In God we trust, all others must bring data – W. Edwards Deming
Hello. Welcome to this article.
Did you know that the minute you clicked on this article, your digital shadow grew?
Are you aware that you have been leaving a digital footprint, which is becoming more and more accurate?
Every picture you take, every call you make, every comment you leave, everything is adding to your digital footprint. Personal data is being collected at an unbelievable rate.
We are producing mind-boggling amounts of data every minute. There is so much data that it is now compared to oil as a valuable resource for the digital economy.
Every click and scroll is leaving a trail, getting stored somewhere in the world that we are uninformed about. In fact, you can see what Google knows about you here – it knows your music interests, what you have been reading, where you have been, and much, much more.
The threat with all this data is that most of us don’t know how our data is being used, and the people that use our data (hereinafter called data handlers) don’t fully understand how data should be used. All our personal data is susceptible to being misused or stolen. That’s a good reason to be concerned about your data, isn’t it?
41% of marketers admit to not fully understanding both the law and best practice around the use of consumer’s personal data. (Source)
This should impel us to take some drastic measures and regulate how to manage personal data. It is imperative to police companies that handle your data, and hold them accountable for their actions. Last year, on 25th May 2018, the European Union was the first to take a step towards this. They introduced a new set of laws to reshape the way data is handled, for both consumers and companies. These regulations are called GDPR, and this is a guide for marketers to understand everything about GDPR in 12 minutes. So, here we go.
GDPR, or the General Data Protection Regulation, is a game-changing step towards a citizen-first approach to online privacy. Since there were no proper privacy laws in place until now, companies have been taking unfair advantage.
Organizations have been using our personal data as they see fit, without worrying about the impacts and consequences on consumers. GDPR gives the power back to the consumers.
EU (European Union) regulators believe that all companies should be held liable for all their actions, and citizens should be empowered. So with GDPR, they standardized all the different privacy legislation into a single set of regulations that will protect individuals from all EU member states.
It was high time that both citizens and companies benefited from the digital economy. With GDPR, companies are now forced to look at how they are using the data they capture, and to conduct regular privacy impact assessments.
It became crucial for organizations to rework how they seek permission to use data, document the way personal data is used, manage data better, work on data breach notifications, and do much more. But, to understand GDPR better, we need to understand what comes under the ambit of personal data.
Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person (also called a ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
To put it simply, personal data is any kind of information which, when put together, can lead to the identification of a natural person. It really is just that simple. The main things you need to know are that:
GDPR was introduced because the previous EU data regulations had not changed in the past 24 years. Since 1995, when the EU Data Protection Directive 1995 was released, the world had changed dramatically, but data privacy laws remained outdated.
Businesses and individuals alike have become more dependent on the web, which made it crucial to change the way data is handled.
Data was so poorly managed that you would be surprised to know that the data laws before GDPR were only a directive. What a directive essentially means is that companies and countries were not legally bound to follow it and could choose to opt-out or ignore it.
So, if anything went amiss, organizations could literally throw their hands in the air like they just don’t care.
The European Commission took data very seriously. They planned for a data protection reform and wanted to work towards making Europe fit for the digital age.
On 25th January 2012, the proposal for GDPR was released.
After four years of consideration and debate, GDPR was finally adopted by the Council of the European Union on 14th April 2016. In May of 2016, the official text of the regulation was published in all of the official languages of the EU, and on 24th May the regulation entered into force.
The GDPR provisions became applicable in all member states after 2 years on 25th May 2018, and by 20th July it became valid in Iceland, Liechtenstein, and Norway as well.
GDPR establishes a standard set of rules that applies to everyone in the European Economic Area (EEA). This includes all countries of the European Union as well as non-EU countries like Iceland, Liechtenstein, and Norway.
Basically, GDPR is applicable to any organization operating within the EU, as well as ones which, despite being outside the EEA, provide goods or services to customers/companies in the EU. All the data-managing parties under GDPR can be categorized as data handlers.
Data handlers are categorized as –
A data controller is a “person, public authority, agency or another body which, alone or jointly with others, determines the purpose and means of the processing of personal data” (Article 24).
Simply put, if your organization decides why and how personal data should be processed, it would be labeled as a data controller.
If your organization together with one or more organizations decides why and how personal data should be processed, it is called a joint controller (Article 26).
Confused about whether you are a data controller or not?
