What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, introducing new requirements for how organizations process data, both in the EU and abroad. The regulation ensures privacy for individuals, and gives regulatory authorities greater power to take action against businesses that breach the new laws.
The requirements and rights granted to EU citizens under the GDPR are defined in a document containing 99 articles. Companies collecting and storing the personal data of citizens in the EU are required to address each of these articles in order to achieve and maintain compliance.
What is personal data?
The European Commission defines personal data is any information that relates to an identified or identifiable living individual. Personal data can include names, ID numbers, phone numbers, and in some cases IP addresses. The definition of personal data continues to broaden, and can even include genetic, mental, cultural, economic, and social identity identifiers.
Consequences of noncompliance with GDPR
Companies that are found to be noncompliant with the GDPR can be penalized with severe fines of up to 4% of annual global revenue or 20 million Euro—whichever sum is greater.
In the early years of the GDPR, European data protection authorities are more likely to target enterprise companies or those that are engaged in annoying or ruthless marketing to make an example out of them. But the risk of being detected is real and probable, even for smaller companies. GDPR authorities have made it as easy as possible for individuals to file claims against companies they suspect of misusing their data, without needing to initiate a huge lawsuit or take other cumbersome steps.
Key points on GDPR for marketers
The GDPR requirements for companies are listed in an extensive document containing 99 articles. While there are a lot of details to take into consideration, there are few central points that marketing teams should especially pay attention to in order to maintain compliance.
- Obtaining consent for the processing of personal data must be clear and must seek an affirmative response
- Data subjects have the right to be forgotten and erased from records
- Customers or users may request a copy of personal data in a portable format
- Personal consent is required for the processing of personal data of children under age 16
- If your company processes particularly high volumes of personal data, a dedicated data protection officer must be appointed
1. Marketers must handle Personally Identifiable Information (PII) correctly
The GDPR requires that marketers provide notices to marketing subjects about the handling of their Personally Identifiable Information (PII). These notices must be concise, transparent and in a format that’s easy to access.
Notices must contain the following information:
- Legal basis for processing
- What, if any, legitimate interests are relied upon
- Details of any international data transfers
- Data retention periods (or criteria used to determine them)
- The existence of the various data subject rights
- The right to withdraw consent at any time
- The right to complain to the Data Protection Authority
- Whether or not there is a statutory or contractual requirement to provide the data, and the consequences if it is not provided
2. Marketers must be prepared for Data Subject Requests
At any time, somebody can ask your team about what Personally Identifiable Information you have on them. If requested, you must be ready to deliver that data within 30 days. Similarly, if somebody asks for their information to be deleted, or they withdraw their consent, you must comply within 30 days.
3. Marketers must obtain affirmative consent
Does your marketing team have “consent-based processing” in place? Under the GDPR, companies must demonstrate that they have received valid consent to store and process personal information. Data subjects must be informed and then provide their consent in a specific, free, and unambiguous manner. This requires a clear affirmative action, for instance, where the potential data subject ticks a box or “opts in.”
Keep in mind:
- You must request consent using clear and plain language
- No pre-ticked boxes
- No opt-out “consent”
- No bundled consent— it must be unpacked so that separate consents are obtained for different processing activities
- There are specific rules in relation to children and online services
- It must be just as easy for data subjects to withdraw consent as it is to give it
4. Marketers must comply with the right to be forgotten
Data subjects have the right to insist that their data be erased in cases where processing violates or no longer justifiable under the GDPR or member state law. For instance, someone who withdraws their consent can then ask that their data be erased on the basis that their consent is withdrawn.
Companies are also required to notify recipients and communicate any erasure or rectification of data. If data has been “made public,” for example in a social media post, you are obliged to erase the data and take “reasonable steps” to inform other Data Controllers who might be processing the data that the data subject has requested erasure of “any links to, or copy or replication of” that personal data.
The right to be forgotten is subject to some exceptions, including compliance with a legal obligation and for the establishment, exercise or defense of legal claims.
Benefits of GDPR for marketers
The measures marketers are required to take in order to comply with the GDPR may feel inconvenient or laborious at times. However, there is a silver lining.
"I think people need to remember that the goal of GDPR is to protect personal data and privacy,” says Peter Yeung, Global Data Protection Officer at Episerver. “With that in mind, the global GDPR does not prevent companies from successfully marketing and selling their products and services.”
In fact, this new era of GDPR marketing can be beneficial for marketers. Not only does GDPR level out the competitive playing field, it enables marketers to more easily identify relevant leads and opportunities and reach a better informed and more interested customer base.
“Having affirmative consent means that leads that you ultimately get will have a higher level of interest in what you have to offer because they have clearly consented to you marketing to them,” says Peter. “You aren’t barraging them with messages that don’t resonate or annoy them.”
Why choosing the right marketing platform for GDPR compliance is important
Working with a marketing platform that is GDPR optimized can be a significant source of support when it comes to maintaining GDPR compliance and taking some of the workload off your marketing team.
While some providers discuss how their platforms are designed and developed with “privacy by design” as required under GDPR, we at Episerver have taken this GDPR responsibility further. Our software products and services go beyond data “privacy by design” and have been engrained into the company ethos of Data Protection and Privacy by Design.
By using the Episerver Digital Experience Cloud, your marketing team can easily meet the GDPR requirements, while keeping all of the functionalities that make your company a leader in digital marketing.