With just five weeks to go until the General Data Protection Regulation comes into effect, there is a lot that marketers need to consider. Everything from validating email contacts to updating privacy notices and opt-in forms falls under the new EU law, which aims to protect the data and privacy of all individuals within the European Union.
In this first part of a series on interactive content and GDPR, you will get a snapshot of how the GDPR changes affect marketers, and how to prepare for what is considered one of the most significant changes to the regulatory landscape of data privacy.
Why is the GDPR being introduced now?
It is no secret that personal data has become one of the most valuable commodities in the world.
In today's digital landscape, data is no longer collected only directly from individuals through a form. Instead, it is increasingly collected by other means: by tracking people's behaviour online, by combining data from various sources, and by running algorithms over a variety of data such as social media activity, location data, and purchase records.
Users are therefore exposed to misuse of their data, and they are demanding to know what happens to it in the hands of companies.
Where is the data stored, who has access to it, and what is the purpose of keeping it? These questions are all addressed in the new and substantial EU legislation. Companies must now ensure transparency and honesty when handling personal data; if they fail to comply, they will be held accountable through hefty fines.
The purpose of the legislation is to give users better control than before over the digital footprints they leave behind.
What is the GDPR?
The GDPR's primary aim is to give internet users back control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU.
The current regime, the 1995 Data Protection Directive, is only a directive: each member state had to transpose it into its own national law, which led to differences between countries. The GDPR is a regulation, directly applicable in every member state, so companies cannot avoid it and face fines if they fail to comply.
But what exactly counts as personal data? The European Commission defines personal data as the following:
"…any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
The extensive legislation comprises nine primary areas: increased territorial scope, penalties, consent, right of access, breach notification, right to be forgotten, data portability, privacy by design, and data protection officers.
The increased territorial scope is what makes the legislation unique. The GDPR applies to the processing of personal data of individuals in the EU, regardless of whether the processing itself takes place in the EU or not. This means companies outside the EU that process the data of people in the EU must comply with the law. Failing to comply can result in severe penalties: fines of up to 4% of annual global turnover or 20 million euros, whichever is higher.
How does this impact marketers?
The GDPR is a complex and drastic change for the online sphere and will affect how companies gather and process personal data. For marketers, it is important to keep in mind that the overall message of the legislation is transparency and honesty in handling personal data.
Below we focus on five key areas marketers should pay attention to: data permission, the right to be forgotten, access requests, data portability and breach notification. You can also take our 5-question quiz below to test your knowledge.
1. Data permission
Consent is now something you must master as a marketer. From 25 May 2018, it will no longer be allowed to send promotional material to contacts who did not specifically ask to receive it.
That's right. Data permission includes strict rules on how you manage email opt-ins.
The biggest change is how you obtain consent. Your contacts must be told exactly what they are opting in to, and the terms must be provided in clear and plain language that is easy to understand, not in legal jargon that no one can follow.
Further, you need to ensure contacts give unambiguous consent through a 'clear affirmative action'.
This means pre-ticked opt-in boxes are no longer allowed, and consent must be kept separate from other terms and conditions.
You must also make sure your contacts can withdraw their consent, and you must inform them of their right to withdraw it at any time.
It is also important to name your own organisation and any third-party controllers who will rely on this consent.
Finally, you must keep clear records of the consent given and be able to demonstrate it; this includes who consented, when, how, and what you told them.
To meet these demands, many companies have resorted to offering multiple opt-in options so people can choose what type of content they receive.
Use this checklist to make sure you have it covered:
- Use a positive opt-in, not pre-ticked boxes or any other method of default consent
- Include an explicit consent statement, meaning a clear and specific statement of what is being consented to
- Inform that people can withdraw their consent and explain how
- Keep evidence of consent: who, when, how, and what you told people
- Use clear, plain language that is easy to understand
- Mention the organisation and any third parties who will be relying on the consent
Now that you have that covered, let's move on.
The reason many marketers are crying themselves to sleep these days is that you need to review your existing email contacts and check whether the consent mechanism used to obtain them meets the GDPR standard.
Take a moment and sob.
This means you must make sure that all of your current email contacts were obtained with 'unambiguous consent' through a 'clear affirmative action', that people knew exactly what they were signing up for, and that you explained in plain English what the data would be used for and how to opt out. Yikes.
If all your email contacts were obtained through an opt-in without pre-ticked boxes, and it was clear what people were opting in to (for example, 'opt in to our weekly newsletter'), you don't have to panic.
But if you are not sure, you should take action.
Try to find out which of your contacts were obtained in ways that meet the new GDPR standards and which were not. Any contact you are in doubt about should go into your 'do not have GDPR permission' category, as the fines for failing to meet the rules are expensive.
For the email contacts in the 'do not have GDPR permission' category, you can still email them until 25 May and try to refresh their consent by inviting them to opt in again under the new standards.
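A concrete way to keep the evidence the checklist asks for, and to run the audit of existing contacts described above, is a consent ledger with one record per contact per purpose. The following is an added example written for this article; it is not code from the Dot.vu platform. The record fields (who, when, how, what you told them, which parties rely on it, whether withdrawal was explained), the method names such as `pre_ticked` and `double_opt_in`, and the sample contacts are all assumptions chosen for illustration. Any contact without a record that would stand as evidence, including a contact with no record at all, lands in the 'do not have GDPR permission' bucket, so doubt is resolved against sending.

```python
"""Consent ledger: keeps evidence of consent and audits an existing contact list.

Added example, not Dot.vu code. Field names, method labels and sample data
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Mechanisms that are NOT a 'clear affirmative action' (assumed labels).
DEFAULT_CONSENT = {"pre_ticked", "implied", "bundled_with_terms", "unknown"}


@dataclass
class ConsentRecord:
    contact: str                   # who consented
    purpose: str                   # what they consented to, e.g. "weekly_newsletter"
    given_at: Optional[datetime]   # when
    method: str                    # how: "unticked_checkbox", "double_opt_in", "pre_ticked", ...
    notice_text: str               # what you told them, stored verbatim
    relying_parties: List[str]     # your organisation plus any third parties named
    withdrawal_info_shown: bool    # did you tell them they can withdraw at any time?
    withdrawn_at: Optional[datetime] = None

    def is_valid(self) -> bool:
        """True only if this record would stand as evidence of GDPR-style consent."""
        if self.withdrawn_at is not None:
            return False                       # consent was withdrawn
        if self.method in DEFAULT_CONSENT:
            return False                       # default or bundled consent does not count
        if self.given_at is None or not self.notice_text.strip():
            return False                       # cannot show when or what was agreed
        if not self.relying_parties or not self.withdrawal_info_shown:
            return False                       # parties not named, or right to withdraw not explained
        return True


class ConsentLedger:
    """Single place that holds the consent record for every contact and purpose."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record(self, rec: ConsentRecord) -> None:
        self._records[(rec.contact, rec.purpose)] = rec

    def withdraw(self, contact: str, purpose: str, when: datetime) -> None:
        rec = self._records.get((contact, purpose))
        if rec is not None:
            rec.withdrawn_at = when

    def has_permission(self, contact: str, purpose: str) -> bool:
        rec = self._records.get((contact, purpose))
        return rec is not None and rec.is_valid()

    def audit(self, contacts: List[str], purpose: str) -> Dict[str, List[str]]:
        """Split an existing list into the two buckets the article describes."""
        ok: List[str] = []
        not_ok: List[str] = []
        for c in contacts:
            (ok if self.has_permission(c, purpose) else not_ok).append(c)
        return {"has_gdpr_permission": ok, "do_not_have_gdpr_permission": not_ok}


def demo_audit() -> Dict[str, List[str]]:
    """Audit a constructed contact list for the 'weekly_newsletter' purpose."""
    notice = "Tick to receive our weekly newsletter from Example Ltd. Unsubscribe any time."
    parties = ["Example Ltd", "Example Email Service Provider"]
    t = datetime(2018, 3, 2, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # alice: clean unticked checkbox with full evidence -> permission
    ledger.record(ConsentRecord("alice@example.com", "weekly_newsletter", t,
                                "unticked_checkbox", notice, parties, True))
    # bob: pre-ticked box -> default consent, no permission
    ledger.record(ConsentRecord("bob@example.com", "weekly_newsletter", t,
                                "pre_ticked", notice, parties, True))
    # carol: affirmative action but the notice text was never stored -> cannot demonstrate
    ledger.record(ConsentRecord("carol@example.com", "weekly_newsletter", t,
                                "unticked_checkbox", "", parties, True))
    # dave: valid double opt-in, later withdrawn
    ledger.record(ConsentRecord("dave@example.com", "weekly_newsletter", t,
                                "double_opt_in", notice, parties, True))
    ledger.withdraw("dave@example.com", "weekly_newsletter",
                    datetime(2018, 4, 1, tzinfo=timezone.utc))
    # erin: imported list, no record at all
    contacts = ["alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com"]
    return ledger.audit(contacts, "weekly_newsletter")


if __name__ == "__main__":
    for bucket, members in demo_audit().items():
        print(bucket, members)
```

Only alice ends up in the 'has GDPR permission' bucket. The others fail for the reasons the checklist lists: a pre-ticked box, no stored record of what was said, a withdrawal, or no record at all. Storing the notice text verbatim rather than a version number is deliberate: when asked to demonstrate consent, you need to show exactly what the person read.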
2. Right to be forgotten
The right to be forgotten, also known as the right to erasure, entitles a contact to require the company holding their personal data to erase it, to cease further dissemination of it, and potentially to have third parties halt processing of it.
After receiving a request, the company must tell the person what action it has taken within one month. Where requests are complex or numerous, that period can be extended by a further two months, provided the person is told about the extension, and the reason for it, within the first month.
As a marketer, it is your responsibility to make sure users can easily ask to see what data your company holds about them and can withdraw their consent.
This can be as simple as including an unsubscribe link in your email marketing that leads to a user profile where people manage their email preferences. It can also mean digging through piles of data in your systems, searching for consent records, and deleting information from multiple locations.
The best solution is a single platform or CRM system that holds the consent record and personal information for every user. That makes it easier to keep track of all your permission data and stay GDPR compliant.
Step by step: what to do when you receive a data erasure request:
- Confirm you have received the request and explain what will happen next
- Locate the personal data and identify all processors and third parties that may also hold it
- Notify every identified third party with access to the personal data to remove it completely from their records and to confirm the erasure
- Remove the personal data from your own records
- Inform your contact of the data erasure
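The five steps above form one workflow, and the order matters: third parties have to be told before your own copy goes, because the identifier you hold is what tells them whom to erase. The example below is added for this article and is not Dot.vu code. The `Processor` interface, the in-memory stand-ins for a primary store and three third parties (one of which never confirms), the contact id and the dates are all constructed. The response period is one month, so the deadline helper adds a calendar month and clamps to the end of a short month.

```python
"""Erasure request workflow across a primary store and third-party processors.

Added example, not Dot.vu code. Processor names, contact ids and dates are
constructed for illustration.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Protocol, Tuple


class Processor(Protocol):
    """What we need from any third party that holds a copy of the data."""
    name: str

    def holds(self, contact_id: str) -> bool: ...

    def erase(self, contact_id: str) -> bool: ...   # True means erasure confirmed


@dataclass
class InMemoryProcessor:
    """Constructed stand-in for a third party. reliable=False simulates one that never confirms."""
    name: str
    data: Dict[str, dict]
    reliable: bool = True

    def holds(self, contact_id: str) -> bool:
        return contact_id in self.data

    def erase(self, contact_id: str) -> bool:
        if not self.reliable:
            return False
        self.data.pop(contact_id, None)
        return True


def one_month_later(d: date) -> date:
    """One-month response period, clamped to month end (31 Jan -> 28 Feb)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class ErasureRequest:
    contact_id: str
    received: date
    deadline: date = field(init=False)
    steps: List[str] = field(default_factory=list)   # audit trail of what was done
    outstanding: List[str] = field(default_factory=list)  # processors that have not confirmed
    status: str = "received"

    def __post_init__(self) -> None:
        self.deadline = one_month_later(self.received)


def handle_erasure(request: ErasureRequest, primary: Dict[str, dict],
                   processors: List[Processor]) -> ErasureRequest:
    # 1. Confirm receipt and explain what happens next (here: record the deadline).
    request.steps.append(f"acknowledged; response due by {request.deadline.isoformat()}")
    # 2. Locate the data: our own store plus every processor that holds a copy.
    holders = [p for p in processors if p.holds(request.contact_id)]
    request.steps.append(f"located: primary={request.contact_id in primary}, "
                         f"processors={[p.name for p in holders]}")
    # 3. Notify third parties first and collect confirmations; we still hold the id they need.
    for p in holders:
        if p.erase(request.contact_id):
            request.steps.append(f"{p.name}: erasure confirmed")
        else:
            request.outstanding.append(p.name)
            request.steps.append(f"{p.name}: no confirmation, chase before deadline")
    # 4. Remove the personal data from our own records.
    primary.pop(request.contact_id, None)
    request.steps.append("primary store: erased")
    # 5. Inform the contact. The request log keeps only the id and the outstanding list,
    #    which is what we need to finish the job and to demonstrate what was done.
    request.status = "completed" if not request.outstanding else "pending_third_party"
    request.steps.append(f"contact informed: status={request.status}")
    return request


def run_demo() -> Tuple[ErasureRequest, Dict[str, dict], List[InMemoryProcessor]]:
    """Constructed scenario: one processor confirms, one never does, one holds nothing."""
    primary = {"c-1001": {"email": "alice@example.com", "name": "Alice"}}
    processors = [
        InMemoryProcessor("email_service", {"c-1001": {"email": "alice@example.com"}}),
        InMemoryProcessor("adtech_partner", {"c-1001": {"hash": "ab12"}}, reliable=False),
        InMemoryProcessor("analytics", {}),
    ]
    request = handle_erasure(ErasureRequest("c-1001", date(2018, 1, 31)), primary, processors)
    return request, primary, processors


if __name__ == "__main__":
    req, _, _ = run_demo()
    for line in req.steps:
        print(line)
```

In the constructed run, the request ends in `pending_third_party` with `adtech_partner` outstanding, even though the primary store and the cooperating processor have both erased the record. That is the state a marketer should expect to see and follow up on: a request is not closed until every party that held the data has confirmed.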
3. Access request
The GDPR gives contacts the right to confirmation of whether or not a company is processing personal data concerning them, including where the data is held and for what purpose. The company must also provide a digital copy of the personal data free of charge. Requests must be handled within one month.
4. Right to data portability
Data portability is the right of a contact to receive the personal data they previously provided to a company in a structured, commonly used and machine-readable format, and to transmit that data to another company.
5. Breach notification
The GDPR requires companies holding data to notify their country's supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected individuals must also be told without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
As a marketer, it is your responsibility to ensure there is a breach plan in place, or at least to familiarise yourself with the one that exists.
Disclaimer: This website does not provide legal advice for your company to use in complying with EU data privacy laws such as the General Data Protection Regulation. Instead, it provides information to help you better understand what can be done on the Dot.vu platform to comply with the law. This information is not legal advice, and we encourage you to seek a professional lawyer's opinion when relying on it. To be clear, this information is in no way a recommendation or an expression of legal understanding. This page does not list every requirement of the GDPR, and it is important that you make sure your company meets all the legal requirements of the GDPR.