GDPR – A quick guide for marketers

The General Data Protection Regulation is a new data protection legislation that replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across member countries of the European Union, to protect all European Union citizens’ information and give them control over their own consumer data, and to reshape the way organizations across the region approach data privacy.

GDPR will come into effect on May 25th, 2018 and will impact all marketers doing business in the EU or with EU citizens (independent of residency).  Non-compliant organizations will face fines of up to 4% of gross global revenues or $20 million Euros, whichever is higher.

The United States does not have an overarching federal data privacy law. There are federal laws that provide some minimal data privacy protection for certain industries (HIPAA, FCRA, FTCA, COPPA, etc.) but otherwise data privacy is based on state law. In fact there are 48 different laws within 2 states, Alabama and South Dakota and, as of mid-2017, none of which deal with personal data security breaches. While the new GDPR law requires more of marketers, they will also get the benefit of uniform data protection laws.

At the heart of the newly defined rights of individuals is control. The key areas they will now legally control are:

• Conditions of Consent: Under GDPR, a request for consent must be clear and approving consent must be actively given by the individual. There are more stringent parental consent rights for the processing of data for those under 16 years of age.
• Right to Object: When a decision is based on an automated processing, such as inclusion in direct marketing communications, individuals have the right to be excluded and can opt out at any point.
• Right to Access: Individuals have the right to access their personal data free of charge and within a month of their request date. This is limited to the personal data they supplied.
• Right to Rectification: Individuals have the right to request that inaccuracies in their personal data are corrected.
• Right to Data Portability: Individuals can request a portable copy of their data for their own use, or for transfer to another party.  This must be in a usable format.
• Right to Erasure: Requires permanently removing all identifiable traces of personal data at the individual’s request.  Some permanently anonymized data can be kept for analytics purposes.

GDPR protects both EU citizens and EU residents. Previous EU legislation focused just on the residency of the customer but with GDPR, the legislation is now expanded to include residency or EU citizenship. If a marketer has customers who are EU citizens and the marketer controls or processes customer data as part of a sale of goods or services, communications, etc., whether the marketer is physically in Europe or elsewhere, GDPR regulations apply. It is important to note that the legislation is somewhat inconsistent in its terminology on this point, which has led to some confusion but all industry and legal experts we have spoken to support this interpretation. Coupled with the recent Equifax and Uber data breaches, and the 2017 U.S. Executive Orders reducing data privacy rights, specifically those of non-US citizens, we fully expect the EU to enforce this law in a way that best protects its citizens.

Personal Data includes all PII data but goes far beyond that concept. Marketers need to be thinking in terms of Personal Data going forward, not PII. Personal data includes, but is not limited to, identifiers such as a name, email address, phone number, an identification number, location data, an online identifier, or one or more attributes specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Personal Data is different than PII because it includes not only directly identifiable things like email address, but also the concept of indirectly identifiable data points such as sex, race, income and much more. Consider the example of age. By itself age cannot be used to identify an individual out of a large group.  However, in combination with gender, zip code, birth month, etc. someone could reasonably identify an individual. This indirect concept is why the EU has not published a list of personal data points and why they will not do so in the future. There are also special data types that are afforded extra protection as they can easily be used to discriminate.

Special data types are categories of sensitive personal data such as racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, and sexual orientation. Processing of these types of data is allowed only under specific conditions so as to protect data subjects from potential discrimination.

Yes, a data retention policy is required. This should incorporate key GDPR concepts including data minimization and erasure of personal data in scenarios that are not based on an individual’s request for erasure.

No, in fact it may increase your risk of violating GDPR and other laws like Can-Spam and CASL. GDPR is designed to help marketers understand their responsibilities, not keep them from functioning. For example, maintaining personal data in a safe environment is necessary to safeguard against accidental deployments to opt-outs.

To ensure compliance, marketers should evaluate all their programs, policies, vendor contracts and agreements, as well as data management practices. Any necessary changes should be made prior to May 2018. Here are a few essential areas that marketers should address:

• Any terms, conditions, and data usage language that are part of your subscription process should be made clear. To do so, audit all sign-in programs, preference centers, and unsubscribe processes. Make sure there are no pre-checked boxes and individuals are able to easily opt out or correct any inaccuracies in their personal data.
• Update consent language terms to ensure use of profiling activities for marketing purposes is clear. Implement processes that provide individuals with the ability to halt automated profiling of their data.
• In regards to the individual’s right to portability and erasure, consider creating a request tracking mechanism with defined relevant data fields, request rejection rules, and transfer or erasure security rules in order to efficiently fulfill transfer and erasure requests.
• Evaluate, document, and keep records of all processing activities along with consent and objections. This applies to both marketers (controllers) and any partner vendors (processors).
• Carry out large scale data cleansing prior to May 2018 to comply with retention for old and unused data.
• Review and update terms, conditions, and privacy notices to make sure they are transparent, concise, written in plain language and easily accessible.
• Review and update your protocols for data breach management, notifications, and escalation. Protocols should take into account that breach notifications must now be provided to the controlling authority within 72 hours of identification.
• Hire or appoint a Data Protection Officer (DPO) who has access to senior management to manage process change, compliance, and education. Provide the DPO’s name and contact information to all processors.
• Privacy Impact Assessments (PIA) are mandatory when there is automated processing of personal data. If this applies to you, establish processes to conduct them.