GDPR for Marketers


What is GDPR, and what does it mean for marketers and the marketing industry?

Marketers around the world are hearing about the General Data Protection Regulation (GDPR), which came into force on 25th May 2018. It will have a big impact on the way marketers obtain, store, manage and process the personal data of EU citizens.


According to independent research carried out by a marketing agency, only 36% of marketers have heard about GDPR, while 15% of companies are doing nothing and are at risk of non-compliance.

There are two parts of GDPR I want to highlight for marketers. First, even if you're based outside of the EU, if you control or process the data of EU citizens the GDPR applies to you. Second, the potential penalties for falling foul of GDPR are severe. Depending on the type of violation, companies can incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). These big penalties show that the regulators mean business and that companies cannot afford to ignore the legislation.

The marketer's world is going to change dramatically, as the GDPR will hasten the demise of marketing tactics like buying lists, cold emailing and spam. GDPR puts the power over their privacy in the hands of consumers.

What is the impact of GDPR on marketing activities?

As a marketer, your very first question will be: where should I start with GDPR? What are the changes concerning individual rights, internal procedures, supervisory authorities and, finally, scope, accountability and penalties? For more on all of the above, do visit my dedicated page.


With that said, let's start with marketing and GDPR as they apply to inbound marketing, stage by stage.

Stage 1: Data Collection

Transparency

GDPR has come into force to ensure that there is more transparency between organizations (who collect the data: data controllers) and customers (data subjects). This means that any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. The end customer (the data subject) will need to give their consent to that use, and the consent needs to be clear, in plain English and "informed, specific, unambiguous, and revocable". Data subjects also need to be told about their right to withdraw consent.

Data Minimization

This applies to marketers collecting data from an individual in order to convert a website visitor into a lead. Under the GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection. Data collected by the organization which is deemed unnecessary or excessive will constitute a breach of the GDPR.

Stage 2: Data Storing and Processing

Purpose & Usage Limitation

Marketers can only use the data collected and stored by them for specified, explicit, and legitimate purposes. They’re not allowed to use it in any way that would be incompatible with the intended purpose for which it was collected. Also, if they plan to transfer or share the data with another company, they need to ensure they have consent from the person to do so.

Security

Once data is collected, the organization needs to ensure it is stored in a secure manner and in accordance with the security provisions of the GDPR. This means they must use "appropriate technical and organizational security measures" to protect personal data against unauthorized processing and accidental loss, disclosure, access, destruction, or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymization or anonymization methods to protect it, or segregating the data from other data in their systems.
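To make the difference between the pseudonymization and anonymization mentioned above concrete, here is an added example (not from the original post, and not any particular vendor's method) using only Python's standard library; the lead records and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample lead records (not real people), as a marketing CRM might hold them.
LEADS = [
    {"email": "Amy@example.com", "name": "Amy Smith", "country": "IE", "interest": "webinar"},
    {"email": "bob@example.org", "name": "Bob Jones", "country": "DE", "interest": "ebook"},
    {"email": "cara@example.net", "name": "Cara Lee", "country": "IE", "interest": "webinar"},
]


def subject_token(key: bytes, email: str) -> str:
    """Keyed token for one person: HMAC-SHA256(key, normalised email).

    A plain unkeyed hash would not do: anyone holding a list of candidate
    addresses could hash them and rebuild the mapping. The secret key is what
    stops re-identification by whoever does not hold it.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list, key: bytes) -> list:
    """Replace direct identifiers (email, name) with the keyed token.

    Pseudonymised data is still personal data under the GDPR, because the key
    holder can re-link it; keep the key in a separate, tightly controlled store.
    """
    return [{"subject_id": subject_token(key, r["email"]),
             "country": r["country"], "interest": r["interest"]} for r in records]


def anonymize(records: list) -> dict:
    """Keep only aggregate counts per (country, interest); nothing links back."""
    counts: dict = {}
    for r in records:
        k = (r["country"], r["interest"])
        counts[k] = counts.get(k, 0) + 1
    return counts


def find_subject(pseudo_records: list, key: bytes, email: str) -> list:
    """Locate one person's rows (for a correction or deletion request) with the
    key, so the analytics store never needs to hold the email itself."""
    token = subject_token(key, email)
    return [r for r in pseudo_records if r["subject_id"] == token]
```

The pseudonymized copy can be handed to analytics or a vendor while the key stays with the controller; the aggregate from `anonymize` carries no identifier at all and falls outside the GDPR's definition of personal data.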

Accuracy

People will now be able to ask organizations at any time to correct or update their data if the information is no longer accurate.

Accountability

The organization is responsible for ensuring they comply with their obligations under the GDPR. Not only will they need to keep records to prove compliance (for instance, records of consent for all of the data collected), they’ll also need to ensure they have policies in place governing the collection and use of that data.

They may need to appoint a data protection officer (DPO) and they’ll also need to ensure they implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf.

Stage 3: End of the Relationship

Retention

Organizations may only hold on to personal data for as long as is necessary to fulfil the intended purpose of collection. So if the relationship is terminated for any reason, they need to ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.

In drafting their retention policies, organizations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods. For example, they may need to retain some financial data for auditing purposes by law. While this is permitted, it should be outlined clearly in their retention policy and made clear to the individual. Again, the principle of transparency is important, even at this stage in the relationship.

Deletion

If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but from the systems of any downstream vendors who were processing that data on behalf of the organization.

Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.

In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
