The EU's upcoming General Data Protection Regulation is already affecting everything from the way companies handle e-discovery to how they train their employees.

But there is still much left for companies to do in order to be compliant by the late May enforcement date. Many companies' marketing efforts, for instance, may need to be revamped given the regulation's mandates.

“There are really two provisions that impact marketing pretty directly,” said Lisa Loftis, a principal consultant, customer intelligence, at software company SAS and speaker at Legalweek's “GDPR & Global Marketing: Adapting Your Strategy for Success” Feb. 1 session in New York.

The first provision, Loftis said, requires companies to obtain consent from EU citizens before using or storing their personal data. “The GDPR mandates that consent has to be freely given, be specific, informed, and unambiguous, and require a clear and affirmative action,” she noted.

“That means that marketing can't rely on soft opt-in processes anymore, they can't rely on the omissions of an opt-out,” Loftis explained. “And they can't have a simple blanket kind of opt-in check box for all of the types of communications and solicitations that they typically do.”

What's more, since consent records will be auditable by EU authorities, consent is “going to have to be stored and tracked.”

The second GDPR provision that affects marketing mandates that companies be “very clear to customers on how personal data is collected and how personal data is used,” Loftis added.

But providing clarity on data processing and management is not always simple in marketing efforts that use 21st century technology. Loftis noted that artificial intelligence and machine-learning platforms that regularly process data can contain “black box algorithms,” where the “decision parameters aren't readily transparent, and you don't know what kind of decisions are being made on that data.”

Suffice it to say, the GDPR will likely force companies to transform the way they carry out their entire marketing efforts.

“It requires companies to fundamentally rethink how they collect and use data,” said Doug McPherson, general counsel and chief administrative officer of advertising technology company OpenX.

But while the changes needed under the GDPR may be a heavy lift for many marketing practices, Loftis sees little urgency among U.S. companies to start compliance efforts.

“I think that most of them will not be prepared,” Loftis said. “Large companies tell me they are adopting a kind of wait-and-see attitude in terms of becoming compliant with this.”

Some companies, however, are still unaware that the EU personal data they hold, even though it is geographically outside of the EU, falls under the purview of the GDPR.

“There is still a misperception out there by a lot of U.S. digital marketers that this is an EU regulation that doesn't apply to them,” McPherson said.

To be sure, though the mandates of consent and clarity are arguably the most impactful GDPR provisions for marketers, they are far from the only ones that marketers will need to heed.

In addition to “the amount of data they collect and limiting the time they retain it,” McPherson noted that companies' marketing teams will also need to “create internal and external policies that cover a wide number of areas that they haven't developed a lot of processes around, including data security, data breach notification, [and] data retention.”

For Loftis, it's imperative then that marketers recognize every specific change the GDPR will bring to their operation. To that end, she hopes her Legalweek session will help “marketers both in the U.S. and in the EU really understand what the impacts of GDPR are going to be for them.”