AMA Marketing News

Marketing News features original news coverage, exclusive insights, trend analyses and more.

A Marketer’s Guide to GDPR

9 min read, May 4, 2018



The EU’s General Data Protection Regulation (GDPR) applies from May 25, 2018. This highly anticipated regulation provides consumers with data protection that has been missing for decades in today’s hyper-connected digital world.

Even though GDPR is of EU origin, it applies to any business or organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. As the EU market is one of the largest in the world and almost every global enterprise does business in the EU, GDPR could become the de facto standard worldwide. (Noncompliance can carry penalties as high as 4% of annual global turnover or €20 million, whichever is higher.)

The continued expansion of cloud and mobile computing in enterprises will expose US companies more fully to GDPR obligations, as they often act as both data processors and data controllers.

Importantly, relying on a third-party cloud provider to manage data (often itself a US company) does not relieve an organization of its own responsibility as controller.

GDPR was created to bring data protection law up to date and make it responsive to the ever-increasing threat of security breaches and cyberattacks. The regulation (which replaces the 1995 Data Protection Directive) is prescriptive, to assure people in the EU that their personal data is safe and to strengthen their confidence in and interaction with online services. It puts the protection of individuals at the forefront of all processing activities by granting them new rights concerning access and erasure of their data and by holding organizations accountable for any obligations they fail to meet.

The first step toward compliance is to recognize this responsibility and create a GDPR strategy.

Businesses can begin by appointing a data protection officer (DPO). A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily. The DPO can be a current staff member or a contractor, but the role must be designated on the basis of professional qualities and expert knowledge of data protection law. The DPO should:

• Inform and advise the controller — or the processor and the employees who are processing personal data — of regulation obligations.
• Monitor compliance with this regulation — including the assignment of responsibilities, awareness-raising and training staff involved in the processing operations — and the related audits.
• Provide advice on the data protection impact assessment and monitor its performance.
• Cooperate with the supervisory authority (in the UK, the Information Commissioner’s Office; each EU member state has its own).

Crucially, the DPO’s overall job is to be a catalyst for the change of mindset needed to implement GDPR compliance procedures successfully. The whole point of GDPR is to move companies toward data protection by design and by default.

Key Changes Marketers Will Face

Personal Data, Data Subject and Natural Person

GDPR keeps the term “data subject,” used in existing law for many years, but defines it as an identified or identifiable “natural person,” and it adopts a much broader definition of “personal data.” Personal data now expressly includes online identifiers, such as cookie IDs, device identifiers and the identifiers generated by web-activity tracking software.

IP Tracking

There is already significant debate about whether IP addresses constitute personal data. GDPR’s recitals list IP addresses among the online identifiers that may identify a person, and regulators and court cases have treated even dynamic IP addresses as personal data in some circumstances, but further clarification will be required. The answer could have huge ramifications for the online advertising industry, especially for personalized delivery of messaging based on previous web visit history.

Does “Natural Persons” Apply to B-to-B?

While companies are not “natural persons,” individuals who work at those companies are, so GDPR will apply equally to consumer and business-to-business data.

Data Processing Changes Under GDPR

The definition of processing has been broadened to encompass the vast majority of business activities that use personal data. “Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means,” qualifies as processing.

Data Controller Changes Under GDPR

The “data controller” is the organization that determines the purposes and means of processing personal data. In practice this is usually the organization that collects and uses the data, and it carries the main responsibility for compliance and accountability for the data it holds.

Data Processor Changes Under GDPR

Under GDPR, “processor” means “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” New requirements in GDPR make processors share accountability for data protection compliance: they have direct obligations of their own (for example, to process only on the controller’s documented instructions and to secure the data), and for the first time they can be held liable, jointly with the controller where both are involved, to compensate individuals for damage caused by noncompliant processing.

Special Categories of Personal Data (formerly called “Sensitive Data”)

Special categories of data are afforded extra protection under GDPR. Processing them is prohibited unless a specific exception applies; for marketers the relevant exception will in most cases be the individual’s explicit consent:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade-union membership
• Genetic data (new)
• Biometric data used to uniquely identify a person (new)
• Data concerning health or sex life
• Sexual orientation

Transparency

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

What Makes Processing Legal?

•It’s necessary for the performance of a contract with the data subject.
•It’s necessary to comply with a legal obligation.
•It’s necessary to protect the vital interests of the data subject.
•It’s necessary for a task in the public interest or the exercise of official authority.
•It’s with the consent of the natural person.
•It’s in the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the natural person.

How to Adapt Before GDPR Applies

Consent

The definition of consent has been changed under GDPR. The data subject’s consent means:

“Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

GDPR also makes it clear that consent should not be conditional upon sign-up to another service (i.e., bundled together). Individuals must also be told they can withdraw consent and it must be simple to do.

Organizations that process data on the basis of consent will have to be able to demonstrate that they obtained consent fairly and that the individual was given the information needed to understand their choices. In practice this means having some way of recording on the database the details of the consent that was gained (e.g., the type of consent, the purposes of use that were stated, the date it was gained, etc.).

Most businesses will struggle to hold records this detailed on their current systems, and significant development may be needed.

Data controllers will have to decide whether they will record consent by channel (regarded as best practice, but not an absolute requirement of GDPR).

The date a consent was given should be recorded as well as the mechanism used to obtain consent (online clicks or positive agreement on the telephone, for example).

Actual wording used at the time consent was obtained will also need to be provided if there is a challenge to the validity of the consent.
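The consent details listed above (channel, date, mechanism and exact wording, plus withdrawal) can be kept as an append-only record, as in this added example. It is illustrative code written for this page, not code from the article or from Zuant; the class and field names and the sample subject are assumptions, and the sample events are constructed.

```python
"""Added example (not from the article or Zuant): an append-only consent ledger
that keeps, per channel and purpose, the date, mechanism and exact wording of
each consent or withdrawal so the controller can later demonstrate it.
All names, fields and sample data are assumptions for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Capture methods that GDPR says cannot amount to consent (pre-ticked boxes,
# silence, inactivity): the ledger refuses to record a grant through them.
INVALID_GRANT_MECHANISMS = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    channel: str          # "email", "sms", "telephone", ...
    purpose: str          # purpose stated to the individual, e.g. "newsletter"
    granted: bool         # True = consent given, False = consent withdrawn
    mechanism: str        # how it was captured: "web_checkbox", "phone_verbal", ...
    wording: str          # exact text shown or read at the time
    recorded_at: datetime
    wording_sha256: str = field(init=False)

    def __post_init__(self) -> None:
        # A hash of the wording lets a later challenge be checked against an
        # archived copy of the text without trusting the archive alone.
        digest = hashlib.sha256(self.wording.encode("utf-8")).hexdigest()
        object.__setattr__(self, "wording_sha256", digest)


class ConsentLedger:
    """Events are only appended; current consent is derived by replaying them."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, channel: str, purpose: str, granted: bool,
               mechanism: str, wording: str, at: datetime | None = None) -> ConsentEvent:
        if granted and mechanism in INVALID_GRANT_MECHANISMS:
            raise ValueError(f"{mechanism!r} cannot constitute consent")
        event = ConsentEvent(subject_id, channel, purpose, granted, mechanism,
                             wording, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, channel: str, purpose: str,
                    as_of: datetime | None = None) -> bool:
        """True if the latest event (up to as_of) for this channel/purpose is a grant."""
        latest = None
        for ev in self._events:
            if (ev.subject_id, ev.channel, ev.purpose) != (subject_id, channel, purpose):
                continue
            if as_of is not None and ev.recorded_at > as_of:
                continue
            if latest is None or ev.recorded_at >= latest.recorded_at:
                latest = ev
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, channel: str, purpose: str) -> list[ConsentEvent]:
        """Full history for a challenge: what was agreed, when, how, in what words."""
        return [ev for ev in self._events
                if (ev.subject_id, ev.channel, ev.purpose) == (subject_id, channel, purpose)]


def demo() -> dict:
    """Constructed sample data: one subject gives email consent, then withdraws it."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("subject-42", "email", "newsletter", True, "web_checkbox",
                  "Yes, send me the weekly newsletter by email.", at=t0)
    ledger.record("subject-42", "email", "newsletter", False, "unsubscribe_link",
                  "Unsubscribe from the weekly newsletter.", at=t0 + timedelta(days=10))
    try:  # a pre-ticked box is not consent, so the grant must be refused
        ledger.record("subject-42", "sms", "offers", True, "pre_ticked_box",
                      "Send me offers by SMS.", at=t0)
        rejected = False
    except ValueError:
        rejected = True
    history = ledger.evidence("subject-42", "email", "newsletter")
    return {
        "email_now": ledger.has_consent("subject-42", "email", "newsletter"),
        "email_day_one": ledger.has_consent("subject-42", "email", "newsletter",
                                            as_of=t0 + timedelta(days=1)),
        "sms_offers": ledger.has_consent("subject-42", "sms", "offers"),
        "pre_ticked_rejected": rejected,
        "history_len": len(history),
        "first_wording_hash": history[0].wording_sha256,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the ledger never updates or deletes an event, the state on any past date can be reconstructed (the as_of argument), which is what a regulator or complainant will ask for; withdrawal is simply another event, so it is as easy to record as the original grant.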

Profiling

Under GDPR, profiling is given a broad definition covering automated processing of personal data used to evaluate personal aspects of an individual.

During the negotiations of the GDPR text there was significant concern that all profiling (including for marketing purposes) would be subject to a consent requirement. In the final text, the strict controls apply to decisions based solely on automated processing that produce legal or similarly significant effects for the individual; profiling for direct marketing purposes is less controlled, and explicit consent is not required. But the individual retains a right to object to direct marketing profiling at any time, and the organization must then stop.

The Rights of Natural Persons (Data Subjects)

Right of Access: Subject Access Requests
Individuals have the right to access the personal data held about them. When the request is made electronically, the information should be supplied in a commonly used electronic form unless the individual asks for it otherwise.

The key changes in GDPR are:

• There will be no fee for the first copy of the information in response to a subject access request. Data controllers may charge a reasonable fee for further copies requested by the individual.

• There is a deadline of one month. The timescale may be extended by two further months if it is a particularly complex request.

• The information that must be included in an access response can be significant. Along with the purposes of the processing and the categories of personal data that have been collected, the controller must also supply the following information:

  • The recipients of the personal data, including recipients in countries outside the EU.
  • How long the data will be stored, or the criteria used to determine that period.
  • Where the data was not collected from the individual, any available information about its source.
  • The right to request rectification or erasure of personal data.
  • The right to object to processing.
  • The right to complain to the supervisory authority.
  • Whether automated decision-making, including profiling, takes place, with meaningful information about the logic involved and its significance and consequences for the individual.

Right to Rectification

If a data subject finds any inaccuracies in their personal data, they can ask the organization to rectify it.

The Right to Erasure

The existing right to be forgotten has been codified and extended as the right to erasure. This gives natural persons the right to have their personal data erased “without undue delay” in defined circumstances, for example where the data is no longer needed for the purpose it was collected for, where consent is withdrawn, or where the individual objects to direct marketing. The right is not absolute: a controller may refuse where the processing is still necessary, for instance to comply with a legal obligation.

The Right to Data Portability

Under GDPR there is a new right to data portability, designed to make it easier for individuals to switch providers. It applies to data the individual has provided and that is processed by automated means on the basis of consent or a contract: the controller must supply it in a structured, commonly used and machine-readable format, and transmit it directly to another controller where technically feasible.

What is the potential ROI of GDPR?

The potential for improved commercial performance is immense, if companies take compliance as an opportunity to become data-driven.
Some of the benefits we will see include:

Improved Business Reputation

Major data breaches have made global headlines, but the problem of data protection is a lot bigger when smaller companies are considered. In the Cyber Security Breaches Survey 2017, an annual report published by the UK’s Department for Culture, Media and Sport, about 70% of large UK firms were found to have suffered a cyberattack. With the threat of attack so high, being able to demonstrate GDPR compliance is going to be a major plus in marketing terms, boosting a business’s reputation as secure in the eyes of potential customers.

Greater Customer Loyalty

Better data handling should also improve loyalty among existing customers. The consequence of the alternative was highlighted by a FireEye report published in 2016, in which 76% of the consumers who responded said they were likely to take their business elsewhere if a company was guilty of negligent data handling, and 75% said they would stop buying from a company that suffered a data breach following a boardroom failure to prioritize cybersecurity. Fifty-nine percent said they would take legal action if their personal details were stolen and then used for criminal purposes.

More Accurate Data

Getting GDPR-ready will improve the accuracy of data stored in a company’s database because it will allow customers not just to access their personal data, but to inspect and validate the stored information. This right already exists, but since the new regulations will require data controllers to rectify any identified errors they are told about, it means the accuracy of data stored will be greatly improved.

Required Data Protection Training

Since GDPR has introduced controller accountability, the controller’s role has become even more serious. GDPR lists awareness-raising and training of staff involved in processing among the DPO’s tasks, and the DPO must be appointed for expert knowledge of data protection law, so formal training is set to become standard. Better-trained staff should in turn mean better security practice and fewer data breaches.

Greater Data Security Globally

While consent is a key factor in GDPR, and the legislation is focused primarily on the EU, it also protects individuals whose data is transferred to a third country or to an international organization outside the EU. Such transfers are permitted only where the destination has been found by the EU to provide adequate protection, or where appropriate safeguards are in place (such as standard contractual clauses or binding corporate rules) to protect the rights of the “natural person” (individual). Transfers are permitted without these conditions in certain narrow circumstances, but a legal request or requirement from a third-country court or authority is not, on its own, one of them. The result is, again, a much higher level of consumer and client trust.

Data Storage

Firms will no longer use their data only to look back at history. It can now be used to establish patterns, identify trends and make predictions, empowering the organization to innovate and launch new products. A modern data-centric approach should use technology that integrates the full content of all data sets, structured and unstructured, establishes relationships between them, annotates them with metadata and makes them instantly searchable, at lower cost. Knowing exactly what personal data is held, where, and for what purpose is also the foundation of GDPR compliance.

No doubt, gearing up for GDPR is a priority for many organizations, and it won’t be a light lift. Even so, the changes needed for GDPR compliance can turn into real competitive differentiators for organizations moving forward.

About the Author | Peter Gillett

Peter Gillett is CEO of Zuant where he’s responsible for driving product development and client roll-outs of the company’s award-winning Mobile Lead Capture app across US corporations. An entrepreneur and innovator, Peter created the world’s first web-based CRM system funded by Lucent Technologies in the 1990s. CRM, lead generation and follow-up are still the focus for Zuant and its network of NACCENT call centers around the globe.

Written by AMA

The American Marketing Association is the essential community for marketing professionals and academics looking to put answers in action. #oneama

Responses (1)