Another year, another player in the consumer privacy game. When GDPR came into effect, we remember the mad dash to update privacy policies, the massive shifts in data management, and the overarching anxiety around the complexities of ensuring compliance. However, the consumer privacy protections didn’t stop there. Not long after GDPR went into effect, along came its “little brother,” CCPA. This August, Brazil will add itself to the list of countries protecting their consumers with privacy legislation.
LGPD– The Basics
On August 16, 2020, LGPD (the “GDPR of Brazil”) will go into effect. This new privacy legislation applies to businesses, regardless of location, that collect and process personal data of individuals while they are in Brazil.
The good news is that if your organization has already taken action to become compliant with GDPR, you likely have most of the framework in place to comply with this new legislation. However, it is important to read up and take note of the differences and subtle nuances between GDPR and LGPD. For example, LGPD is more stringent in its requirements around the need for data protection officers, but its fines in general aren’t quite as harsh.
Penalties– They Are Real
Regardless of the legislation, if you think that the penalties for non-compliance aren’t actually enforced, think again. British Airways was fined €204,600,000 by the United Kingdom for GDPR violations, citing “Insufficient technical and organisational measures to ensure information security.” Similarly, Marriott International, Inc was fined €110,390,200 by the United Kingdom for the same data mismanagement infringement. Read: privacy legislation penalties are very real, and they can be exorbitantly costly to an organization.
Though the undertaking to become– and stay– compliant can be incredibly complex and can feel overwhelming, the risk of not being compliant is too high. Some of the substantial fines that have already been handed out should serve as warnings to organizations who still have gaps in their compliance.
The Impact for Marketing Operations
The fact is, whether LGPD applies to you or not, it’s only a matter of time before data collection, usage, and storage requirements become standard operating procedures. As marketers, the overall increase in data regulation means that we need to be mindful of collection and storage practices amidst the ever-changing rules of compliance. Getting your processes and systems in place now will better prepare you for what will inevitably come.
Remember, these regulations are put in place to protect the consumer (and will help build trust with your brand). As such, individuals need to know how you’re going to use the information that you’re collecting, as well as trust that it will be safely stored. With that in mind, marketing operations should be managing and monitoring:
- Opt-in consent: This is required if you want to retain personal data, and you’ll want to review all data collection points to ensure you have proper verbiage on each. On the backend, retain careful records (including date, timestamping, opt-in source and IP address, if available) to verify the consent. Read more about the requirements for consent.
- Lead scoring and profiling: Lead scoring and propensity to purchase calculations (especially if used to schedule follow-up sales calls) are classified as user profiling, which also requires consent.
- Data enhancement: Any data enhancements to your records have to be declared. *Note: if you’re using a third-party source for data enhancement, they also need to be compliant with the existing privacy regulations.
- Data management: Each privacy legislation carries a host of consumer rights and protections. Marketers need to not only know what the requirements are, but be prepared to accommodate each.
- Record disposal: If you have records without opt-in consent, they need to be deleted. Consumers can also withdraw consent or request to be deleted– if this happens, you’ll need to dispose of these records as well.
For more in-depth, actionable steps to take toward compliance, download our GDPR toolkit.
Assessing Your Compliance Vulnerabilities
Consumer privacy and the legislation that comes with it have become a mainstay. As marketers, learning how to operate in a compliance-regulated world is now the reality– not only to gain trust from your audience, but also to avoid costly fines.
With a new legislation on the horizon, it’s a good time to take an inward look at your own organization. Are your marketing efforts structured for compliance? If you’ve not yet done any preparations to align with the legal requirements or you are unsure if you are impacted at all, assessing your areas of vulnerability is a good start.
To do so, a database audit will help identify how many records you have in Brazil, the EU, California, or whichever jurisdiction is your focus. In this process, you may also discover your database needs cleaning up: standardizing data fields and removing junk or outdated records, as these records pose a potential risk to your organization.
Once you know your vulnerability and the extent of your exposure, then you can make more informed decisions about how to proceed next: get your systems and processes in order to comply, or, remove the impacted records entirely from your database.
Should you decide to move forward with aligning your organization with LGPD, GDPR, or CCPA compliance requirements, you’ll quickly discover the legislations are complex, nuanced, and involved. And if you’re feeling overwhelmed– you’re not alone. In fact (a little shameless self-promotion), Perkuto was contacted by a consulting firm who wanted to be GDPR compliant, and over the span of 18 days, our team was able to deliver key findings and concrete recommendations in a comprehensive report, to align with GDPR requirements and accomplish their objectives. We all need a little help from time to time– and understanding the ins and outs of compliance regulations is certainly not in the job description of most marketers. (If you’d like to discuss your specific situation with our compliance team, please give us a shout.)
LGPD might be the newest regulation, but it’s certainly not the last. As consumer privacy legislations continue to pop up (and organizations are handed hefty compliance-related fines), we’re reminded that marketing amidst privacy regulations is our new reality. Whether we like it or not, it’s our job as marketers to ensure our systems and processes align with the requirements.
*Note: While we’re good marketers, we are not attorneys. Be smart and cover your bases; make sure you enlist your real legal team to review and approve all policies and procedures related to LGPD, GDPR and CCPA.