In my last article, I explained that GDPR originated in Europe but that its impact will be felt by every global company holding any European contact data. I also covered that it takes effect in May 2018, that you need to appoint a data protection officer to coordinate the project, and I provided a 10-point checklist to help you get the ball rolling.
In Part II, let’s look under the hood at some important factors that don't normally get mentioned. To prepare for GDPR, here’s a simple overview of 12 key changes marketers must consider.
1. Personal Data, Data Subject and Natural Person
Under GDPR, the term "natural person" replaces "data subject," and there is a much broader definition of "personal data" that includes various forms of personal or online identifiers.
2. IP Tracking
There is already a significant debate about whether IP addresses constitute personal data. Various regulators and court cases have asserted this is the case, but further clarification will be required on this point, which will have massive ramifications for the online advertising industry.
3. Does 'Natural Persons' Apply to B2B?
While companies are not "Natural Persons," individuals who work at those companies are, so the GDPR will apply equally to consumer and business-to-business data.
4. Data Processing Changes Under GDPR
Processing means: "Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." This definition is very broad, and is likely to cover the vast majority of business activities using personal data.
5. Data Controller Changes Under GDPR
In effect, the organization that collects and processes the data will be the "data controller" and has the main responsibility for compliance and accountability for the data it holds.
6. Data Processor Changes Under GDPR
Under GDPR, "Processor" means: "A natural or legal person, public authority, agency or any other body who processes personal data on behalf of the controller."
There are new requirements in GDPR designed to make processors share the accountability for data protection compliance. They will also, for the first time, be jointly liable for breaches, which requires compensation of individuals for damage caused by non-compliant processing.
7. Special Categories of Personal Data (formerly called ‘Sensitive Data’)
Special categories of data are afforded extra protection under GDPR. These categories will, in most cases, require explicit consent for processing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic data (new)
- Biometric data (new)
- Data concerning health or sex life
- Sexual orientation
8. Data Protection Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Data accuracy
- Storage limitation
- Integrity and confidentiality (security)
Any processing of personal data should be lawful and fair. It should be transparent to people that personal data concerning them is collected, used, consulted or otherwise processed and to what extent the personal data is or will be processed.
The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used.
9. What Makes Processing Legal?
Processing is legal where it:
- Is necessary for performance of a contract
- Is in compliance with legal obligation
- Is necessary to protect vital interests of the data subject
- Is in the public interest or exercising official authority
- Is with the consent of the person
- Is in the legitimate interests of the controller, or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person
10. Consent
The definition of consent has been changed under GDPR. The data subject’s consent means:
- "Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed."
- "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
GDPR also makes it clear that consent should not be conditional upon sign-up to another service, i.e. bundled together.
Individuals must also be told they can withdraw consent and it must be simple to do.
Proof of Consent
Organizations processing data with consent must demonstrate they have obtained consent fairly and that the individual was given the necessary information to understand their choices.
In practice this means having some way of recording in the database the details of the consent gained, e.g. the type of consent, purposes of use that were stated, date gained, etc.
Most businesses will struggle to accommodate the detailed records which may be needed under GDPR on current systems, and significant development may well be needed.
Data controllers will have to decide whether they will record consent by channel (regarded as best practice, but not an absolute requirement of GDPR).
The date a consent was given should be recorded as well as the mechanism used to obtain consent (online clicks or positive agreement on the telephone for example).
Actual wording used at the time consent was obtained will also need to be provided if there is a challenge to the validity of the consent.
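As an added illustration (my own code, not the author's or any vendor's), here is a minimal consent ledger in Python that stores the details listed above (type of consent, stated purposes, channel, date, mechanism and the actual wording), refuses records that would not count as consent, supports simple withdrawal, and can produce the record evidencing consent for a given purpose at a given time. All class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class ConsentRecord:
    """One consent event, holding the details the text above says to keep."""
    subject_id: str
    consent_type: str            # e.g. "email_marketing"
    purposes: tuple              # purposes of use stated at the time
    channel: str                 # channel the consent covers, e.g. "email"
    mechanism: str               # "online_click", "telephone_positive_agreement", ...
    wording: str                 # exact wording shown or read to the person
    affirmative_action: bool     # True only for a clear affirmative act
    bundled_with_service: bool   # True if consent was a condition of sign-up
    obtained_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Refuse to store anything that would not count as consent under GDPR.
        if not rec.affirmative_action:
            raise ValueError("silence, pre-ticked boxes or inactivity are not consent")
        if rec.bundled_with_service:
            raise ValueError("consent must not be conditional on another service")
        if not rec.wording.strip() or not rec.purposes:
            raise ValueError("wording and stated purposes must be retained")
        self._records.append(rec)

    def withdraw(self, subject_id: str, consent_type: str, when: datetime) -> int:
        # Withdrawal must be simple: one call closes every matching open consent.
        closed = 0
        for r in self._records:
            if (r.subject_id, r.consent_type, r.withdrawn_at) == (subject_id, consent_type, None):
                r.withdrawn_at = when
                closed += 1
        return closed

    def proof(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentRecord]:
        # The record evidencing consent for `purpose` at time `at`, or None.
        for r in self._records:
            active = r.obtained_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
            if r.subject_id == subject_id and purpose in r.purposes and active:
                return r
        return None
```

Because withdrawal closes a record rather than deleting it, the ledger can still show that consent existed for a mailing sent before the withdrawal date.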
11. Profiling
Under GDPR, profiling has been given a comprehensive definition, which is intended to include all forms of automated decision-making:
During the negotiations of the GDPR text, there was significant concern that all profiling (including that for marketing purposes) would be subject to the requirement for consent. In the final text, GDPR identifies two different types of profiling:
- Profiling with legal or similarly significant effects, i.e. profiling from which "decisions are based that produce legal effects concerning him or her or similarly significantly affects him or her."
- Other profiling without such effects (including most profiling for direct marketing purposes).
Profiling for Direct Marketing Purposes
Profiling for direct marketing purposes is less controlled and explicit consent is not required. But there is still a right to opt-out.
12. The Rights of People, i.e. Data Subjects
Right of Access: Subject Access Requests
Individuals have the right to access all the personal data stored on them. The information needs to be supplied in writing, or in electronic form when the request has been made electronically (unless it is requested in writing).
The key changes in GDPR are:
- There will be no fee for the first copy of information in response to a subject access request. Data controllers may charge if the individual asks for a copy to be sent to another interested party, e.g. their solicitor.
- There is a deadline of one month. The timescale may be extended by two further months if it is a particularly complex request.
- The change to ‘no fee’ may well lead to a rise in the number of requests which controllers receive.
The information which needs to be included within an access response can be significant. Along with the purposes of the processing, and the categories of personal data that have been collected, the controller must also supply the following information:
- The recipients of the personal data, including those outside the EU
- How long the data will be stored
- The right to request rectification or erasure of personal data
- The right to object to processing
- The right to complain to the Supervisory Authority
- Knowledge of personal data still undergoing processing, along with its significance and consequences
Right to Rectification
If a data subject finds any inaccuracies in their personal data they can ask the organization to rectify it.
The Right to Erasure
The existing right to be forgotten has been extended into the right to erasure. This gives people the right to request their personal data be erased ‘without undue delay’.
The Right to Data Portability
Under GDPR there is a new right to data portability, designed to make it easier for individuals to switch accounts.
Instead of looking at GDPR with dread as a costly headache, smart marketers will see it as a unique opportunity to have a complete top-to-bottom data review. Ensure you're GDPR compliant, but, at the same time, have a full data review and clean-up. Reach out to your audience with a new "Preference Center," so that they can tell you exactly what they want to hear about, and how often.
I predict the arrival of GDPR will be the dawn of a new era of personalized marketing that will generate far more business than your current marketing communications could ever imagine.