A Marketer's Guide to GDPR

In God we trust, all others must bring data – W. Edwards Deming

Hello. Welcome to this article.

Did you know that the minute you clicked on this article, your digital shadow grew?

Are you aware that you have been leaving a digital footprint, which is becoming more and more accurate?

Every picture you take, every call you make, every comment you leave, everything is adding to your digital footprint. Personal data is being collected at an unbelievable rate.

Image Source

We are producing mind-boggling amounts of data every minute. There is so much data, that it is now compared to oil, as a valuable resource to the digital economy. 

Every click and scroll is leaving a trail, getting stored somewhere in the world that we are uninformed about. In fact, you can see what Google knows about you here – it knows your music interests, what have you been reading, where have you been, and much much more.

The threat with all this data is that most of us don’t know how our data is being used, and the people that use our data (hereinafter called data handlers) don’t fully understand how data should be used. All our personal data is susceptible to being misused or stolen. That’s a good reason to be concerned about your data, isn’t it?

41% of marketers admit to not fully understanding both the law and best practice around the use of consumer’s personal data. (Source)

This should impel us to take some drastic measures and regulate how to manage personal data. It is imperative to police companies that handle your data, and hold them accountable for their actions. Last year, on 25th May 2018, the European Union was the first to take a step towards this. They introduced a new set of laws to reshape the way data is handled, for both consumers and companies. These regulations are called GDPR, and this is a guide for marketers to understand everything about GDPR in 12 minutes. So, here we go. 

What is GDPR?

GDPR or General Data Protection Regulations is a game-changing step towards a citizen-first approach to online privacy. Since there were no proper privacy laws in place until now, companies have been taking an unfair advantage.

Organizations have been using our personal data as they see fit, without worrying about the impacts and consequences on consumers. GDPR gives the power back to the consumers.

EU (European Union) regulators believe that all companies should be held liable for all their actions, and citizens should be empowered. So with GDPR, they standardized all the different privacy legislation into a single set of regulations that will protect individuals from all EU member states. 

It was high time that both the citizens and the companies benefit from the digital economy. With GDPR, now companies are forced to look at how they are using the data they are capturing, and are conducting regular privacy impact assessments. 

It became crucial for organizations to reworking on how to seek permission to use data, document the way personal data is used, manage data better, work on data breach notifications, and do much more. But, to understand GDPR better, we need to understand what comes under the ambit of personal data.

What is Personal Data?

Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person (also called ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

To put it simply, personal data is any kind of information which when put together can lead to the identification of a personal person. It really is just that simple. The main things you need to know are that:

1. GDPR is technology-neutral. It protects personal data irrespective of the technology used in capturing or processing that data.
2. Personal data if de-identified, encrypted, or pseudonymized can still be used to re-identify a person. If that is the case, then this data continues to come under the scope of GDPR.
3. Personal data that has been anonymized will no longer be considered personal data only if it is irreversible. It is important that after anonymization, the individual citizen is no longer identifiable.

The History of GDPR

GDPR was introduced because the previous EU data regulations had not changed in the past 24 years. Since 1995, when the EU Data Protection Directive 1995 was released, the world had changed dramatically, but data privacy laws remained outdated.

Businesses and individuals alike have become more dependent on the web, which made it crucial to change the way data is handled. 

Data was so poorly managed that you would be surprised to know that the data laws before GDPR were only a directive. What a directive essentially means is that companies and countries were not legally bound to follow it and could choose to opt-out or ignore it.

So, if anything went amiss, organizations could literally throw their hands in the air like they just don’t care. 

(Image Source)

The European Commission took data very seriously. They planned for a data protection reform and wanted to work towards making Europe fit for the digital age.

On 25th January 2012, the proposal for GDPR was released. 

After four years of consideration and debate, GDPR was finally adopted by the Council of the European Union on 14th April 2016. In May of 2016, the official texts of the regulations were published in all of the official languages of the EU, and on 24th May, the regulations were entered into force. 

The GDPR provisions became applicable in all member states after 2 years on 25th May 2018, and by 20th July it became valid in Iceland, Liechtenstein, and Norway as well.  

Who does GDPR apply to?

GDPR establishes a standard set of rules that applies to everyone in a European Economic Area (EEA). This includes all countries from the European Union as well as non-EU countries like Iceland, Liechtenstein, and Norway. 

Basically, GDPR will be applicable to any organization operating within the EU as well as ones which despite being outside EEA provide goods or services to customers/companies in the EU. All the data managing parties to GDPR can be categorized as data handlers. 

Who are data handlers? 

Data handlers are categorized as – 

1. Data controllers, and
2. Data processors.

Image source

A data controller is a “person, public authority, agency or another body which, alone or jointly with others, determines the purpose and means of the processing of personal data” (Article 24). 

