to a particular region or country, this one is different. Under the regulation, there’s no legal distinction between the obligations facing a Milan-based company and one run out of Detroit. All told, nearly 80% of U.S. companies could find themselves liable for GDPR-related fines if they fail to take the necessary steps to comply.
What does that mean for organizations in other countries? That means that treating GDPR like a European thing that only European companies have to worry about is a great way to get burned—so don’t.
Then you’re deep inside Moscone South, in one of the little auditoriums dotting the center’s subterranean depths. You’re seated on stage next to the other CMOs—Kelly from Adapult.io, Rupert from MyDye, Ravi from EZtargetZ, and Chantal from BudgetBling—half-listening while the moderator, a senior journalist from Wired, goes over what he’s going to ask and to whom.
As Ravi and Kelly (who know each other from Stanford) argue about who gets to answer the question about combatting discrimination in the tech industry, you try to focus. Try to make yourself pay attention to the panel’s flow and your place in it. But your eyes keep drifting back to the two empty seats to your left, placards still hanging on them, reminding you who should be sitting there.
It’s a little too easy to imagine that you’ve forgotten something, something essential. To think that you might be next. And though you know that you shouldn’t, you slip your phone out of your bag and start Slacking your assistant, asking him to go around and subtly take the department’s temperature on the GDPR front. You’re still typing when the moderator calls you out. “Planning to just wing it up here? See where the panel takes you?” You blush, apologize. Say that you’ve just got a lot on your mind, and nod toward the empty chairs. The moderator nods knowingly. “Got it. Day of Reckoning, huh?”
After the run-through, you’re standing in a branded coffee nook, sending your sister photo after photo of the line for the men’s room—which stretches all the way into Moscone North—and pondering what the nook’s sponsor, FiberMonk, could possibly be selling. On-demand fruit deliveries, you decide, just as the neon-green fluorescents short out overhead, draping the nook in darkness and pulling your eyes toward the corner of the room, where Ravi sits, laptop out, still arguing with Kelly.
“Look, we’re in compliance, okay?” he tells her, an angry vein standing out on his temple.
“Yeah?” she says. “That’s what Glenn and Suzanne thought.”
He groans, shakes his head. “You’re imagining things—GDPR didn’t even go into effect until this morning.”
“That doesn’t matter! The minute it DID go into effect, it applied to all that data you guys already collected on EU data subjects. You’re not grandfathered in, so all that stuff has to be in compliance, too.”
He gives her a deeply skeptical look.
You edge closer, managing to spill coffee on your blazer as you do. And watch, intrigued, nervous, as Kelly pulls out her tablet, pulls up a website and thrusts the device into her friend’s hands. Pointing insistently at something on the screen. Raising her eyebrows dramatically.
Ravi’s eyes go wide. “Shit. Seriously?” She nods. And he sits there silently for a moment. Rubs his forehead. Fidgets with his AirPods. Then says, quietly, “How did you guys handle it?” A hollow laugh. “You know, for my next job.”
But she waves him off. “You’ll be fine. All you’ve got to do is argue that you have a legitimate interest that justifies the processing you’re doing. That’s what everybody in Ad Tech is doing.” Kelly reaches over with her stylus and traces a lipstick-red oval around the section of the regulation referencing Legitimate Interest. “I mean, we don’t even interact with consumers—how are we supposed to get consent to track their data? It’s a nonstarter.”
Ravi frowns: “Really? I thought….”
“Well,” he says, “our counsel told us that we weren’t eligible to use the legitimate interest exception. You know, because you have to be able to prove that your company’s legitimate interest outweighs, like, the privacy rights of European data subjects. Which is pretty hard. So she told us we had to focus on making sure we got consent instead.”
Kelly stares at him. “For real?” she asks. He nods. “That’s… a problem,” she says. A pause. “Should we both call our…?”
Ravi grimaces. “Probably?”
And you watch from the corner of the coffee nook as they turn away from each other, pull out their phones, and start placing calls.
Personal data lies at the heart of GDPR. To comply with the regulation, organizations need to do more than just be thoughtful about how they collect, manage, and act on individual’s personal data—they also need to have a clear understanding of what constitutes “personal data” under GDPR and when they’re allowed to “process” it.
One of GDPR’s big innovations is its broad view of what constitutes the processing of personal data. “Personal data” isn’t just traditional identifiers like national ID numbers or email and physical addresses; the regulation also covers a wide swath of less obvious things, including IP addresses, location data, and biometric data like fingerprints. Under GDPR, any information that can directly or implicitly be used to identify someone is considered personal data—only truly anonymous data is exempted. Similarly, “processing” has a broad definition under the regulation: in essence, if you’re collecting, holding onto, sharing, or acting on any EU data subject’s personal data, you’ve “processed” it under GDPR. And once the regulation goes into effect, it applies to any personal data your organization has collected on EU data subjects from time immemorial; you can be found noncompliant over data you collected in the 1970s just as easily as you can for the data you collect today.
