Learn more about the General Data Protection Regulation and how it may impact your digital marketing program.
Please Note: This article does not constitute legal advice. We recommend you seek professional legal advice where appropriate.
It is our goal at Adept, as a marketing partner and Google Analytics Certified Partner company, to help each of our clients understand the General Data Protection Regulation (GDPR) and compliance as it relates to digital marketing. We developed this article to inform our clients of the implications associated with the GDPR, but others may find it valuable as well.
We know there is a lot of confusion and many questions about the implications of the GDPR, especially when it comes to the different types of data collection and what compliance requires for each. We hope this post helps to address those questions. Should you have questions after reviewing the details below, please contact your Client Experience manager.
What is the GDPR?
On May 25, 2018 the GDPR took effect and changed the rules for collecting, storing and using the personal data of people in the European Union. The GDPR aims to give those individuals more control over their personal data and to harmonize data-protection law across the EU. It replaced the EU’s 1995 Data Protection Directive and made notable changes to the existing rules, including:
- Expanding the definition of personal data
- Consolidating laws for the data handling of European citizens
- Delineating the roles and responsibilities of data usage and storage
- Requiring companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34)
- Escalating the penalties for noncompliance
Who does the GDPR impact?
Despite being an EU regulation, the GDPR does not hinge on EU citizenship and does not exclude US companies. It protects anyone located in the EU, whatever their nationality: the regulation "applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Therefore, any organization that offers products or services to people in the EU, or that monitors their behaviour, for example by tracking visitors to its website with analytics or advertising cookies (Article 3(2)), is impacted by the GDPR.
While GDPR impacts most businesses, not all business risk profiles are equal. Your organization’s size, location, user base, measurement and marketing strategies, and most importantly your own legal counsel’s advice, all impact how you should comply with the new rules.
Several factors which put you at a higher risk profile include:
- You have offices in the European Union (EU)
- You have customers or users in the EU
- You store or process sensitive personal information (Article 9)
- You have more than 250 employees
The GDPR (Article 37) requires a Data Protection Officer (DPO) for:
- Public authorities and bodies
- Organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale
- Organizations whose core activities involve large-scale processing of sensitive personal data (Article 9) or criminal conviction data (Article 10)
How does GDPR define personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)). In practice that covers two kinds of data:
- Directly identifying information, such as a person’s name, phone number, postal address or email address.
- Pseudonymous, or non-directly identifying, information, which does not identify the user on its own but still allows profiling such as retargeting or personalization.
Yes, online identifiers such as cookie IDs and IP addresses are now explicitly named in the definition of personal data (Article 4(1) and Recital 30), confirming the broad reading of "personal data" that EU regulators already applied under the 1995 Directive.
However, the GDPR establishes a clear distinction between directly identifying information and pseudonymous data. The GDPR encourages the use of pseudonymous information and expressly provides that “the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”
The GDPR also draws a clear line between sensitive (special-category) personal data and ordinary personal data. Processing sensitive data is prohibited unless one of the conditions in Article 9(2) is met, such as the data subject’s explicit consent.
Sensitive data is any data that reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation
How do you ensure digital marketing compliance?
It must be restated that only your company's legal counsel can and should provide final guidance on full compliance with the GDPR.
We have seen a wide spectrum of interpretations regarding GDPR from many companies, some accurate and some not, which is why we recommend consulting legal counsel to ensure you are in compliance.
As outlined above, compliance is dependent on organizational risk factors. We recommend beginning with a legal risk assessment to understand what, if any, adjustments should be made.
We recommend ensuring the below practices are audited and reviewed, specifically related to digital marketing:
- Use clear and transparent language outlining all data collection and data usage, and give directions on how to opt out.
- Require explicit consent when collecting directly identifiable information that will be used for marketing (e.g. a newsletter sign-up).
  - Consumers must give active consent to have their information collected for marketing. Passive consent, such as a pre-ticked box the consumer has to untick after a sale, silence or inactivity, is not valid consent (Recital 32).
  - Tell consumers why you are requesting their data and what it will be used for. If you use the data for purpose A and purpose B, say so in the consent statement, and if A matters more to you than B, offer separate consent controls so a consumer can agree to A without having to agree to B.
- Review and update your pseudonymous data collection methods, such as cookies or User IDs.
  - This data is usually collected for analytics, marketing or personalization via first-party HTTP cookies. An HTTP cookie is a small piece of data sent by a website and stored on the user’s device by the browser.
  - Online identifiers such as cookies are personal data under the GDPR (Article 4(1)), but they are not special-category data, so the heightened "explicit" consent of Article 9 does not apply to them. They still require consent that is freely given, specific, informed and unambiguous (Article 4(11)).
  - For consent to be unambiguous, data collection must depend on it: no analytics, advertising or personalization tag should set or read a cookie until after the user has consented. One way to accomplish this is a consent banner that includes:
    - An explanation of what data is collected, the specific purpose for which it is collected, and how that affects the user’s online experience.
    - An easy-to-find, easy-to-use control, including an opt-out choice, with language that explains how the choice affects the user’s ad experience.
- Confirm that any vendors you work with or tools you use that access your users’ data also abide by the GDPR.
  - Most large vendors (Google Analytics, MailChimp, Salesforce) have been taking steps to ensure compliance and publish a dedicated page or documentation section describing their measures.
  - If you use Google Analytics:
    - Review and accept Google’s updated Data Processing Amendment (GA 360 customers do this through their Sales Partner).
    - Review the updated data retention settings and choose the shortest retention period that still supports the user-level analysis you need, given your organization’s risk profile.
- Prepare a process for handling data subjects’ "right to be forgotten" (Article 17).
  - The right to erasure, or right to be forgotten, entitles data subjects to have their personal data deleted when they no longer want it processed and there is no legitimate reason for the controller to keep it.
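The cookie bullets above say that no tag should fire until the user has consented, and the consent bullets say consent should be granular per purpose. The following is an added example of how that gating can be built into a site's tag loading; it is not Adept's code nor any consent-management vendor's product. Tags register a loader under a purpose (analytics, marketing, personalization) and nothing runs until that purpose has been affirmatively granted against the current version of the banner text; a stored consent from older wording is ignored so a reworded banner re-prompts the user, and withdrawal clears the record. The class and function names, the purpose list, the version string, the in-memory store standing in for a first-party cookie, and the two tag loaders (stand-ins for real analytics and retargeting snippets) are all assumptions made for this example.

```javascript
// Added example (hypothetical names): a purpose-scoped consent gate.
// Tags never execute directly; they register a loader under a purpose and
// the gate runs it only once that purpose has been consented to.

const PURPOSES = Object.freeze(["analytics", "marketing", "personalization"]);
// Assumed: bump this whenever the banner wording changes, so old consents lapse.
const CONSENT_TEXT_VERSION = "2018-05-25.v1";

class ConsentGate {
  constructor(store, now = () => new Date().toISOString()) {
    this.store = store;          // { read(): record|null, write(record) }
    this.now = now;
    this.pending = new Map();    // purpose -> loaders waiting for consent
    this.fired = new Map();      // purpose -> loaders already run (audit trail)
    this.record = store.read();  // null on a first visit: no consent, no tags
  }

  // Called at page load for every tag. Runs the loader at once only if the
  // purpose is already consented; otherwise the loader waits in the queue.
  register(purpose, loader) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.isGranted(purpose)) return this._fire(purpose, loader);
    const queue = this.pending.get(purpose) || [];
    queue.push(loader);
    this.pending.set(purpose, queue);
    return false;
  }

  // A consent counts only if it was given against the current banner text and
  // the purpose was affirmatively ticked; nothing is ever granted by default.
  isGranted(purpose) {
    const r = this.record;
    return !!r && r.version === CONSENT_TEXT_VERSION && r.granted.includes(purpose);
  }

  // Called from the banner's submit handler with the purposes the user ticked.
  // Records the choice with a timestamp (to demonstrate consent later) and
  // releases the queued loaders for exactly those purposes.
  grant(purposes) {
    const granted = purposes.filter((p) => PURPOSES.includes(p));
    this.record = { version: CONSENT_TEXT_VERSION, granted, at: this.now() };
    this.store.write(this.record);
    for (const p of granted) {
      for (const loader of this.pending.get(p) || []) this._fire(p, loader);
      this.pending.delete(p);
    }
    return this.record;
  }

  // Withdrawing must be as easy as consenting: drop the record so that on the
  // next page load nothing fires until the user chooses again.
  withdraw() {
    this.record = null;
    this.store.write(null);
  }

  _fire(purpose, loader) {
    loader();
    const done = this.fired.get(purpose) || [];
    done.push(loader);
    this.fired.set(purpose, done);
    return true;
  }
}

// Constructed stand-in for a first-party cookie or localStorage entry so the
// example runs outside a browser.
function memoryStore() {
  let record = null;
  return { read: () => record, write: (r) => { record = r; } };
}

// Simulates one page view: tags register at load time, the banner choice (if
// any) arrives afterwards. Returns which tag loaders actually ran, in order.
function simulateVisit(store, choice) {
  const ran = [];
  const gate = new ConsentGate(store);
  gate.register("analytics", () => ran.push("ga-pageview"));          // stand-in
  gate.register("marketing", () => ran.push("ads-retargeting-pixel")); // stand-in
  if (choice) gate.grant(choice);
  return { ran, granted: gate.record ? gate.record.granted : [] };
}

if (typeof require !== "undefined" && require.main === module) {
  const store = memoryStore();
  console.log(simulateVisit(store, null));           // banner dismissed: nothing runs
  console.log(simulateVisit(store, ["analytics"]));  // analytics ticked: GA only
  console.log(simulateVisit(store, null));           // return visit: stored consent, GA only
}

if (typeof module !== "undefined") {
  module.exports = { ConsentGate, memoryStore, simulateVisit, PURPOSES, CONSENT_TEXT_VERSION };
}
```

In a real deployment the store would be a first-party cookie or localStorage entry and the loaders would be the vendor snippets themselves (the Google Analytics tag, a retargeting pixel); the point of the structure is that the vendor code is never on the page's critical path and cannot set a cookie before the choice is recorded.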
A general principle of the GDPR is that information should be collected in such a way that, once the interaction is complete, the consumer is surprised neither that you hold the information nor by what was obtained. Everything you collect should be relevant to, and no more than is needed for, the purpose it was collected for (purpose limitation and data minimisation, Article 5(1)(b) and (c)).
If you have any additional questions, or would like the name of an attorney that specializes in GDPR, please reach out to your Client Experience manager.