What is GDPR?
The countdown begins. May 25th marks the enforcement of GDPR – probably the most researched and written about acronym to date. We all know by now that the General Data Protection Regulation (GDPR) provides legislation on all organizations generating and processing personal data related to EU-citizens.
It’s a great legal framework to put users’ rights first and foremost, returning the control to their hands as to what information they would like to give away to online businesses – just as they would for offline businesses.
This has become among the most disruptive regulation rocking the online marketing world because it applies to virtually any online business (regardless of location) that sells to EU citizens – and they will have to adhere to GDPR or risk costly penalties.
What does this mean for online marketers?
The online marketing industry is getting (understandably) jittery, as it primarily functions because of data collected from your customers’ behaviours for purposes of personalisation and targeting of advertisements. Because of GDPR, this very basis is being questioned – but for a fairer collection and usage of data. GDPR gives rise to the four main questions that online marketers need to be able to answer:
Is your collected data personally identifiable?
Source: Article 4.1 of GDPR
Personal data is defined as any information relating to an “identifiable natural person”. This person can be identified “directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”.
This is a very broad definition since it also includes data that can allow indirect identification. This means not only names and data containing names such as an email address are considered personal, images, customer IDs and perhaps data on behaviour could be too.
Is consent given for the data?
Source: Article 7 of GDPR
Any storage and usage of personal data must be preceded by a request for consent to the individual involved “using clear and plain language”. This consent must be requested granularly: data subjects must be able to choose which personal data can be stored and which cannot.
What’s new is that silence, pre-ticked boxes or inactivity no longer constitutes consent. Data collection must now be on an opt-in basis, rather than by default opted in. In addition, there needs to be clear explanations as to what the data is used for when requesting consent. If the data is used for multiple purposes, consent needs to be given for each and every one of them.
Can your data be accessed and exported?
For those, whose data you are collecting, they have the legal right to obtain information from you as to “whether or not personal data concerning him or her are being processed”, what they are processed for, and who is processing these data. On the other hand, you will need to provide a readable copy of all personal data that is undergoing processing relating to this individual.
This also means that businesses need to ensure that they have even the right IT infrastructure to summon up these information when an individual requests it.
Do your data subjects have the right to be forgotten?
Source: Article 17 of GDPR
Data subjects have the right to request for the stored personal data to be erased, for instance when their data is no longer necessary for the purposes they were collected for – and you are obliged to concede to this request “without undue delay”. What this underlines is the integrity of ensuring your reason for collecting is clearly and comprehensively explained, so that your data subjects know exactly what they are consenting to.
On the other hand, if they withdraw their consent and there were no legal ground to process the data in the first place, then these data must be removed. This is likely to apply to all previously collected data, which had not been properly consented to before.
According to some articles, GDPR leaves the door slightly ajar in Article 6(1) where it allows passive consent for the storage and usage of data in case of a “legitimate interest” on the side of the organization collecting the data. However, this legitimate interest must be balanced with the interest of the individuals involved, and there is much debate on how to keep this balance.
The key terms to grasp GDPR are consent, transparency and accountability. Personal data can only be generated when individuals have given their consent, and it should be possible to revoke consent at any time.
When personal data is collected, individuals have the right to know how they will be stored, to what aims they will be used and by whom. The storage and usage of data should be properly managed and supervised. Naturally it is advised for businesses to educate the team, hire a Data Protection Officer (DPO), change policies and ensure compliance.
Perhaps the real question for businesses, the elephant in the room so to say, is whether you should work towards being able to collect and erase the personal data you collect, or – if possible – not collect any personally identifiable data at all.
Interested in discussing this?
This article has been written by Product Manager Dr. Gijsbert Pols and Marketing Manager Swee Huang Hustedt-Teo.