Simply put, if your organization decides why and how personal data should be processed, it would be labeled as a data controller. 

If your organization together with one or more organizations decides why and how personal data should be processed, it is called a joint controller (Article 26).

Confused about whether you are a data controller or not?

Here is a GDPR checklist for data controllers to help you secure your organization, protect customers’ data, and avoid the fines for non-compliance. 

A data processor is “a person, public authority, agency or another body which processes personal data on behalf of the controller” (Article 28). Just to be clear, since the processor only processes data on behalf of the controller, it is usually an external third party to the company/controller.

Essentially, the obligations of a processor towards the controller must be specified in a contract, in compliance with GDPR. 

According to GDPR, the processor is legally obligated to maintain all records of personal data and how it is processed. The same is the case with the controller.

So, what does GDPR mean for Consumers (individuals)?

Data breaches occur often, and our data gets lost, stolen, or released to people who were not intended to see it. GDPR provides every individual with the following rights: 

1. The right to be informed:
   Consumers have the right to be informed about their personal data collection and how it is being used. This basically covers the key transparency requirements under GDPR. The data handlers need to share how they process the data that they capture with absolute clarity.
2. The right to access:
   All individuals have the right to access their personal data. This means that all individuals can obtain a copy of their personal data along with supplementary information. As a data handler, it’s your responsibility to provide easier access to their personal data.
3. The right to rectification:
   This implies that all individuals have a right to rectify inaccurate personal data or to complete it if it is incomplete. A request needs to be made by the consumers for the same either verbally or in writing.
4. The right to erasure:
   Every consumer has the right to have their personal data erased. This is also called the right to be forgotten. But, this right is not absolute and is only applicable in certain instances like when the personal data is no longer necessary.
5. The right to restrict processing:
   According to this, individuals have the right to request restriction or suppression of their personal data. Consumers can limit the way the data handlers are using their data, which is to say that once the processing is restricted, companies can still store the data but are not permitted to use it anymore.
6. The right to data portability:
   This right allows consumers to obtain their personal data and reuse it. They can move, copy, or transfer their personal data easily in a secure way.
7. The right to object:
   All consumers have an absolute right to stop their data from being processed in certain circumstances. Individuals need to be told about their right to object explicitly.

GDPR gives all individuals the right to their own data. Under GDPR, organizations are required to notify the consumers as well as the appropriate national bodies as soon as possible so that consumers can take the right steps to prevent any malicious use of their data.

What Does GDPR Mean for You (the marketers)?

GDPR primarily revolves around 3 areas that you need to understand as marketers, namely, 

1. Data permission,
2. Data focus, and
3. Data access.

Data Permission

This area revolves around the concept of consent and is focused on the people who request to receive material from you. Let’s talk about your email subscribers: you cannot assume that every person wants to be contacted.

As per GDPR, your subscribers need to express their consent in a freely given, informed, specific, and unambiguous way, followed by a clear affirmative action. 

I know this sounds complicated, but it really isn’t. This means that all your prospects and customers need to physically confirm that they want to receive emails from you. A pre-ticked box that opts them in by default would not be considered as consent.

The pre-ticked opt-in box on the right is not GDPR compliant (Image Source)

Data Focus

Has it ever happened to you that you have a lot of data and don’t quite know what to do with it? Well, this just won’t cut it. Thanks to GDPR, now you have to legally justify the processing of the personal data you collect. 

As a marketer, you need to focus on the data you really need and stop collecting unnecessary data. This would not only be beneficial for the consumers, but you will be able to organize your data better.

Data Access

It is an additional responsibility as a marketer to ensure that your users have easy access to their data. This means that you have to give control of personal data in the hands of the users. This area makes it mandatory for you to include an unsubscription link within all the emails you send and also to let your consumers manage their email preferences. 

You also need to understand your users’ right to be forgotten. With easy access comes the right to have outdated personal data deleted, and you have to make this process convenient for your customers. It is true – with great data, comes great responsibility. 

How to be GDPR Compliant: A Checklist

Ever since GDPR became applicable, all companies have been forced to take data seriously and be GDPR compliant. If organizations don’t follow this, they will be penalized with some hefty fines. I’m sure you would have seen a lot of websites with this logo. 

