With only days left until D-day, May 25, when GDPR comes into full force, we decided to filter out the most important facts about the upcoming legislative change. This article is aimed at our fellow marketers, as well as small businesses, to inform and guide them through this massive change in the approach to data privacy and security. That being said, we emphasize that this is only a guide and should not be taken as a substitute for proper legal advice. The particulars of implementation vary case by case; for those, please consult your lawyer. If you want an overview of GDPR, though, in the form of yet another infographic, then you are in the right place.
- What is GDPR
- GDPR Key Facts
- GDPR Scope
- GDPR Key Definitions
- Rights and Responsibilities
- Enforcement and Penalties
- GDPR & Digital Marketing Industry
In the online world, for web users and consumers, personal data acts as a currency. In fact, The Economist called personal data the world's most valuable resource, because of the impact it has on the way companies enhance customer experience.
By sharing personal data, users gain access to services and content. Users' digital footprint has become a valuable resource. Websites, calls, e-mails, even locations and pictures: all of it is recorded, measured, collected and processed afterwards. For marketers, data is a vital resource and a key to the success of our campaigns, allowing us to serve the right content to the right person. Marketers are accustomed to handling large amounts of data. However, according to the State of European Privacy Report conducted by Symantec, 41% of marketers admit that they do not fully understand both the law and the best practices for handling consumers' personal data. And yet it is our duty to process and store the data we are given responsibly.
Users are becoming increasingly aware of the flaws in how their personal data is managed, and mistrust has been on the rise. A consumer privacy study conducted in 2016 by TRUSTe/NCSA found that 92% of online users are concerned about the security and privacy of their personal data. Rightfully so. With personal data being so valuable, it is prone to misuse and theft, which can (and has) led to serious, unpleasant consequences for both the user and the data controller. For that reason, the discussion of personal data privacy and security has been developing for a while now. Users have become vocal, demanding to know what their data is being used for and how securely it is being stored.
In order to address those concerns, the European Union introduced a new set of laws designed to safeguard personal data and inform the decisions of marketers in all its member states. Starting on May 25, 2018, the General Data Protection Regulation (GDPR) will come into full force across the EU.
WHAT IS GDPR
The General Data Protection Regulation (GDPR) is a new digital privacy regulation, which means it is legally binding. It directly concerns organizations based in the 28 member states of the European Union and the three additional countries in the European Single Market. Nevertheless, it also covers any organization in the world that stores and processes EU citizens' data.
GDPR is about standardizing a wide range of different privacy legislation across the EU into one central set of regulations. The goal is to provide best-practice regulations on data handling and compliance. GDPR is designed to strengthen individuals' rights and create better transparency and control. It will ensure that web users are aware of, and in control of, the personal data they share with data collectors.
In practice, this means that companies will now be required to have privacy-by-default settings built into their digital products and websites. The way companies seek permission to use personal data also changes: instead of implicit permission, they need to obtain explicit permission from the user. They will also be required to regularly conduct privacy impact assessments, appoint personnel to be in charge of data, document the ways they use personal data, and improve the way and the timeframe in which they communicate data breaches.
A regulation which states in its introduction that "the processing of personal data should be designed to serve mankind" is not fooling around, and as such it should be taken very seriously. Failing to comply with GDPR can lead to serious trouble for companies, for the fines are draconian: up to €20 million or 4% of the company's global turnover, whichever is greater!
GDPR was adopted in April 2016 and will officially be enforced from May 25, 2018. The period in between is a transitional period for companies to adjust to the new rules and become compliant with the new regulation. It is considered the most far-reaching change to data security in a generation.
GDPR has been a long-awaited and much-needed regulation. The current EU data privacy rules are still based on the 1995 data protection directive (first adopted in 1980). This directive, naturally, does not cover any of the technologies that appeared later (social media, smartphones, advanced web technology), which renders it outdated. On top of that, it is only a directive, which does not make it legally binding, so countries and companies can simply choose not to follow it.
However, on May 25 all of that changes. GDPR brings a shift in the ways we collect and manage personal data. It puts individuals' rights first, protecting their privacy and enabling them to have a good grasp of what personal data is being collected about them and what it is used for. It also raises transparency and holds organizations accountable for the ways they collect and process data.
GDPR KEY FACTS
GDPR is designed to enable individuals to better control their personal data while putting the responsibility on data collectors and processors (organizations). The whole document is lengthy, with 99 Articles and a lot of new information. Here, though, we provide an overview of the most important components of this regulation and emphasize the ones most relevant to marketers.
Below, we compiled an overview of the key articles and the information they provide that is relevant to businesses and marketers.
SCOPE: STANDARDIZATION AND HARMONIZATION OF RULES IN THE EU (AND BEYOND)
GDPR's main aim is to establish one single set of rules across Europe and make them equally legally binding for everyone. These modernized and unified rules should allow companies to make the most of the opportunities of the Digital Single Market by simplifying regulation and benefiting from reinforced consumer trust. There is, though, a bit of controversy about the territorial scope of this regulation: according to GDPR, even organizations outside of the EU have to comply with it if they collect or process data concerning EU residents.
EXPANDED DEFINITION OF PERSONAL DATA
A data subject is a natural person who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic or other identity.
Personal data is any information which can be used, directly or indirectly, to identify an individual (data subject). There is also no distinction between personal data about individuals in their private, public or work roles.
Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data and biometric data where processed to uniquely identify an individual.
This expands the definition of personal data to information which has not been considered as part of it so far (see the image below).
PROFILING is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
CONTROLLER determines the purposes for which, and the manner in which, any personal data is to be processed. These are the organizations that collect, encrypt and store the data.
PROCESSOR processes the data on behalf of the controller.
PROCESSING is anything that is done to or with personal data such as:
- Organisation, adaptation or alteration of the information or data.
- Retrieval, consultation or use of the information or data.
- Disclosure of the information or data by transmission, dissemination or otherwise making available.
- Alignment, combination, blocking, erasure or destruction of the information or data.
RIGHTS AND RESPONSIBILITIES
STRENGTHENING THE RIGHTS OF DATA SUBJECT
Consumers, or data subjects, are empowered by this new regulation. GDPR brings a number of measures that make sure consumers are in control of their own personal data and well informed about how it is being used. Articles 13 through 22 of the GDPR describe the rights that data subjects are entitled to.
The rights of the data subject are as follows:
- The right to be informed – organizations are required to provide a privacy notice which explains, in a transparent and simple manner, who the organization is, what data they are collecting, for what purpose (especially if the data will be used in profiling), for how long they will hold the data and, finally, whether they will pass it on to a third party. Furthermore, it should explain how the data subject may withdraw consent or complain to the relevant supervisory body.
- The right to access the personal data which an organization holds on them, and any supplementary information. This allows individuals to be aware of, and verify the lawfulness of, the data processing conducted. The time limit from the request being made by the data subject to the information being obtained by them is 1 month. This process can be significantly faster if the collector has the data stored electronically in a CRM system. Under GDPR guidelines, the data is to be provided to the data subject free of charge.
- The right to correction – GDPR enables individuals to correct their personal data if it is inaccurate or incomplete. Furthermore, if the collector has passed this inaccurate data to a processor, they must inform both the data subject and the processor that the data is to be corrected.
- The right to erasure – this principle enables individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This applies if the personal data is no longer necessary for the purpose it was originally collected for, if the data subject withdraws their consent to the processing, or if the processing was in breach of the GDPR.
- The right to restrict processing enables individuals to stop the collector from processing their data, while the collector is still allowed to store the personal data.
- The right to data portability enables individuals to obtain and reuse their personal data, i.e. to move, copy or transfer it easily from one IT environment to another.
- The right to object – individuals can object to the processing of their data on grounds relating to their particular situation. If a collector receives an objection, they must cease processing unless they meet one of the exemption clauses.
- Rights in relation to automated decision making and profiling – processors who perform automated decision making (without any human involvement) and profiling need to give individuals information about the processing, introduce simple ways for them to request human intervention or challenge a decision, and carry out regular checks to make sure that the systems are working as intended.
RESPONSIBILITIES OF CONTROLLERS AND PROCESSORS
On the other hand, GDPR puts a lot of pressure on organizations which collect and process personal data. It does, however, separate the responsibilities and duties of data controllers and processors, and that distinction is important for compliance.
GDPR imposes a set of obligations on both controllers and processors that handle data. Here is an at-a-glance overview:
The controllers are considered as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling the right to access, etc. They are held accountable and are obliged to engage only those processors that comply with the GDPR, or risk penalties themselves.
GDPR introduces direct obligations for data processors for the first time. Processors will now also be subject to penalties and civil claims by data subjects. Data needs to be protected at all times during handling, and every step of the way needs to be duly documented as evidence for the future.
ENFORCEMENT AND PENALTIES
Depending on the type of violation, companies will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). These big penalties show that the regulators mean business and companies cannot afford to ignore the legislation.
It remains to be seen how the supervisory authorities tasked with imposing these fines will work, but the fines may become a driving force of this change.
GDPR & DIGITAL MARKETING INDUSTRY
For marketers, consistency in data privacy regulations across Europe should come as good news. However, GDPR also entails a number of challenges which will inevitably impact marketers. In fact, as GDPR affects any company that handles EU citizens' data, regardless of where that company is, marketers worldwide need to prepare for GDPR if they manage any EU citizens' personal data. It might seem that GDPR brings massive changes to the way marketers operate, but, just like with pretty much any massive problem, if we dissect it into smaller ones it becomes solvable. The easiest way to understand it is to see where and how GDPR applies through the inbound marketing methodology.
STAGE 1: DATA COLLECTION
The GDPR was designed to ensure that there will be more transparency between data subjects and data collectors. There are a few points to consider here:
- Privacy notices – as said above, organizations need to communicate clearly to the user what data is being collected and why, and that the user has the right to withdraw consent and to exercise any of the rights provided by GDPR.
- Consent – under GDPR, consent must be explicit: expressed in a freely given, specific, informed and unambiguous way, reinforced by a clear affirmative action. Users need to actively confirm that they want to be contacted. Data collectors need to document and keep track of each and every instance of consent given. They must be able to provide proof that an individual elected to opt in to communications and did not just fall onto the list by default (e.g. via a pre-checked 'opt-in' box on a form). 'Double opt-in' is the best practice, where the opt-in is followed up with a 'click to confirm' e-mail.
- Legitimate interest – when dealing with business-to-business (B2B) marketing and collecting corporate or business data, 'implied consent' means marketers are able to e-mail someone, so long as there is a legitimate interest (i.e. the content is relevant and appropriate) and they provide an option to opt out of e-mails.
"If a business decides to use the legitimate interest precedent for their direct marketing, then it will be able to send email marketing on an unsubscribe/opt-out basis."
The above is not a workaround for GDPR, because the criteria proving that there was a legitimate interest in the first place still need to be met. However, it is predicted that there will be a move towards legitimate interest as an alternative legal basis for processing personal data.
- All on-site data capture fields and forms must be made GDPR compliant.
- Marketers will no longer be able to simply add event attendee lists to a campaign, because they would need to show evidence of opt-in.
- Refer-a-friend programs – a consumer enters a friend's e-mail address in order to claim an offer, and an e-mail is then automatically sent from the company to the friend without explicit consent to contact them. However, these are typically notifications, not promotional e-mails, so this is GDPR compliant – as long as none of the data is stored or used.
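The consent rules in the bullets above (an affirmative action, documented proof of each opt-in, and a double opt-in with a 'click to confirm' e-mail), as an added example that is not code from the original article: a small consent ledger in Python. TOKEN_KEY, the ConsentLedger API, and the addresses and purposes are constructed assumptions, not anything from the text.

```python
# Added example (not from the article): a minimal consent ledger that records
# each opt-in as the text above requires (affirmative action, purpose, notice
# version, source, timestamps) and enforces double opt-in with an HMAC-signed
# "click to confirm" token. The key, purposes and addresses are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: a server-side secret used only to sign confirmation tokens.
TOKEN_KEY = secrets.token_bytes(32)


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # the specific purpose the consent covers
    notice_version: str     # privacy notice shown when consent was sought
    source: str             # form or page on which the box was ticked
    requested_at: float
    confirmed_at: Optional[float] = None   # set only after the e-mail click
    withdrawn_at: Optional[float] = None   # set on withdrawal, never deleted


class ConsentLedger:
    """One record per (email, purpose); records are the documented proof."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], ConsentRecord] = {}

    def _token(self, email: str, purpose: str) -> str:
        msg = f"{email}\x00{purpose}".encode()
        return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, notice_version: str,
                source: str, box_ticked_by_user: bool) -> str:
        # A pre-ticked or untouched box is not a clear affirmative action.
        if not box_ticked_by_user:
            raise ValueError("consent needs an explicit affirmative action")
        self.records[(email, purpose)] = ConsentRecord(
            email, purpose, notice_version, source, time.time())
        return self._token(email, purpose)   # goes into the confirm link

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        rec = self.records.get((email, purpose))
        if rec is None or not hmac.compare_digest(token, self._token(email, purpose)):
            return False        # unknown request or forged/garbled link
        rec.confirmed_at = time.time()
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        rec = self.records.get((email, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = time.time()   # kept as evidence of the withdrawal
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        # Only a confirmed and not withdrawn consent allows contact.
        rec = self.records.get((email, purpose))
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)
```

An address is contactable only between a successful confirm and a withdraw; the records dict keeps the full history either way.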
DATA FOCUS – GDPR requires collectors to legally justify the processing of the personal data they collect, meaning that collectors are only permitted to collect data that is adequate, relevant and limited to what is necessary for the intended purpose of collection. Unnecessary or excessive data collection constitutes a breach of the Regulation.
STAGE 2: DATA STORAGE AND PROCESSING
PURPOSE AND USAGE LIMITATION – Collectors and processors can only use the data they have collected and stored for specified, explicit and legitimate purposes, and are not allowed to use it outside of the intended scope. In the case of transferring data to a third party, they need to ensure they have the data subject's consent to do so.
SECURITY – With data in hand, collectors and processors need to ensure it is kept safely in accordance with the Security provisions of the GDPR. They must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental loss, disclosure, access, destruction, or alteration. Sensitive personal data might require encrypting, or use of pseudonymization or anonymization methods to protect it.
ACCURACY – Data subjects can request at any time to correct or update their data if the information is no longer accurate.
ACCOUNTABILITY – Data collectors are responsible for ensuring they comply with their obligations under the GDPR. Not only will they need to keep records to prove compliance, but they will also need to ensure they have policies in place governing the collection and use of that data. Some organizations might need to appoint a data protection officer (DPO). Collectors also need to implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals.
STAGE 3: END OF THE RELATIONSHIP
RETENTION – organizations may hold on to personal data only for the time necessary to fulfill the intended purpose of collection. If consent is withdrawn, they need to ensure they have a data retention policy in place which outlines the period and reasons for holding data. Some might be required by the law of their domicile to hold on to some of that data for specified periods – but they still need to be upfront about it.
ERASURE – If an individual requests at any time that their data be deleted, the data controller has to comply with that request and confirm the deletion. The data must be deleted from all systems, the collector's as well as third-party processors'. Keeping the data after this point is considered a serious breach of the Regulation.
GDPR WILL CHANGE MARKETING – FOR THE BETTER
It's a lot to process, and even more to do in order to ensure that the data we keep is in compliance with GDPR. Even though GDPR sounds intimidating, and the consequences of failing to comply are dreadful, it is actually a great opportunity which should boost the marketing industry. In the long run, it should make it easier for marketers to create targeted marketing campaigns for people who are engaged with their brands.
Marketers will now have to provide even more value to their consumers. It will take a lot of hard work to attract customers, but the consumers who are attracted will be more likely to turn into leads or customers: by giving their explicit consent, they have already shown interest. What marketers can do to make even better use of such high-quality contacts is to make further inquiries about consumers' preferences, gaining insight into their interests and allowing marketers to better serve the content the consumer wants to see.
This is also a perfect opportunity to purge your own marketing databases and get rid of all the contacts who did not provide explicit consent. On the bright side, remember all those unwanted subscriptions flooding your inbox that you never got around to unsubscribing from? Well, GDPR will sort that out for you. In a way, this is a clean start!
The bottom line is that marketing shouldn't be pushy or mysterious for consumers. GDPR will give EU citizens greater transparency and control over how their data is being used. Nowadays, even despite concerns about their data's security, many consumers share data because they want a service or a product. With the implementation of GDPR, however, organizations will need to communicate with and provide value to the consumer, which should lead to a better understanding of why they share their personal data. Better understanding will make consumers more inclined to share. To conclude this article, let me finish with a surprisingly fitting marketing catchphrase, for when it comes to personal data, quite literally, sharing is caring.