The broad definitions of personal data and processing, and the fact that GDPR doesn’t distinguish between new and old data processing, make compliance tricky. For most businesses, just ceasing all data collection in Europe and throwing their existing customer data into the fire isn’t an option if they want to stay in business. But if you do process customer data associated with an EU data subject, you have to have a good reason—and that good reason has to be one of the six lawful bases set down by the regulation.
- Consent — An individual has given freely given, specific, informed, and unambiguous consent to the processing of their personal data (explicit consent is required for special categories of data, such as health or biometric data)
- Contract — Your organization may process an individual’s personal data as necessary to fulfill a contract with that individual, or to take steps at their request before entering into one
- Legal Obligation — Your organization may process personal data as required to comply with applicable law
- Vital Interests — Your organization may process personal data when necessary to protect someone’s life or other vital interests, for example in a medical emergency
- Public Task — Your organization may process personal data if that processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Legitimate Interests — Your organization may process an individual’s personal data as part of a legitimate interest pursued by your organization (or a third party), provided that interest is not overridden by the interests or fundamental rights and freedoms of the individual the data is associated with
For a lot of brands, GDPR is going to require a very difficult adjustment. And some companies are signaling that they may not go without a fight. There are already reports that a number of ad tech vendors focused on location are planning to argue that their use of EU data subjects’ personal data falls under GDPR’s legitimate interest exception (#6), an arguable claim that could open them (and their clients) up to a world of financial hurt. That makes it essential for brands depending on ad tech today to reach prospects and customers to think through their engagement strategy and how it needs to change in order to ensure compliance.
You’re riding the endless escalator to the second floor of the Moscone Center, en route to the morning’s keynote on GDPR compliance. Chantal’s at your side, chatting happily about all of BudgetBling’s GDPR preparations and all the hard—but satisfying—calls that she had to make. “Honestly,” she says with a devilish grin, “I’m really just going to this thing because part of me wants to see the looks on all the faces of the people who put off preparing.”
You nod at that and fake a laugh. Silently repeating to yourself that you’re okay, your company is okay. That everything’s going to be okay.
The two of you slip into the auditorium a few minutes into the keynote address, which is being delivered by an elderly expert on European regulations with a very distracting hairpiece. Somehow he’s already deep in the weeds, walking people through the difference between data controllers and data processors under GDPR—and the specific responsibilities that each kind of organization has under the regulations. Chantal looks over at you and theatrically rolls her eyes, like she can’t believe that anybody needs to be reminded about such elementary stuff.
Overhead, the lights flicker. The speaker clicks and clicks and clicks a button on the projector remote, the black-and-white slide behind him performing a dramatic build. WITH GDPR, it says. NO. BUSINESS. IS. SAFE. A chill runs through you. Chantal scoffs and takes a snap of the slide to send to her colleagues. “Well,” the speaker allows, “that may be a bit of an overstatement. But only a bit. GDPR’s been in effect for—” He checks his watch. “—a little more than 15 hours, and we’re already seeing a significant number of companies at risk for failing to comply. It’s only going to hit harder from here. If you’re not compliant, you’d better get compliant, and fast. And if you are compliant, you need to be investing the time and resources it takes to stay that way.” A shrug. “Just my two cents.”
“Anyway,” he says, with a self-deprecating laugh, “enough of my Cassandra act. Let’s get back to the fundamentals.” And clicks ahead to a slide that reads CONTROLLERS ARE LIABLE IF THEY USE NON-COMPLIANT PROCESSORS and, a second later, PROCESSORS ARE LIABLE IF THEY USE NON-COMPLIANT SUB-PROCESSORS. Next to you, Chantal chokes for a moment on a swallow of La Croix Pamplemousse. “What?” she says. Startled. Frightened. The speaker glances up, unamused. “That’s right, young lady,” he says. “But if you could please save your questions for the end….”
If your organization is engaging with the personal data of EU data subjects, GDPR applies to you. But HOW it applies to you depends on the role you play in processing that data. Under GDPR, not all companies are treated equally. To comply effectively, brands have to know whether they’re a data controller, a data processor, or a data sub-processor under the regulation.
As a rule, if your organization decides why and how an EU data subject’s personal data is processed, which data is collected and for what purpose, you’re a data controller. If, on the other hand, your organization processes personal data, but only on behalf of and on the instructions of a client, you’re likely considered a data processor under GDPR; and if you process data on behalf of a processor who, in turn, processes data for a data controller, you’re considered to be a sub-processor.
In real life, the dynamic could look like this: there’s a hotel chain based in France that’s looking to gather information on their current and potential customers—they’re a controller. The agency that chain hires to analyze their customer data would be a processor, while the analytics software vendor who the agency depends on to support the analysis of that personal data would be a sub-processor.
Under GDPR, it’s not enough to ensure that your organization is compliant—you have to make sure that any third parties who engage with the personal data under your control are also complying with the regulation. This isn’t just good practice: GDPR requires a written contract between a controller and each processor that sets out the processor’s obligations, and processors must flow the same obligations down to any sub-processors they bring in. Because the stakes are so high, controllers (and processors, for that matter) should make sure those contracts exist and actually reflect these obligations before any EU data subject personal data changes hands.
