As most people know by now, the European Union has come up with new data collection rules that are making life complex for marketers like us. We wrote this up to help our clients find clarity on what GDPR (the General Data Protection Regulation) means for them, and we hope you find it useful.
(We also wrote this companion piece with 33 questions to ask about GDPR if you aren’t sure if you are ready for GDPR or not.)
Just to be clear, we aren’t lawyers, and your own legal team needs to provide counsel as this relates to your business – the info below is purely for informational purposes and shouldn’t be relied on for legal advice. With that said, here are our findings on what GDPR means for businesses and advertisers, and what you need to do in order to be compliant with the new rules!
The Basics of GDPR
- First, GDPR stands for General Data Protection Regulation, and it is a European Union regulation that changes the way data is collected by businesses within the European Union.
- It takes effect on May 25, 2018.
- There are six key principles of GDPR:
- transparency – telling people how the data will be used
- honesty – only using the data for the purposes specified at time of collection
- limits – only collecting data that is necessary for the purpose you specify
- accuracy – making sure the data is accurate
- storage – only storing the data for as long as necessary for the intended purpose
- protection – preventing loss or theft of data in a proactive way
- There is an unlisted SEVENTH requirement for accountability: you need to be able to show how you are in compliance with the principles on demand. (In my opinion, this should have been a seventh principle, but no one asked me.)
- GDPR applies to anyone who does business with Europeans or people in Europe. Specifically, GDPR applies to any organization inside or outside the EU who is marketing products or services to, and/or tracking EU citizens, whether they are inside or outside the EU and the EEA (European Economic Area). This basically means GDPR applies to any business.
- What are the penalties for noncompliance? Very large. The maximum fine for a single breach is either €20 million or 4% of annual worldwide revenue. This is crazy. (To put it in perspective, if Google (aka Alphabet, Inc.) is in breach, the fine would be around $4b-$5b.)
What GDPR Means for Marketers
- For advertisers and marketers, here are the most important things to know:
- You need to be upfront and clear on consent.
- You need to be ready to demonstrate your compliance with the six principles of GDPR — so you need an internal GDPR policy.
- For the purpose of marketers like us, here is what consent means under GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear, affirmative action, signifies agreement to the processing of personal data relating to him or her.”
- The key part you need to know about consent is: you need both “affirmative action” that captures consent and you must also be “specific” about how the data will be used. Make sure you think about that in relation to your website disclosures.
- Furthermore, you need to make sure that a customer can change their mind at any time — and withdraw consent.
- Let’s recap what we’ve learned about GDPR to this point: first, you need to update your forms to make sure people know (1) what they are consenting to, (2) how you will use the data, (3) the fact that they can change their mind in the future, (4) how you are protecting their data from breach, and (5) how you will provide evidence of your compliance.
A List of Recommendations To Be Compliant With GDPR
Given all the points above, here is what we recommend, based on Article 13 of GDPR:
- The identity and contact details of the Controller and their representative to the EU and DPO (if applicable)
- The purposes of the processing of data for which their personal data is intended;
- Recipients or categories of recipients with whom the data is shared;
- Information on any international data transfers;
- The period of time for which the personal data will be stored or the criteria used to determine the period;
- An explanation of an individual’s right to access, rectify, erase, or object to the processing of data;
- The right to withdraw consent to processing data (if appropriate);
- The right to lodge a complaint with supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of the failure to provide such data;
- The existence of automated decision-making including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- The legal basis for processing
- If personal data is obtained from sources other than the data subject, such as third party data providers, you must provide some additional information about the data and source. Refer to Article 14 if applicable.
- Specifically, here are the checkboxes and links you need to use:
- A link or checkbox to a “consent to data processing” (the value can be a “YES” or a “NO” for their answer);
- A link or checkbox to consent as of the last update (the value is the date and time that GDPR Consent was updated);
- A link to the “consent notes” (containing the purpose of data processing and a history of consent provided that is documented here) — the value here should capture the purpose of capturing the data; the way the data was obtained, and any previous consent purposes.
- A link to GDPR Consent Operational Program – detailing how you ensure that you respect and handle consent agreement.
- A link to “Correspondence Opt-Out” — letting people opt-out of correspondence easily.
- A link to enable them to opt-out of cookie collection or web tracking.
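The consent fields above (a yes/no value per purpose, the date and time of the last update, the purpose, how consent was obtained, and the history of earlier consent) and the requirement that people can withdraw at any time map naturally onto an append-only ledger. This is an added, constructed example of such a ledger, not Marketo’s or any vendor’s code; the subject identifiers, purposes and timestamps are made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

def utc_ts(iso):
    """Parse a constructed ISO-8601 timestamp such as '2018-05-25T09:00:00+00:00'."""
    return datetime.fromisoformat(iso)

@dataclass(frozen=True)
class ConsentEvent:
    purpose: str      # what the data will be used for, e.g. "newsletter", "web_tracking"
    granted: bool     # True = consent given, False = consent withdrawn
    method: str       # how it was obtained: "web_form", "email", "verbal", "written"
    at: datetime      # date and time of this consent update

@dataclass
class ConsentLedger:
    # subject id -> append-only list of events, oldest first
    events: dict = field(default_factory=dict)

    def record(self, subject, purpose, granted, method, at):
        """Append an event; nothing is ever overwritten, so the history survives."""
        self.events.setdefault(subject, []).append(ConsentEvent(purpose, granted, method, at))

    def withdraw(self, subject, purpose, method, at):
        """Withdrawal is just another event: the subject can change their mind at any time."""
        self.record(subject, purpose, False, method, at)

    def has_consent(self, subject, purpose):
        """Current state is the latest event for that purpose; no record means no consent."""
        for ev in reversed(self.events.get(subject, [])):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def last_updated(self, subject):
        """Date and time consent was last updated, or None if the subject is unknown."""
        evs = self.events.get(subject, [])
        return evs[-1].at if evs else None

    def evidence(self, subject):
        """Accountability: the consent notes you can show on demand (purpose, method, history)."""
        return [(e.at.isoformat(), e.purpose, e.granted, e.method)
                for e in self.events.get(subject, [])]

def may_process(ledger, subject, purpose):
    """Check consent for the specific stated purpose before processing, not a blanket flag."""
    return ledger.has_consent(subject, purpose)
```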
A Summary of Next Steps on GDPR
Here is a quick summary of what you need to do:
- Every form should have a checkbox that says something to the effect of: “Do Not Keep My Details.”
- Every form should have a “hover” field that gives additional input on what someone is agreeing to — for instance, a question mark next to “Do not keep my details” that reveals additional information such as “By checking this box, you are opting out of receiving additional offers and information from us in the future.”
- If you want to have a newsletter, you need to create a publicly available “Email Subscription Center” — this should allow people to enter their name and email address, and allow them to control the type of information that they subscribe to. An email subscription center should allow someone to check boxes specifying the frequency of communication, type of communication, and whether they subscribe or unsubscribe. It should also give customers a path to contact you to remedy any questions they have on emails they receive.
- You should have a link in multiple places that clearly states: “Opt Out of Website Tracking.” — this page should be cookie’d and the cookie should be used purely for exclusion and suppression purposes. There should also be a link that indicates what someone needs to do in order to stay suppressed. For instance, if they click on the homepage without clicking the “Opt-out” link again, the cookie may need to be re-set.
- Here is an example of Marketo’s “Email Subscription Center” which provides a good model:
We also recommend including the following ways that customers can provide or revoke consent:
- They tell you verbally that they don’t want communications.
- They tell you via email that they don’t want communications;
- They send you written communications in some form that tells you that they don’t want communications via certain channels;
- We recommend maintaining lists within your email system and CRM to document any of these preferences.
- And regarding data access, individuals have the right to request to obtain confirmation that their data is being processed and, if so, to access their personal data.
- Furthermore, you must respond to requests for access within one month of the request;
- Finally, in order to be compliant with the “Accountability” principle of GDPR, we recommend that you do the following:
- Create a policy that identifies the roles of anyone who has access to data;
- State that internally individuals should have access to data only insofar as access is necessary to fulfill their role with respect to the data;
- Review access regularly (we recommend doing so at specific intervals) to make sure roles are being accurately assigned and no one has access to data unnecessarily;
- Keep all data encrypted: HTTPS protects it in transit, and use other means as appropriate to protect it where it is stored.
This blog post represents our understanding of GDPR as it relates to digital marketers after consulting with lawyers, other marketers, and reading the EU’s GDPR guidance. This is a lot of information, and it does not represent definitive information as it relates to your business – we recommend speaking to your own legal counsel, but we also hope this is helpful in helping you understand and prepare for GDPR.