General Data Protection Regulation (GDPR) In Effect May 25 – Are You Ready?
On May 25, the General Data Protection Regulation (GDPR) officially goes into effect, spurring organizations across the world to review how they control, collect, and share personal data belonging to EU citizens. To get a “local” perspective, we asked #MCSMN member Olga Schibli to weigh in on the changes. Ms. Schibli is a University Fellow at University of Applied Sciences Northwestern Switzerland, School of Business. Her expertise lies in management and health care marketing. She is a member of Swiss Communication and Marketing Association of Public Health, working with individual hospitals and providing postgraduate programs on management in health care.
Switzerland is located in the heart of European Union (EU) and is not an EU member. Surrounded by EU, Switzerland is strongly affected by EU laws and regulations. The new EU General Data Protection Regulation (GDRP) regulations were adopted on April 14, 2016 and, after a transitional period of two years, it will be applicable on May 25, 2018 to all EU member states.
The purpose of the GDPR is to protect information that falls under Personally Identifying Information (PII), like e-mail addresses, date of birth, name, etc. The personal data should be used according to a law and in good faith, should be processed in a secure and confidential way, and cannot be accessed without authorization. GDPR should serve to prevent “denial-of-service” attacks and prevent damage to computer and electronic communications systems. As an example, it covers aspects like pseudonymization of data, encryption of personal data, confidentiality and availability of personal data, transparency of data storage as well as email marketing. The penalty for not following the regulations is hard—either four percent of the annual income or up to 20 million Euros.This applies also to all countries outside of EU.
For EU citizens, this means strengthening of their rights and their confidence in the EU. There are many concerns that mobile apps save private data without owners’ consent and that businesses may pass on this data. In the future, all personal data must be deleted immediately upon request. Generally, the GDPR principles cover a very broad range and it is expected that in order to protect personal data, companies will innovate and develop processes and technologies. Currently, this is one of the most far-reaching and effective security and privacy policies ever undertaken by EU.
The GDPR greatly affects email marketing. This means the process of how personal data is collected, stored, used, and consent needs to be reviewed.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her . . . Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.” (Recital 32)
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” (Article 7)
There are few options for email marketers:
- Delete existing mailing lists and start over, or ask existing contacts to opt-in and consent to receive emails.
- Define EU and non-EU citizens in the existing mailing lists. I personally find it almost impossible to differentiate. For example, many people living in Switzerland have double citizenship in Switzerland and EU.
For Switzerland, this means that all the mailing lists must be reviewed and no email should be sent without an explicit agreement of the recipient. Swiss hospitals had to adapt their IT and HR infrastructures, web platforms, mailing lists, etc. However, this is not only about mailings. As an employer, you should be aware how and where you store the data of your employees, clients, and patients. When a person leaves the organization or hospital, companies must assess where his/her data will be stored and eventually deleted. Should the company use clients’ data for behavioral or other analysis, it is obliged to obtain the agreement for the use of the user data. Even the user’s agreement to terms and conditions might not be enough.
“For us, as for many companies in Switzerland, it means precise monitoring of our handling with data. We have carried out an audit and initiated a series of measures. Various marketing platforms have been affected and have had to be changed, adjusted or replaced (CRM, CMS, newsletter tools, etc.). Policies will be adapted accordingly.” - Julien Buro, Head Marketing, Hirslanden Private Hospital Group (Switzerland)
“At the moment, I can’t tell you anything about how this will be. There is a contradiction between medical confidentiality and the GDPR.” - Marketing director (Switzerland)
“Even though the extent of the impact of the EU data protection regulation on the marketing communication of Swiss hospitals, which comes into force at the end of May, is not entirely clear, the new regulation will also require a certain amount of work for Swiss hospitals. Existing marketing communication measures have to be designed in compliance with the EU law, even if they are addressed to citizens of EU countries.” - Oliver Schneider, Head Marketing & Communication, Cantonal Hospital Solothurner Spitäler AG (Switzerland)
“So far we have not been affected by GDPR and have not changed our procedures in e-mail marketing since the implementation.” - Head of Marketing at a small chain of urology practices (Switzerland)
Generally, all the hospitals in Switzerland are strongly focused on “referral management," which means ongoing contact with referral doctors. The referral doctors have to be informed via email about news and changes in the hospitals. Also, patient data is sent to doctors and this is a sensitive issue now because a large part of the doctors and patients are EU citizens or have a double citizenship.
“We will conform to the system. No email marketing anymore without explicit approval. This is an example of what has changed with us now.”- Julien Buro, Head Marketing, Hirslanden Private Hospital Group (Switzerland)
The general opinion of a few people from marketing departments is that Switzerland and Germany already have very strong systems that regulate mailing process and for other EU member states this can be a different situation in GDPR execution.
"Very underestimated, with far-reaching consequences for existing contacts, even more bureaucracy.” - Stephan Rotthaus, founder, Klinik Marketing Kongress (Germany)
I asked a few people in my field what they think about GDPR. To my surprise, only those who had directly to do with GDPR knew about it. Generally, people are not well informed about the new data protection law or businesses are starting to take action just now.
“For us as a company, we are only at the level of gathering information. We want to present it at an extra meeting and then discuss.” - Marcus Knoll, business consultant in health care (Switzerland)