The General Data Protection Regulation (GDPR) is a European Union (EU) law that became enforceable on 25 May 2018, replacing the Data Protection Directive 95/46/EC. It was intended to:
Harmonize data privacy laws across Europe
Protect and empower the data privacy of everyone in the EU
Rethink the way organisations across the region view data privacy.
What does GDPR mean to companies?
The GDPR is not optional; it is a law that is enforced. It applies to any person or organisation established in the EU, and to anyone outside the EU who offers goods or services to people in the EU or monitors their behaviour, regardless of those people's citizenship.
To comply, businesses must be transparent about how and why they collect personal information for marketing. Where consent is the legal basis, the person must be asked for explicit, specific permission at the point of collection; under any basis, the organisation must tell the person what it collects and why.
In essence, the GDPR:
Gives individuals more control over their personal data
Clarifies how data can be used and moved from one EU member country to another (and beyond)
Requires businesses to allocate more resources and take more responsibility for protecting data privacy
Legal bases for processing data
A legal basis is the lawful justification for processing personal data. Every processing activity must rest on one of them, and the GDPR provides six:
Consent – The individual has freely given specific, informed and unambiguous consent to the processing.
A contract between an organization and a person – The organization requires certain data in order to provide a service, for example a delivery address when e-commerce is involved.
Legal obligation – The organisation needs the information to comply with a legal requirement or statute.
Vital interests – Processing is necessary to protect someone's life.
Public task – The organisation processes information to perform a function in the public interest or to exercise official authority, as set out in law.
Legitimate interests – Processing is necessary for the organisation's (or a third party's) legitimate interests, which can include direct marketing to existing customers, provided those interests are not overridden by the individual's rights and freedoms. This basis requires a documented balancing test; it is not a blanket licence to email or call anyone whose contact details the organisation holds.
Responsibilities of digital marketers
Digital marketers need to understand their responsibilities with respect to the six legal bases, and the rules that govern data storage and processing.
Included are:
Data Consent Rules: The term “data consent” refers to the collection of personal information about leads and prospective customers via digital marketing channels and their unambiguous and explicit consent to hear from an organization.
Data Processing Rules: The data processing rules describe how an organization processes the collected data and whether leads, prospects and customers are aware of the reasons for processing the information in a certain way.
Data Retention Rules: Data Retention refers to the length of time an organization keeps personal data, and the reasons why.
Data Transfer Rules: Data transfer refers to moving the personal data of people in the EU outside the EU for legitimate commercial purposes, which is permitted only under an adequacy decision or another appropriate safeguard.
Data Deletion Rules: Data deletion refers to the process of removing personal data from a system, including on request from the data subject.
The role of marketing in GDPR compliance
The Head of Marketing, or the marketing department, plays a crucial role in supporting GDPR compliance and communicating its requirements to senior management.
Marketing plays a unique role in the collection, processing, retention, transfer, and deletion of data that belongs to the public, as well as to users and customers of organizations. The person or persons within the team who are nominated to implement GDPR compliance should be aware of all the responsibilities and scope of the project.
It is usually a team effort, since the digital marketer who leads GDPR-related efforts will need to work closely with IT, Support, Engineering, Customer Success, and Product, to ensure data privacy processes and dependencies are understood and supported throughout the organization.
Data Protection Officer
Appointing a Data Protection Officer (DPO) helps guide the resources put in place to comply with the GDPR.
The GDPR does not require a DPO for every organisation. A DPO must be appointed for all public authorities, where the controller's or processor's core activities involve regular and systematic monitoring of data subjects on a large scale, or where the core activities involve large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin or religious beliefs. Organisations outside these triggers may still appoint one voluntarily.
Data Controllers and Data Processors
The members of the digital marketing team must be conversant with both the roles of Data Controller and Processor. In order to know whether they are acting as Data Controller or Data Processor, it’s important to understand the scenarios.
The data controller is defined as:
Person or organization that determines the purpose and method of processing personal information. You decide how and why the data will be used.
The data processor can be defined as follows:
A person or body other than the controller's own employees that processes personal data on the controller's behalf. The controller assigns the task, and the processor carries it out under the controller's documented instructions.
Every time a digital marketing professional deals with data, it is crucial that they know if they are playing one of these two roles.
Legitimate business interest
A legitimate business interest means the business must have a valid, identifiable reason to collect and use particular data. A pizza business, for example, needs a customer's name and home address to deliver an order. The order alone does not authorise the business to use that information for direct marketing such as sending flyers, and passing it to a third party without a legitimate interest could also be a GDPR violation.
The reason for collection and processing of data must not violate the rights of a natural person. You must ask yourself: What data is being collected and why?
The GDPR makes it clear that consent must be recorded. Consent must be freely given, unambiguous, and requested in clear and plain language; the data subject must not have to wade through long and confusing legalese. Withdrawing consent or unsubscribing must be as easy and clear as giving it.
Marketing roles and GDPR
Line managers and senior executives are expected to understand the full impact and workings of GDPR, both on their team and individual contributors.
What are the main roles and tasks of an average digital marketing group?
Developers
Website forms are correctly set up.
Website plugins are compliant.
The website platform is secure.
The CMS is correctly integrated.
Data Analysts
Compliant analysis tools
Where possible, direct integrations are used so that data is not exported onto individual computers or spreadsheets.
Graphic designers
Information that is internal to the company is never used in graphics.
Consent must be signed and recorded for the use of customer data in public facing content.
Copywriters
Information that is internal to the company and not shared with the public is never used.
Consent must be signed and recorded for the use of customer data in public facing content.
Contractors must not have access to CMS data beyond what has been explicitly authorised.
PR
Obtain, document and maintain media contacts' consent before sending them materials.
Prepare communications in the event of a data breach.
Keep a brand that is trustworthy when it comes to data management.
Events
Before adding booth visitors to your CRM, you must obtain, record and maintain their consent.
Check the terms and conditions of the event attendee lists. Are the attendees aware they have signed up for communications from your organization? What communications are aligned with their expectations?
Check the policies for any apps or services that you may use to attend or run an event. Who owns and secures the data?
Digital Marketing
Data protection impact assessments (DPIAs, often called privacy impact assessments or PIAs) are carried out for projects and processes, and are mandatory where the processing is likely to result in a high risk to individuals.
Sensitive data
Some digital marketers may have stricter GDPR requirements than others, depending on their industry.
Included are:
Healthcare
Fintech
Public Service
Organisations that process the data of children (the GDPR sets the age of digital consent at 16, and member states may lower it to no less than 13)
Organisations that collect special category data or data about vulnerable people.
All of these organizations must adhere to the strictest data privacy and protection policies
The Marketing Department’s Responsibilities
What are the responsibilities for a digital marketing department in terms of recording, maintaining and reporting data under GDPR?
Included are:
Recording email opt-ins
Create an opt-in/opt-out flow where consent is unambiguous. Opting out should be as simple and as clear as opting in.
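The two requirements above (consent must be recorded, and opting out must be as easy as opting in) are easiest to meet if every opt-in and opt-out is written to an append-only ledger that also answers "may I contact this person today?" and "what do we hold about this person?". The following is an added illustration written for this page, not code from the original article or from any vendor; the field names, the `marketing_email` purpose string, the pseudonymous subject identifiers and the sample events are all assumptions constructed for the example.

```python
"""Minimal consent ledger: append-only events, current-state check, access export, erasure."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Union


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or opt-out. The fields are the evidence you would show a regulator."""
    subject_id: str        # pseudonymous key for the person (assumed: a hash of the email address)
    purpose: str           # what the consent covers, e.g. "marketing_email" (assumed name)
    granted: bool          # True = consent given, False = consent withdrawn
    timestamp: datetime    # when it happened; must be timezone-aware
    source: str            # channel, e.g. "web_form:/newsletter" or "unsubscribe_link"
    notice_version: str    # version of the privacy notice shown at the time
    wording: str           # exact text the person agreed to (empty for withdrawals)


class ConsentLedger:
    """Events are never edited; the latest event per (subject, purpose) is the current state."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if event.granted and not event.wording.strip():
            # A grant without the wording shown is not demonstrable consent; refuse to store it.
            raise ValueError("an opt-in must record the wording the subject agreed to")
        self._events.append(event)

    def grant(self, subject_id: str, purpose: str, when: datetime,
              source: str, notice_version: str, wording: str) -> None:
        self.record(ConsentEvent(subject_id, purpose, True, when, source, notice_version, wording))

    def withdraw(self, subject_id: str, purpose: str, when: datetime, source: str) -> None:
        # Withdrawal needs no justification and no wording: one click is enough.
        self.record(ConsentEvent(subject_id, purpose, False, when, source, "", ""))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[Union[datetime, str]] = None) -> bool:
        """Current (or historical) state; no event at all means no consent."""
        if at is None:
            at = datetime.now(timezone.utc)
        elif isinstance(at, str):
            at = datetime.fromisoformat(at)
        relevant = [ev for ev in self._events
                    if ev.subject_id == subject_id and ev.purpose == purpose and ev.timestamp <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda ev: ev.timestamp).granted

    def export(self, subject_id: str) -> List[dict]:
        """Subject access request: everything held about the person, in a serialisable form."""
        return [{**asdict(ev), "timestamp": ev.timestamp.isoformat()}
                for ev in self._events if ev.subject_id == subject_id]

    def erase(self, subject_id: str) -> int:
        """Erasure request: drop every event for the person; returns how many were removed."""
        before = len(self._events)
        self._events = [ev for ev in self._events if ev.subject_id != subject_id]
        return before - len(self._events)


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data for the example; not taken from any real system."""
    ledger = ConsentLedger()
    utc = timezone.utc
    wording = "Yes, email me product news. You can unsubscribe at any time."
    ledger.grant("subj-1", "marketing_email", datetime(2024, 3, 1, 9, 0, tzinfo=utc),
                 "web_form:/newsletter", "privacy-notice-v3", wording)
    ledger.grant("subj-2", "marketing_email", datetime(2024, 3, 1, 9, 5, tzinfo=utc),
                 "web_form:/newsletter", "privacy-notice-v3", wording)
    ledger.withdraw("subj-2", "marketing_email", datetime(2024, 3, 5, 18, 30, tzinfo=utc),
                    "unsubscribe_link")
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    for subject in ("subj-1", "subj-2", "subj-3"):
        print(subject, "may be emailed:", demo.has_consent(subject, "marketing_email"))
```

Two design choices matter here: a subject who has never been asked is treated the same as one who has withdrawn (the default is "no"), and the ledger is queried per purpose, so consent to email news does not leak into consent for SMS or for sharing with a partner.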
Standardizing the way a new customer is added to CRM through all marketing channels
Understand every data entry process in the CRM that falls under the marketing department's responsibility, and ensure each process has clear guidelines on consent where it touches people in the EU.
Explaining the process for honoring requests from data subjects to delete their data
Test a subject access request and an erasure request end to end; document and refine the process and train all team members.
Communicating data breaches
Prepare a set of pre-approved templates for crisis communications and understand the deadlines within which you must give notice of a data breach: the supervisory authority must be notified within 72 hours of becoming aware of the breach where feasible, and affected individuals without undue delay when the breach is likely to put their rights at high risk.
Updating the Privacy and Terms & Condition pages
Your DPO should review the public-facing data usage documentation at regular intervals, together with the IT team and a legal expert.