With the introduction to GDPR, it became a huge factor for consumers to only work and continue working with GDPR compliant companies. By now, your organization should be GDPR compliant as well, but in case it isn’t, here’s what you need to do: 

• Conduct a data inventory and flow audit.
  You cannot be GDPR compliant unless you understand what data you process and how. Most companies don’t entirely know where their marketing databases come from. Audit your existing databases and mailing lists.  If you cannot find a proper record of your subscribers opt-in, remove them.
• Review your existing data.
  Understand the data and how you are using it. Is it important to even collect all this data, or can you do without it? Rework on the forms on your website and only collect data you require. Moreover, figure out how to efficiently organize the data.
• Obtain active consent.
  Move on from pre-ticked boxes and obtain affirmative action from your subscribers. For all new subscribers, make sure that they explicitly ask to be contacted in the future. Confirm their subscription by sending them an automated subscription email.
• Keep tabs on existing data profiles.
  Understand how you’re using information from any profile. If your customers request their existing data, you must be able to give them an electronic copy of all the data you have collected and how you are using it. Your customers have a right to port the data that you have captured and reuse it outside the company. You must make it easier for your users to obtain their data from you.
• Respect the right to be forgotten.
  All your users have a right to data deletion. Once the main purpose of the data has been fulfilled, your customers have the right to request you to completely erase their personal data. It is imperative that you have systems in place for the same.
• Update your privacy statement.
  Review your existing privacy statement and amend it to comply with GDPR requirements. Learn how to write a GDPR-compliant privacy statement.
• Design better security protocols
  As a data controller, you need to design better systems with proper security protocols. So keep privacy protection in mind, and design better processes. Failure to do so can lead to fines due to non-compliance.
• Appoint a data protection officer (DPO)
  An organization must appoint a DPO if it carries out data processing on a large-scale. Take this test to know whether your organization needs to appoint a data protection officer.
• Centralize your personal data collection
  Use a customer relationship management system to store all your customer data in one place. CRM systems make it convenient for users to access their data, review their usage, and make changes if required.
• Discuss new sales techniques with your sales teams
  Email is the channel chosen by sales reps to connect to their prospects, but there are other ways to connect with prospects. Just to be GDPR compliant, push your sales teams to connect with prospects on social media and use said medium for their first touchpoint.
• Perform a DPIA – Data Protection Impact Assessment
  If your organization is storing personal data, you will have to perform a DPIA. Here’s how you can do a DPIA with your stored data. 

But despite following all of the above, there are possibilities for a breach to occur. So lets swiftly shift to reporting data breaches under GDPR.

How to Report a Data Breach under GDPR?

According to Article 4 of GDPR, any breach of security that leads to the accidental or unlawful loss, destruction, alteration, disclosure of, or unauthorized access to personal data constitutes a data breach. 

The data breaches which are likely to violate the rights and freedoms of people, need to be reported to the Information Commissioner’s Office (ICO). Essentially, report any breach that is likely to lead to discrimination, financial loss, loss of confidentiality, damage to reputation, or other economic or social issues.

Every organization is required to take all the necessary steps to see the severity of the breach and contain it. Don’t know whether you should report to the ICO? Do this self-assessment to determine that.

If there is a breach, it must be reported to the ICO within 72 hours of becoming aware of it. If the breach is serious enough, then the public/customers need to be notified without undue delay. Not doing so can lead to massive fines and penalties. 

What information to provide while reporting a breach? 

God forbid, if you ever have to report a breach, the following must be provided in your breach notification: 

1. An explanation of the breach, including information on the number of people affected by it, and the types and volume of records of personal data involved. 
2. A description of all the potential consequences of the breach. 
3. A description of the measures an organization has to take to deal with the breach. 
4. The contact details of the organization’s DPO.

Make sure that you take all of this with utmost seriousness. GDPR non-compliance is being taken more seriously than most had assumed.

GDPR Fines and Penalties for Non-Compliance

The GDPR fines depend on the severity of the data breach and the steps taken by the organization under GDPR compliance. There are 2 kinds of fines in GDPR: 

1. In the case of infringements of rights, unauthorized international transfer of data, and failure to put procedures in place, the organization is liable to pay either 20 million euros or 4% of the annual global turnover, whichever is greater. This is the maximum fine payable under GDPR. 
2. A lower fine is applicable if the organization has mishandled data in other ways, failed to report the data breach to the ICO within 72 hours, failed to build in privacy by design, failed to appoint a DPO and more. This fine is of 10 million euros or 2% of the annual global turnover, whichever is greater. 

Note: While reporting the data breach to the ICO, note that the window is fixed at 72 hours after the discovery of the breach, and not 72 working hours.

So you will end up heavy fines if your organization is non-compliant with GDPR. I know this sounds like a lot, but it is high time that we start treating data as the resource it truly if.

Your data can accurately depict your personality, and there are bits and bits of data of yours floating somewhere. Take care of your data, and yourself.  🙂

Republished with permission from Freshmarketer and updated on 14th October 2019