GDPR, What is the impact on Marketing?


The GDPR is going to have a great impact on your marketing organization. This is a summary of what you should be aware of as a marketer concerning the GDPR. You will have to leave the rest to your Data Officer and Legal Department, but this much you have to know:

Background of the GDPR

The EU will launch the General Data Protection Regulation in the EU on 25 May 2018. Every business needs to comply with this new regulation, and some requirements will be new and difficult to achieve for some companies. The main goal of the GDPR is to unify and strengthen data protection for individuals. It is unified because the GDPR will be launched in all of the EU countries, and strengthened by the fact that individuals have far more control over the data that is collected by companies and there are stricter protection rules.

Also, the regulation is for the rights of European Union residents, so countries outside the EU that deal with personal data of EU residents will also have to comply with the GDPR.

This regulation is 88 pages long and since you are here, I suspect you are not going to read that. Anyway, you can click here if you want to save it on your desktop just in case.

Here is a summary for you to get an idea of how GDPR can affect marketing as you are used to now.

Data protection by design and by default

This new regulation is twofold: the design part and the default part, both of which are explained in Article 25 of the GDPR. Let’s start with data protection by design:

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

In other words, data protection by design means that every new service, process or system that holds personal data must be fundamentally designed with data protection built in, such as pseudonymization (the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information).
In addition, new services, processes or systems must be designed to use the minimal data necessary (data minimization).

By default:

The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

Data protection by default means that personal data is, by default, not made accessible. For example, on social media personal data must by default be set to private and not be accessible to other persons.


You need to have a clear purpose for storing personal data. The data needs to be adequate, relevant and limited to what is necessary for the purposes for which it is processed. The burden of proof lies with the organization that stores the data. And customer data is contextual, meaning that an email address gained for product A cannot also be used for product B. That means you cannot just save any data you’d like. When you think of gaining new data for your CRM system, briefings to IT will be a lot more elaborate than now, to ensure that storing that data is GDPR compliant.

Right to erasure

A subject has the right to request erasure of personal data. Make sure that you keep some proof of erasing that data and save the request of that subject, for example, the email in which it is requested.

Article 17: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies…

Right to access and Data portability

A person must be able to retrieve personal data without mediation of the organization. So, that will be some kind of portal where the customer can get all of his or her personal data. Sufficiently anonymized data is excluded. Also, it must be possible for the organization to transfer data from one company to another, for example when you want to switch your cable company.


Consent should not be new to a marketer. There are a lot of articles written in the GDPR on consent.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement

Also remember:

If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Make sure you offer consent and that the form is GDPR compliant. If you want to know more about consent, here is a complete article explaining everything just mentioned on consent and much more.

Data Protection Officers

Any large organization must appoint a Data Protection Officer, who is responsible for compliance with the regulation. So this doesn’t apply to small and medium-sized enterprises. That means a marketer’s requests for data enrichment, or other data-related requests, will go via the new Data Protection Officer and will be far more elaborate than now.

Data Breach

A breach of security that involves personal data must be reported within 72 hours. For more on personal data breaches and how to report them, click here. If a customer sends you an email on Friday saying “I just saw my data online!”, do not leave this for Monday. Immediately send it to the legal department and data officer and mention the obligation to report data breaches.


There will be a lot more new regulations on profiling. The GDPR defines profiling in Article 4 as:

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Then there are some articles with restrictions on profiling. Let’s start with Article 22:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Sounds scary and all, but as long as you are not using profiled data for decisions with legal consequences for your customers, like calculating insurance premiums using algorithms, there won’t be a problem here.

Profiling is named in many other articles. I will name two articles in particular: the right to object and the right to access data. In both cases, profiling also plays a role. That means that for the right to access personal data, you will also need to provide all the profiled data you have on a subject.

There is a lot more to talk about, but these are the biggest differences that will have an impact on marketing. You might have noticed that a lot of these regulations closely resemble the current regulation. So if you are keeping strictly to the regulation now, being GDPR compliant should not scare you. If this is not the case, then you should take action, because fines are going to be higher and there will be more surveillance and audits.
