Disclaimer: The information in this blog is provided for general informational purposes only. No information contained within should be construed as legal advice from Verticurl, nor is it intended to be a substitute for legal counsel on the subject matter.
This part covers the impact of GDPR, specifically on marketing organizations.
GDPR implications can be covered under two major categories:
- Category 1 - how do you define a unique person and what information do you collect about them
- Category 2 - how do you acquire their data and what do you do with that data
Most earlier data privacy rules have treated the email address as the unique identifier, and hence most data acquisition and management processes have defined a unique person as an email ID. GDPR is much more comprehensive about the definition of a unique person. Under GDPR, any data, or combination of data, that uniquely identifies an individual is personal data about a person covered by this law. Some examples are:
- Postal area code + gender
- Loyalty membership ID
- Activity or transaction history, if it identifies a person uniquely
Each of these could uniquely identify a person, so each of these data points is considered personal data and is covered under GDPR. GDPR also distinguishes the types of data you collect and asks for extra precautions around any sensitive information about a person, such as religious, political, health or sexual details.
GDPR also asks for extra care for children/minors who are below the age of 16.
Until now, most data protection laws have only looked at the data acquisition part. GDPR focuses not just on data acquisition but also on data management practices.
Data acquisition: a person must provide an explicit opt-in before they can be considered contactable. This is equivalent to the industry definition of double opt-in. However, the rule goes further: it must be followed through every channel, including physical channels like events. Also, the opt-in statement must explicitly tell the person what the collected data will be used for. It needs to be as specific as possible, and the person must be able to access the service without having to provide their opt-in. Lastly, as an organization, you need to record when and why you acquired that permission, and re-acquire permission once that purpose has ended.
Data management: GDPR gives users much more control over the data an organization holds about them. They can request that the organization provide all data it might have about them. They can request that their data not be processed, which means the organization has to exclude them from any targeted or segmented campaigns that single them out, potentially including activities like remarketing, lead-scoring based campaigns, etc. They can also ask the organization to provide all their activity data to a rival service provider. Lastly, they have the right to request that any data the organization holds about them be deleted.
GDPR also puts in some rules about the processes that the organization has to put in place to handle and process the data more securely:
- Document all data-related processes.
- Appoint a data protection officer, who will monitor all these processes and documentation and also train the organization about GDPR.
- Use data masking steps such as anonymization and pseudonymization to limit the damage of any data leakage.
- In case of a data leakage, inform the authorities within 72 hours. Depending on the severity and extent of the leakage, the organization might have to inform all affected people as well.
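The quasi-identifier examples above (postal code + gender) and the pseudonymization rule can be made concrete. This is an added Python example, not code from the original post or from Verticurl; the records and the HMAC key are constructed for illustration, and truncating postal codes is one assumed, k-anonymity-style way to stop a combination of fields from singling out a person.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people): a loyalty membership ID as the
# direct identifier, plus postal code and gender as quasi-identifiers.
RECORDS = [
    {"member_id": "M-1001", "postal": "10115", "gender": "F"},
    {"member_id": "M-1002", "postal": "10117", "gender": "F"},
    {"member_id": "M-1003", "postal": "10119", "gender": "M"},
    {"member_id": "M-1004", "postal": "10121", "gender": "M"},
    {"member_id": "M-1005", "postal": "80331", "gender": "F"},
    {"member_id": "M-1006", "postal": "80333", "gender": "F"},
]
QUASI = ("postal", "gender")
# Assumed: in a real system the key lives in a secrets store, apart from the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def singletons(records, fields=QUASI):
    """Return the quasi-identifier combinations that occur exactly once.
    Each such combination points at one person, which is why postal code +
    gender counts as personal data even without a name or email."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return {combo for combo, n in counts.items() if n == 1}


def pseudonymize(record, key=DEMO_KEY):
    """Replace the direct identifier with a keyed HMAC token. The token is
    stable (the same member maps to the same token, so campaigns still work)
    but cannot be reversed or recomputed without the key."""
    token = hmac.new(key, record["member_id"].encode(), hashlib.sha256).hexdigest()
    return {"pseudonym": token[:16], **{f: record[f] for f in QUASI}}


def generalize(records, min_group=2):
    """Coarsen postal codes one digit at a time until every (postal, gender)
    combination is shared by at least min_group records, so no single record
    is identifiable from the quasi-identifiers alone."""
    rows = [dict(r) for r in records]
    while any(r["postal"] for r in rows):
        groups = Counter((r["postal"], r["gender"]) for r in rows)
        if min(groups.values()) >= min_group:
            break
        for r in rows:
            r["postal"] = r["postal"][:-1]
    return rows


def release_dataset(records=RECORDS):
    # Pseudonymized and generalized view suitable for analytics or segmentation.
    return generalize([pseudonymize(r) for r in records])
```

On the sample data every full (postal, gender) pair is a singleton, so the released view keeps only the three-digit postal prefix, at which point each combination covers at least two records.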
As you can see from the above list, GDPR is much more comprehensive than any previous data protection law. Companies therefore need a plan to become GDPR compliant.