Four months in, the European Union's GDPR privacy rule still reverberates through privacy and data use policies around the globe. Even the rock band Rage Against the Machine, which built a decades-long music career on being aggressively anti-establishment in both politics and sound, submitted to the machine by posting a GDPR compliance form to which fans must testify before signing up for the group's newsletter.
GDPR for U.S. companies has its merits, one expert says, despite the compliance effort it requires.
"If Rage Against the Machine can buy into it, anyone can," said Michael Piddock -- founder and CEO of Glisser Ltd., a British-based slide-share and live audience-polling services vendor -- in a presentation at HubSpot's Inbound 2018 user conference where he offered advice on GDPR for U.S. companies. His company had to come up with compliance strategies to collect data at live events on behalf of its customers, each of which comprises its own large-scale data collection undertaking.
But not everyone has embraced GDPR with the same creative humor as Rage Against the Machine.
Some organizations ask customers to sign off on every possible use of their data, creating terrible user experiences in the process.
GDPR for U.S. companies can mean pulling up a drawbridge and blocking all European users, as some companies have determined that European customers are not worth pursuing. Still others have stuck their head in the sand and are pretending the regulations don't affect them -- and have yet to design a compliance policy.
"Don't think that just because you serve a primarily U.S. market that GDPR doesn't affect you," Piddock said. "It does affect you if you have any clients or prospects from Europe, or people with dual citizenships who would be affected by GDPR."
However, that isn't necessarily a bad thing for companies who use email and other online marketing channels, as it can not only make a company think out its privacy and customer data-handling policies, but it can also help build goodwill with customers by showing the company cares about protecting customer privacy.
Piddock offered four tips on getting up to speed with GDPR for U.S. companies that may not see how compliance could be beneficial.
"The first thing I think you need to do is to be working on the evidence that you are taking [GDPR] seriously," Piddock said. "That way, if regulators do come knocking, you have this data in place to say, 'look, we really are taking this seriously.'"
How extensively companies document the process of becoming compliant should be proportional to the size of the business and the risk associated with GDPR for U.S. companies. Larger organizations with lots of personal data are most at risk, while smaller companies that store less data are not taking on much risk. Still, Piddock suggests that all organizations give these regulations some thought.
Improve data housekeeping
Considering that a big part of the GDPR ruling concerns data retention and the length of time that an organization can hold data, this also serves as a good opportunity to do some database housekeeping.
"We looked at GDPR as an opportunity to go back through our entire email database and actually be a lot more critical about those people who weren't engaged, who weren't responding, who weren't interacting with us," Piddock said.
Consider alternatives to storing data
Another approach to complying with GDPR for U.S. companies is to reconsider how much data your organization needs to store in the first place. The Glisser team uses LinkedIn and Facebook as a way to gather and communicate with a community of people without storing personal data themselves.
"I question why we need to store extensive patron information around professional engagements when people are storing it and keeping it updated themselves on LinkedIn," Piddock said. "Let tools like LinkedIn or Facebook do the heavy lifting around the volume of data that they're storing. You can actually keep your CRMs fairly lean."
Know the rules
Finally, Piddock said that an important thing to remember is that getting customer consent is only one of six legal ways to justify holding onto customer data under GDPR. In the same way that companies have to keep a list of customers who have unsubscribed from email communications, companies also have to hold onto some of the data for customers who did not agree to GDPR so that they will know not to market to them.
"When you think about it like that, you actually have a right to store a decent amount of information in order to process it better," Piddock said. "You can continue to store the data that you need."
With Canada and California considering their own data privacy regulations, it will only become more important that companies based outside of the European Union comply with GDPR, whether or not they have European customers. But this also creates an opportunity for your organization to be ahead of its competitors in regard to customer data management and privacy.
"GDPR is actually a positive thing for marketers," Piddock said. "It is an opportunity to create content and it is an opportunity for you to understand the rules, prove your worth within your organization and prove [to customers] that you are taking this seriously."