Then you’re at the back of a restaurant on Howard Street, struggling to get through a meal. Your hands trembling around a tea cup. The cup clinking and clinking against the china saucer. Cocktail jazz playing overhead; fragments of Kesha drifting in from the bar next door.
Across from you, Rupert from MyDye is trying to make himself eat a sandwich. But you can tell from the way he keeps chewing and chewing the same sad bite that he can’t taste his food. That he’s just as tied-up inside as you are. “Remember the first time you heard about GDPR?” he says with a grim smile. “How far away it all felt?” You nod. “And now,” he continues, “all those weeks and months later, all that work and money and stress, here we are. May 25th. But there’s this…”
You laugh. “…nagging feeling?” you suggest. “Like maybe you missed something?”
He laughs, too, sounding pained. “Exactly,” he says. “But what?”
A sudden, dark thrill rushes through you. “Let’s play a game,” you say. “You guess what my team forgot, and I’ll guess what yours did.”
Rupert shivers. “I don’t know….” He looks down at his half-eaten sandwich, at the napkin he’s unconsciously twisted into a makeshift knot. “Oh,” he says, exhaling, “why not?” Then fixes you with a careful, searching look. “If I had to place a bet,” he begins, “I’d wager that you bunch neglected to encrypt the personal data you collect.” You start to open your mouth, then pause. Thoughtful. “Really?” he says, shocked and a little titillated. You roll your eyes, and explain to him that GDPR technically doesn’t require you to encrypt data—it’s just a recommendation. A good recommendation, sure. But not mandatory. He frowns, a little disappointed. But lets it go.
Your turn. You set down your tea and look at Rupert, really look at him. The sallow skin. The sleepless eyes. This isn’t the face of someone who loses sight of the dangers that come with customer data, the potential fines and liabilities. And suddenly, you know. “Doesn’t MyDye have a Paris office?” you ask.
He nods, not following. “Yes, we do—they call us MonColorant. So what?”
You raise your eyebrows. “I bet that you forgot about your EU employees,” you say.
He stares at you: “How do you mean?”
“You forgot that you have to make sure that the way you handle THEIR data complies with GDPR,” you tell him. Rupert stops mid-swallow, a pained, defeated look on his face. His whole career flashing in front of his eyes. “Oh, Rupert, no,” you say. “Not really?” He nods, his eyes suddenly wet.
Modern marketing is built on data. Whether it’s the cookies your company collects when people visit your website, the engagement data you collect regarding your mobile messaging, or point-of-sale information that accrues when customers buy something at one of your brick and mortar locations, it’s possible to know more about who your audience is, how they behave, and what they care about than ever before. That’s transformed marketing—but it’s also made the new restrictions enshrined in GDPR more painful for organizations to comply with than they would have been 25 years ago.
But while consumers’ personal data has gotten the lion’s share of the attention when it comes to public discussions of GDPR, the regulation doesn’t stop there—it applies not just to the personal data of current or prospective customers of a given organization, but to the personal data of any EU data subject. Period. Full stop. That means, for instance, that organizations have to ensure that the way they treat their EU employees’ personal data is just as compliant with GDPR as the way they handle customer data.
You fix your makeup in the ladies’ room mirror. You stand on a crowded street corner, smiling as your daughter tells you over the phone about the drawing of an elephant she made in art. You text your assistant and your general counsel and your therapist one last time, just in case. And then, when the time comes, you walk back into the conference center, make your way down the escalators, past the endless crowds of people, through the long, neon-lit corridors, and onto the auditorium’s brightly-lit stage. Smiling a forced smile as you pass six empty chairs and take your place to the moderator’s right.
He looks down at his notes, then back up at you. You shrug, like nothing surprises you anymore. “You know,” he says, turning to the audience, “I wouldn’t normally do this, but I’m starting to think that maybe we should just scrap the program and talk about GDPR.” He turns your way: “Thoughts?”
You exhale long and slow. “Sure. Might as well.”
Given the potential downsides to non-compliance, it’s natural to feel a little bit nervous about the new world this regulation is ushering in. But while GDPR brings new risks, it also presents opportunity for brands that respond effectively and invest the time and effort it takes to ensure compliance. Why? Because (spoiler alert) a lot of competitors won’t. And brands that fail to comply—or that let themselves get paralyzed by fear of the new regulation—are going to find themselves falling behind in the market, surpassed by forward-looking competitors who adapt to the changing times.
Don’t let that happen to you. It’s still possible to get out in front of this regulation and to do the work that will set your organization up for real, sustainable success in a post-GDPR world. Not sure where to start? Why not take a look at our exclusive 17 Things to Know guide to plan a happy ending for your brand?
Disclaimer: This is a work of fiction. Braze cannot provide legal advice to its clients or to anyone else.