Here is a GDPR checklist for data controllers to help you secure your organization, protect customers’ data, and avoid the fines for non-compliance.
A data processor is “a person, public authority, agency or another body which processes personal data on behalf of the controller” (Article 28). Just to be clear, since the processor only processes data on behalf of the controller, it is usually an external third party to the company/controller.
Essentially, the obligations of a processor towards the controller must be specified in a contract, in compliance with GDPR.
According to GDPR, the processor is legally obligated to maintain all records of personal data and how it is processed. The same is the case with the controller.
Data breaches occur often, and our data gets lost, stolen, or released to people who were not intended to see it. GDPR provides every individual with the following rights:
GDPR gives all individuals the right to their own data. Under GDPR, organizations are required to notify the consumers as well as the appropriate national bodies as soon as possible so that consumers can take the right steps to prevent any malicious use of their data.
GDPR primarily revolves around 3 areas that you need to understand as marketers, namely,
This area revolves around the concept of consent and is focused on the people who request to receive material from you. Let’s talk about your email subscribers: you cannot assume that every person wants to be contacted.
As per GDPR, your subscribers need to express their consent in a freely given, informed, specific, and unambiguous way, followed by a clear affirmative action.
I know this sounds complicated, but it really isn’t. This means that all your prospects and customers need to physically confirm that they want to receive emails from you. A pre-ticked box that opts them in by default would not be considered as consent.
The pre-ticked opt-in box on the right is not GDPR compliant (Image Source)
Has it ever happened to you that you have a lot of data and don’t quite know what to do with it? Well, this just won’t cut it. Thanks to GDPR, now you have to legally justify the processing of the personal data you collect.
As a marketer, you need to focus on the data you really need and stop collecting unnecessary data. This would not only be beneficial for the consumers, but you will be able to organize your data better.
It is an additional responsibility as a marketer to ensure that your users have easy access to their data. This means that you have to put control of personal data in the hands of the users. This area makes it mandatory for you to include an unsubscribe link in all the emails you send, and also to let your consumers manage their email preferences.
You also need to understand your users’ right to be forgotten. With easy access comes the right to have outdated personal data deleted, and you have to make this process convenient for your customers. It is true – with great data, comes great responsibility.
Ever since GDPR became applicable, all companies have been forced to take data seriously and be GDPR compliant. If organizations don’t follow this, they will be penalized with some hefty fines. I’m sure you would have seen a lot of websites with this logo.
With the introduction of GDPR, it became a huge factor for consumers to only work, and continue working, with GDPR-compliant companies. By now, your organization should be GDPR compliant as well, but in case it isn’t, here’s what you need to do:
But despite following all of the above, there is still the possibility of a breach occurring. So let’s swiftly shift to reporting data breaches under GDPR.
According to Article 4 of GDPR, any breach of security that leads to the accidental or unlawful loss, destruction, alteration, disclosure of, or unauthorized access to personal data constitutes a data breach.
Data breaches which are likely to violate the rights and freedoms of people need to be reported to the Information Commissioner’s Office (ICO). Essentially, report any breach that is likely to lead to discrimination, financial loss, loss of confidentiality, damage to reputation, or other economic or social issues.
Every organization is required to take all the necessary steps to assess the severity of the breach and contain it. Don’t know whether you should report to the ICO? Do this self-assessment to determine that.
If there is a breach, it must be reported to the ICO within 72 hours of becoming aware of it. If the breach is serious enough, then the public/customers need to be notified without undue delay. Not doing so can lead to massive fines and penalties.
God forbid, if you ever have to report a breach, the following must be provided in your breach notification:
Make sure that you take all of this with utmost seriousness. GDPR non-compliance is being taken more seriously than most had assumed.
The GDPR fines depend on the severity of the data breach and the steps taken by the organization under GDPR compliance. There are 2 kinds of fines in GDPR:
Note: the window for reporting a data breach to the ICO is fixed at 72 hours after discovery of the breach, not 72 working hours.
So you will end up with heavy fines if your organization is non-compliant with GDPR. I know this sounds like a lot, but it is high time that we start treating data as the resource it truly is.
Your data can accurately depict your personality, and there are bits and pieces of your data floating around somewhere. Take care of your data, and yourself. 🙂
Republished with permission from Freshmarketer and updated on 14th October 2019