"It's the Data, Stupid"

I recently got an email from Yahoo. The subject of the email was “Important Security Information for Yahoo Users”. The title seemed pretty innocuous, but the subtitle, in all caps, was less reassuring: “UPDATED NOTICE OF DATA BREACH”. Anyone familiar with data privacy scandals may be aware of the fact that in August 2013 an “unauthorized party” stole user data from Yahoo. It took Yahoo over four years to fess up to the breach in December of 2016.

Nearly a year after the public announcement, and only four years after the transgression, I was notified that my account—including names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers—was also “likely affected”. Sure, I don’t use my Yahoo account for anything other than Flickr access, but a whole lot can be reconstructed with a seemingly small amount of data if someone is really interested. The news prompted some furious password changes on my part and a whole lot of hoping that things won’t turn out badly.

Data security and protection is as big an issue in the U.S. as it is all over the world. Back in 2015, EUPS-affiliated practitioner and cybersecurity expert Dan Caprio wrote about the sunsetting of Safe Harbor, a process that essentially allowed U.S. data providers to operate in the European market, so long as they followed certain rules. Europe is notorious for having more stringent data privacy laws than the U.S. This includes explicit opt-in for email communications, double opt-in procedures, confirmed cancellation from company databases, and non-commercialisation of user data lists.

One of the biggest questions that have emerged in this age of promo codes, smartphones and digital wallets, is how to deal with differing approaches to data privacy among European countries. Take Germany, for example. After the tragedies of World War II and 41 years under the GDR, German citizens are rightfully wary of the (ab)use of their personal data—not only by private organizations but by the government itself. They have some of Europe’s strictest laws (based on the Bundesdatenschutzgesetz (BDSG) or federal data protection act, which require explicit double opt-in procedures for email communications as well as dedicated German servers, among other things.

On the other hand, have you ever received a promotional offer via SMS from a company or service provider? In France, those SMS messages by law have to have a “STOP” response command to opt-out of communications, and aren’t even delivered by France’s telecommunications networks after 10:00 PM or on public holidays. Ever received an SMS from "Sephora" and not a phone number? In Italy marketers have to register with the Autorità per le Garanzie nelle Comunicazioni (AGCOM), the Italian equivalent of the FCC in order to send messages with an alpha numeric alias.

With so many differing standards throughout Europe and across the world, the European Commission decided to propose the General Data Protection Regulation (2016/679), commonly referred to as GDPR, and the Data Protection Directive (2016/680), which were ultimately accepted by the European Parliament and the Council of the EU and entered the EU’s Official Journal of laws in 2016.

The underlying idea of these laws is to reinforce an individual’s rights, strengthen the EU internal market, ensure stronger enforcement of rules, streamline international transfers of personal data, and set global data protection standards. This last point is an extremely important one as, once again, the European Union, and the weight of its collective single market, has proven itself to be a rule maker and not a rule taker. Multinational companies, even those that already adhere to Safe Harbor, will have to make sure that they are abiding by EU standards to avoid hefty fines other penalties.

Why should this information matter to an EUPS alum? After the EUPS program, I did a stint at the European Parliament’s Committee on Foreign Affairs (AFET) in Brussels before heading back to Italy for a career in communications and digital marketing. As a Digital Marketing professional based out of Europe and doing business within Europe, GDPR has direct implications on how I do my job. In reality, GDPR has an effect on anyone who is “marketing goods or services and/or tracking the behaviors of EU citizens” (here’s looking at you, cookie privacy bar).

My campaigns, which focus heavily on user acquisition, lead nurturing, and form creation are directly in the firing line of these new EU standards. As a result, I need to keep up-to-date with the various cloud marketing providers that I use for my clients’ campaigns to make sure they’re compliant. The fine is a hefty one for those who breach regulation (a max of €20 million or 4% of worldwide company turnover), and my pockets aren’t that deep. Some technological partners of ours like Mailchimp and Google update us on a regular basis of their new European data centers as well as compliance questions. Others, perhaps based out of the U.S. and elsewhere, have a bit more to do in order to keep up with European regulations. Changes that come along with GDPR also affect proprietary platforms that store user or customer data, which is exactly the case for my company’s online Marketing ROI platform Nive Dive, who need to verify how and where data is stored or transferred.

Marketers, tech companies, and cloud SaaS providers are all looking anxiously towards May 2018, when GDPR and the Data Protection Directive will come into force. While it may seem far off for consumers seeking stronger protections, for many in the MarTech industry, it feels more like a race against the clock.

Christina Craver is a Marketing Strategist at Real Web Srl, a boutique digital marketing agency based in Trento, Italy, specializing in marketing automation technologies. She graduated from the JMU M.A. in Political Science EUPS program in 2012, with a focus on economics.