TMSA Blog

Are Your Privacy Policies Compliant with GDPR?

Written by TMSA Staff | May 30, 2018 4:00:00 AM

As a marketing, communications and sales professional in North American transportation and logistics, you likely manage the private information of your customer, prospects, workforces and/or key stakeholders. If so, the General Data Protection Regulation should stop you in your tracks.

This is particularly true if you’re managing relationships, data and marketing activities involving targets in the European Union (EU).

“While most of TMSA’s member companies are based in North America and are primarily focused on marketing and sales activities on this continent, many do work in the global marketplace,” says Brian Everett, TMSA’s CEO. “It’s critical that you’re aware of this new regulation and make sure you’re compliant.”

What is the GDPR?
Starting in May 2018, this EU regulation governs consumers’ private information and could have a major impact on how businesses globally handle privacy. According to Everett, the GDPR puts regulatory teeth behind longstanding governmental guidance on how EU member states handle personally identifiable information. This level of regulatory oversight of personal data is unprecedented and will require companies in the global transportation, logistics and supply chain space to ensure the highest levels of privacy protection, or suffer the consequences legally, financially and in brand damage.

Does GDPR Impact Companies in Transportation and Logistics?
The GDPR is the latest in a series of EU parliamentary measures designed to place the highest levels of protection around personal data. The reason for its creation? The protection of natural persons in relation to the processing of personal data is a fundamental right.

Whereas American regulations and laws tend to favor business over the consumer, the EU has always promoted a consumer-first point of view. Here’s a brief summary of EU developments as they relate to privacy. The Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in September 1980, were followed by Directive 95/46/EC, also known as the Data Protection Directive. That guidance was agreed on by the EU member states and the U.S. through a Safe Harbor agreement, and then tested through two major legal challenges, resulting in the need for GDPR. The EU continues to be aggressive about protecting consumer privacy. Through the GDPR, it hopes to lead the way globally with a broad, comprehensive law backed by unprecedentedly high fines of up to 4 percent of a company’s total global revenue, steep fines that could easily cripple businesses that breach related policies.

How Does GDPR Impact American Organizations?
Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. What does this mean? Any company in the industry, anywhere, that has a database that includes EU citizens is legally bound by these rules. Businesses of all scopes and sizes are affected — carriers, 3PLs, tech companies, railroads, OEMs, port authorities, ocean carriers, etc. No one is exempt.

In order to comply, American companies can either block EU users altogether (an impossible choice for a multinational brand in transportation or logistics) or have processes in place to ensure full compliance.

What Does GDPR Involve?
Essentially, GDPR protects user data in virtually every possible way. It operates on the understanding that data collection and processing is the basic engine that most businesses run on, but its goal is to protect that data every step of the way while giving the customer, prospect or stakeholder ultimate control over what happens to it.

In order to be GDPR-compliant, an organization must not only handle consumer data carefully but also give consumers ways to control, monitor, check and delete any information pertaining to them. Companies looking to stay in compliance must implement processes and resources to ensure that data remains protected whenever it is handled. To support this requirement, GDPR promotes pseudonymization, anonymization and encryption.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization sits somewhere between identified and anonymous: the data components are anonymized and stored separately, but they can be put back together. For instance, a system might assign a user one identifier for location and another for browser, and those identifiers can only be tied back to the user when combined with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.
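As an added illustration of the split the paragraph describes (example code written for this page, not TMSA’s or any vendor’s): a constructed CRM record is pseudonymized by replacing its direct identifiers with a keyed token and keeping the re-identification table apart from the working data, while the anonymized copy keeps no way back. The record, the key and the field names are all constructed; in practice the key would be held in a secrets store by a custodian other than the team using the working dataset, and note that pseudonymized data is still personal data under GDPR, while truly anonymous data falls outside it.

```python
import hashlib
import hmac

# Constructed sample CRM record (not real data) and a constructed demo key.
KEY = b"constructed-demo-key-not-for-production"
RECORD = {
    "email": "A.Martin@example.org",
    "name": "Alex Martin",
    "dob": "1984-07-12",
    "country": "FR",
    "shipments_last_year": 37,
}
# Fields that identify the person directly and must not travel with the working copy.
DIRECT_IDENTIFIERS = ("email", "name", "dob")


def subject_token(email, key):
    """Keyed token for a data subject: HMAC-SHA256 over the normalized email.

    A plain hash of the email could be reversed by hashing a list of known
    addresses; HMAC with a secret key prevents that for anyone without the key.
    """
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record, key):
    """Split the record into a working copy (identifiers replaced by a token)
    and a lookup table that is stored separately and maps the token back."""
    token = subject_token(record["email"], key)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_token"] = token
    lookup = {token: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return working, lookup


def reidentify(working, lookup):
    """Reverse pseudonymization; only possible with access to the lookup table."""
    identifiers = lookup[working["subject_token"]]
    merged = {k: v for k, v in working.items() if k != "subject_token"}
    merged.update(identifiers)
    return merged


def anonymize(record):
    """Irreversible: drop direct identifiers and generalize what remains."""
    n = record["shipments_last_year"]
    band = "30+" if n >= 30 else ("10-29" if n >= 10 else "<10")
    return {"country": record["country"], "shipments_band": band}
```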

According to GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. At its core, the protections have to do with processes and communications that are clear and concise and are done with the explicit and affirmative consent of the data subjects.

Are American companies prepared?
No one really knows how GDPR will be enforced on American soil. We likely won’t know until we see the first legal test case. For multinational companies with legal entities operating in Europe, the supervisory authorities can hold the EU representatives accountable. Also, the EU-US Privacy Shield framework created by the U.S. Commerce Department was implemented specifically to comply with transatlantic data protection requirements. But how it plays out won’t be understood until a U.S. company is found non-compliant. Even so, some TMSA member companies with operations and/or interests abroad are beginning to take this seriously.

It’s likely that companies will have to adapt standard marketing processes, such as data mining, location targeting and remarketing. They’ll also need to think of new ways to handle data. But businesses that already take user privacy seriously and have safeguards in place will be in a better position when the regulation fully kicks in, regardless of how it’s enforced. It’s also clear that we will see an increasing number of new, compliance-oriented products and services being developed for the foreseeable future.

What can a company do to prepare? Here are some basic points to consider when developing a plan:

Make sure to encourage collaboration between your Marketing, Sales and IT departments. This dovetails nicely into the theme of the 2018 TMSA Logistics Marketing & Sales Conference coming up in a few weeks, “Align For Growth.” When it comes to issues like the threat of cybercrime and the necessity for specific monitoring and implementation strategies, your IT department clearly will become your new best friend. Those who use marketing technology (martech) will also have increased reason to invest in and use secure, customized IT solutions to stay on the right side of the regulations, and on the right side of consumers’ trust.

Hire a Data Protection Officer – or Secure the Contracted Services of One. The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer. But it’s an investment that’s worth some serious consideration. The potential damage to your company’s bottom line is not worth the risk. If nothing else, the GDPR has a singular message: Consumer information needs to remain private. Anything you can do to remain compliant will help you overall.

Conduct a Thorough Audit of Your Current Data Security System. Ensure compliance by doing an accurate assessment of your current data processes. This will enable you to identify high-risk areas and fix any potential problem areas before enforcement begins.

Educate Your Staff. Although most of the responsibility falls to your security staff, anyone who handles data needs to be educated about GDPR - including staff members who interact with new customers or users, those that maintain CRM systems and automation platforms, and even data entry personnel.

Implement Tools that Ensure Privacy. Many companies offer pseudonymization solutions and other ways to remain compliant. Work with your DPO and IT department to find the solution that is best for your organization.

Make Sure to Work with Partners Who are GDPR-Compliant. This includes your email service provider, your CRM service and your marketing and PR agencies. You can be held responsible for breaches made by contractors and partners you work with. It’s critical to ensure all aspects of your data processing are in compliance.

Interested in learning more?
Join TMSA and visit the Members Only Section for more valuable resources and whitepapers. And check out the TMSA Blog for more related articles!