GDPR: The Basics for Financial Marketers

As financial marketers prep for GDPR, we break down the must-know facts.
As the world gears up for the May 25 kick-off of the General Data Protection Regulation (GDPR), it’s becoming increasingly clear that one question remains: is anyone ready? Literally—anyone?
It’s been about a month since Facebook CEO and Founder Mark Zuckerberg sat before Congress (albeit in a booster seat) to answer legislators’ questions during two congressional hearings that dealt with issues surrounding users’ data privacy. The request came after British political consulting firm Cambridge Analytica mishandled the data of more than 87 million Facebook users through a “personality quiz” on the platform. The firm has been linked to then-candidate Donald Trump’s campaign, which has since raised questions about how political companies collect data; how the data is used; and how social media content is paid for. Oh, and the consulting firm has since filed for Chapter 7 bankruptcy.
Just days before the GDPR takes effect, Zuckerberg told the European Parliament the tech giant would be fully compliant by the impending deadline. But they may be the only one.
“Very few companies are going to be 100 percent compliant on May 25,” Jason Straight, an attorney and chief privacy officer at United Lex, a company that sets up GDPR compliance programs for businesses, told The Verge. The article also cites a survey of over 1,000 companies conducted by the Ponemon Institute in April, where half of the companies said they won’t be in compliance by the deadline. When broken down by industry, 60 percent of tech companies admitted they weren’t prepared, according to the article. If you’re one of the many companies that isn’t quite sure how the GDPR could affect your business, if at all, we’ve got you covered. Here’s everything we know about the law and how it could influence marketers, thus far:

What is GDPR?

The GDPR aims to update a set of data privacy rules that were last touched in the mid-90s and puts the power back in the hands of the consumer. The regulation includes 99 articles (available here), but a few key takeaways are as follows:

“Right to be forgotten”: This new provision gives consumers the right to ask for data about them to be removed.

Child-protection: Companies are no longer able to collect data about children under the age of 16 without parental consent.

Timely reporting: Companies are now obligated to report data breaches to both authorities and customers within 72 hours.

Who must comply with GDPR?

The GDPR is a set of data collection regulations created by the European Union, but its jurisdiction touches companies globally—including those in the United States.

“Even if you don’t have an office in Europe, if you’re delivering ads to Europeans, European regulators will likely expect that you are subject to GDPR,” J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), a nonprofit organization focused on privacy, told AdWeek.

When is GDPR D-Day?

May 25

What happens if you don’t comply?

Companies that don’t comply with the law are subject to some pretty substantial fines (and bad PR, but that’s a different conversation). Come May 25, companies will be charged 20 million euros or 4 percent of a company’s global revenue, whichever is larger, for failure to comply.
Given that so few companies say they’ll be prepared in time, we may see these punishments play out a bit differently in reality — particularly for US companies. But the severity of the fines indicates that regulators are not messing around.

How has tech responded to GDPR?

Big brands like Facebook and Google have already moved towards compliance and consumer data protection. In addition to updating its advertising policies, Facebook is also implementing a tool that will allow consumers to control how much of their data is being collected. The company also plans to double its online security employees this year.

Similarly, Google’s created its own landing page addressing the issue and outlining how it plans to protect users’ data under the new GDPR.

These changes are hugely important, not just to us as Internet-dwellers, but as industry professionals. As marketing and PR consultants, much of our work exists on social media platforms such as Facebook, Instagram and others; or in digital mediums, such as email marketing and CRM management. We act as advertisers, content creators, data connoisseurs, and experts in audience engagement for our clients and for Vested itself; being at the forefront of policies that affect how we continue to do our work successfully is a must.

Stay tuned as we continue to explore how these policies are implemented and what it means in the future.

Bonus material! Here’s a quick guide to what’s happening with Facebook:

  1. Identity confirmation: Any advertiser running a political or “issue”-related ad will have to be verified by Facebook. If the advertiser doesn’t pass this verification, the ads will not run. Facebook doesn’t spell out what constitutes an “issue,” nor does it list which issues will be identified as such.

    People who manage large pages will also be verified through the new policy, which will “make it harder for people to run pages using fake accounts, or to grow virally and spread misinformation or divisive content,” Zuckerberg wrote.
  2. Payment transparency: Political and issue ads will also now be labeled as such and advertisers will be forced to show who’s paid for the content. For now, this feature is only being implemented in the US but will be rolled out around the world over the next few months.
  3. Multiple ad feature: Users will now be able to see all of the ads a page is running through a new tool within the platform. It’s currently being tested in Canada but will launch globally this summer, Zuckerberg wrote. Previously, users were only able to see the ad that was served to them at the time in which it was served.
