GDPR is like an overloaded puzzle. It is difficult to make sense of its endless rules and to figure out which of them matter to marketers. This article is intended to decode the 99 articles and 173 recitals of GDPR for marketers, and to guide them through the steps to follow to ensure GDPR compliance across the marketing spectrum. At the end of the article, I have listed the documents I referred to while preparing this piece, which you can use for further reading.
Scope of GDPR
It is important to understand to whom and where GDPR applies. The rule outlines this through material scope and territorial scope.
Material scope: The regulation states that GDPR applies to all automated and non-automated processing of personal data. Under GDPR, the individual is the owner of the data, and hence his/her consent is required for anyone to process it.
Territorial scope: This regulation states that the law applies to processing of personal data of an individual in the European Union (EU), irrespective of whether the processing takes place inside or outside the union.
To better understand the scope, let us look at a few examples where GDPR would apply.
- US company without any EU subsidiaries offering free social media services via a website hosted in the US to individuals in the EU.
- Singaporean hotel booking business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific hotel ads to them.
- Chinese flower delivery company allowing data subjects in the EU to place orders for fulfillment only in China.
- Australian retailer with a website for orders/deliveries. The website is accessible to individuals in the EU in English. The currency is the Australian dollar and the address fields only allow Australian addresses.
Some basic definitions
Before we get into what businesses need to do to ensure compliance, it is useful to look at some of the basic definitions.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Since the definition includes ‘any information’, personally identifiable information (PII) should be interpreted as broadly as possible. There are also a few special categories of data, defined in Articles 9 and 10 of the GDPR, which may be processed only with explicit consent (and not on the basis of legitimate interests). Special categories of data are defined as data concerning:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health or sex life
- Sexual orientation
A controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
6 legal bases for processing personal data
There are six legal grounds based on which any entity is allowed to process personal data. They are as follows:
- Consent – The data subject has given permission for the organization to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so organizations need to be careful when using consent as their legal basis. For example, GDPR brings the era of pre-ticked consent boxes to an end.
- Performance of a Contract – Self-explanatory, right? The data processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, then that data processing activity needs to be covered by a different legal basis.
- Legitimate Interest – This is a processing activity that a data subject would normally expect an organization holding his or her personal data to carry out, such as marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.
- Vital Interest – A rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.
- Legal Requirement – The processing activity is necessary to meet a legal obligation, such as information security, employment or consumer transaction law.
- Public Interest – A processing activity carried out by a government entity or by an organization acting on behalf of a government entity.
Marketers are most likely to rely on consent and legitimate interests for data processing. However, legitimate interests do not give the data controller a right to override the interests of the data subject.
Rights of the data subject
As mentioned earlier, the individual or data subject owns his/her data. Following are the four broad categories of rights a data subject has:
- Transparency and modalities: the data subject shall be provided with details related to personal data processing in a concise, intelligible and easily accessible form.
- Information and access to personal data: the data subject should be informed about, and given access to, his/her personal data both where the data are collected from the data subject directly and where they are obtained from another source.
- Right of rectification and erasure: the data subject possesses the right to modify or delete any personal data related to him/her.
- Right to object and automated decision making: the data subject has the right to prevent any manual or automated processing of personal data relating to him/her.
You could have a look at articles 12-22 of the GDPR text to learn in detail about the rights of the data subject.
Steps to be taken to ensure GDPR compliance
Organizations could be penalized up to €20m or 4% of annual worldwide turnover, whichever is greater, if they do not comply with GDPR. Hence it is important to take steps – technical and organizational – to create an ecosystem that supports compliance. Here I am not going to cover how to change your technology landscape to achieve this. Rather, I will look at the measures that help form your GDPR strategy as an organization (from a marketing standpoint) and as individual marketers, on the basis of which you can build and modify your tools and technologies.
‘To dos’ for the marketing organization
- Appointing a DPO: It is mandatory for organizations to have a Data Protection Officer (DPO), either internally or as an external entity that acts as DPO on behalf of the organization. The DPO’s contact details should be easily available so that anyone can report a data breach or share any other relevant information. (The DPO may be common for the whole company, but it is recommended to have a dedicated person handle GDPR within the marketing organization.)
- Conducting a Data Privacy Impact Assessment (DPIA): It is the responsibility of the DPO to conduct a DPIA, which helps you systematically analyze, identify and minimize the data protection risks of a project or plan. Failure to conduct a DPIA may result in a fine of up to €10 million, or 2% of global annual turnover, whichever is higher.
- Maintain Records of Processing Activities (RoPA): The controller needs to maintain details of all the channels through which it collects personal data from data subjects. The RoPA document should contain details such as how data is processed, who processes it and with whom it is shared.
- Report in case of a data breach: If a data breach occurs, the organization is obliged to inform the relevant supervisory authority within 72 hours of the breach.
- Carry out Legitimate Interest Assessment (LIA): GDPR does not mandate an LIA. However, it is recommended as a best practice. Conducting an LIA helps you to think clearly and sensibly about your processing and the impact it could have on the individual. Recording your LIA also helps you demonstrate compliance with the principles and appropriate organizational measures in line with your accountability obligations under Articles 5(2) and 24 of the GDPR.
- Signing a Data Processing Agreement (DPA) with vendors and partners: It is a best practice to establish a DPA with vendors and partners who will (or might) process personal data concerning your data subjects. This will help ensure that your partners/vendors also have necessary measures in place to comply with GDPR rules.
- Maintain any other required documents: This would include maintaining any other documentation required to prove measures implemented across your organization in order to comply with all relevant rules in GDPR (please have a look at the list of mandatory documents given in the reference section at the end of this article).
Templates are easily available online for all the documents (such as DPIA, LIA, RoPA, DPA) mentioned above. Irrespective of which one you use, the objective is to be able to demonstrate GDPR compliance whenever required.
‘To dos’ for marketers
While an organization or team can create an ecosystem that ensures compliance, individual marketers also have certain obligations to make sure that the organization is not penalized for any action against the rules of the regulation.
- Things to take care of when sending emails: When sending emails, you need to ensure that you include an option for users to opt out of (or unsubscribe from) your campaigns/emails. It is recommended to use an opt-out link rather than a statement (which would require the user to write to you to opt out). The link should be easily visible. Most email or marketing automation tools have a system check to ensure that you have included the link before you send out an email. It is also good practice to mention the name and address of your organization (as mandated by CAN-SPAM email laws) so that the user can identify the company.
- Sending emails to contacts who have not given clear consent: Businesses are allowed to use personally identifiable information even when there is no clear consent if the purpose constitutes a legitimate interest of the business, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. However, you must make sure that the opt-out option is clearly stated in all communications sent to such users.
- Informing the DPO or concerned person in case of a data breach, erasure or rectification request: There could be scenarios where people (often the recipient of an email from you) reach out to you requesting that their data be removed from or edited in your database. Or they might want to bring to your notice that a data breach has happened. In such cases, you are required to inform the Data Protection Officer (or whoever manages GDPR in your team or organization) so that he/she can take the necessary actions.
As mentioned at the beginning, GDPR is a vast topic. While this article can help you get started, I would always recommend further reading to develop an understanding of the regulation so that you can apply it to your business context. The ultimate objective is for you to have processes and mechanisms in place that allow you to ensure and demonstrate GDPR compliance.
Following is the list of references you could use for further reading. Also, please feel free to leave a comment about how your organization has prepared to comply with GDPR, or even if you have a query.
- GDPR full text
- GDPR essentials for marketers
- Comparison of GDPR, DPA, PECR, and ePrivacy rules
- List of mandatory documents for GDPR