Many companies feared the enforcement of the General Data Protection Regulation (GDPR). It would create numerous barriers for direct marketing and violations would be fined with enormous penalties. Did the doomsday scenarios come true or is it business as usual?

Direct marketing would never be the same after May 25 2018. The enforcement of the GDPR would protect the data of EU-citizens, but complicate things for companies. The GDPR-stress was fueled by the announced fines up to 20 million euro or 4 percent of the annual turnover.

Privacy sensitive information, not encrypted: 20.000 euro fine

What can we learn from the first GDPR fines? Up to now 59.000 breaches were reported. Only 91 of these breaches were fined. For example the German social platform Knuddels. The breach exposed 800.000 e-mail addresses and almost 2 million user names. Furthermore Knuddel had stored passwords as plain text. Because they didn’t take the right technical measures, Knuddel received a fine of 20.000 euro. Encryption of the data could have saved them the fine and reputational damage.

Not honest about data breaches: 600.000 euro fine

In November Uber was fined 600.000 euro from the Dutch Data Protection Authority. The taxi platform had not reported a big data breach of 57 million users. Furthermore, Uber paid hackers to keep the breach of names, e-mail addresses and phone numbers under the radar.

Not transparent: 50 million fine

Google received the highest fine. The search giant had to pay 50 million euro to the French data protection watchdog CNIL for failing to provide users with information on its data use policies. Subsequently Google didn’t give users enough control over how their information was used.

What changed?

The fines are a clear example of what organizations should and shouldn’t do to be GDPR-compliant. What does this mean for marketeers? Not much. They already needed explicit consent to mail people. A so called opt-in. Opt-in databases can be rented and used for campaigns. Databases with personal data that have been created before the GDPR, can be used and traded without any difficulty.

So business as usual?!

In most countries in the EU it’s business as usual. We might see more changes when the ePrivacy regulation will make it’s appearance in 2019. Great Britain, France and Sweden might go to an opt-in regime for B2B email marketing. And the Netherlands will put a ban on unsolicited telemarketing to consumers. But overall not much has changed or will change. Nevertheless it’s still important to take care of data privacy throughout the organization: from IT to marketing and accounting. Makes sure all processes and procedures are GDPR-compliant.

GDPR-compliant campaigns

The reasons why companies such as Google and Uber were fined make clear what organizations should do to be GDPR-compliant. Apart from that, not much has changed. Nevertheless the GDPR has some grey areas. Of course your organization pays attention to privacy and you want to keep it that way. BoldData helps your campaigns to comply with the latest rules and regulations. Need advice or want to buy a GDPR proof business database for your direct marketing campaign? We’re here to help! Contact us via +31(0)20 705 2360 or info@bolddata.nl.