The General Data Protection Regulation (GDPR) deadline is fast approaching on May 25th. This European legislation will have a big impact on the way marketers globally process and handle personal data of EU citizens.
Our blog series will educate you on GDPR, give you instructions on how to be compliant and avoid the massive fines which can now be leveled at all companies who fail to comply.
Read on if you want a no-nonsense explanation of GDPR, to learn the latest rights of your customers and the responsibilities of your business.
Don’t feel like reading? We’ve got a video overview of GDPR for you as well.
A Brief History of GDPR
Published in April of 2016, GDPR replaces the 1995 European Union Data Protection Directive. Because of the proliferation of the digital economy along with the explosive growth of mobile technologies, the old Data Directive has been deemed no longer relevant.
It’s important to acknowledge GDPR is not a directive, which is a legislative act that sets out—in a somewhat abstract form—the general goals to be achieved by EU member states through national legislation.
The member states would have a great deal of freedom in deciding how to transpose a given directive into national law; introducing the potential of divergences between the relevant national laws and the directive, which is the case with the Data Protection Directive from 1995.
In comparison, GDPR is a regulation, a legislative binding act for all EU member states without requiring national legislation to be implemented. Therefore, GDPR guarantees a higher level of harmonization across the EU.
GDPR is meant to not only strengthen the privacy rights of individuals but also to hold those who use the data of the individuals responsible and accountable in a meaningful way.
In a nutshell, GDPR imposes new, stricter regulations on organizations targeting EU citizens. This will impact marketers by enforcing significantly larger fines for the abuse of personal data that is stored, processed, or transmitted—wherever that happens.
In this blog series, we will explore critical parts of the new regulation to help brands understand what to do now, tomorrow, and over the next few months in the lead up to May.
What Is GDPR?
GDPR is intended to protect the personal data of any data subject. Personal data is any direct or indirect information related to an identified or identifiable “natural person,” including identifiers such as physical, physiological, genetic, mental, or location data (e.g. geo-IP) or the economic, cultural, or social identity of a natural person.
The regulation defines and applies to two types of entities: a data controller and a data processor. A data controller is an organization that determines the purpose and means of processing personal data. A data processor is an organization that works for the data controller to process personal data on a controller’s behalf.
For example, if Nestle were to sell chocolates to consumers and use Iterable to track consumer engagement activities, Nestle becomes the data controller, and Iterable becomes the data processor.
The European Commission has written the regulation to reinforce accountability while expanding the scope of coverage to include not only all 28-EU members but those who process data of any data subject residing within those member states.
This means that GDPR applies to businesses that control and process the data of individuals residing in the EU even if that organization itself does not operate inside the EU.
The GDPR was published in 2016 with a two-year grace period to allow businesses within the EU to become compliant. Its rollout in May of this year will come with some striking implications for growth marketing in the way we use data.
What is clear is that we will continue to face some degree of uncertainty until the regulation becomes applicable to learn how effective the EU regulators will be or if there will be surprises.
As marketers, we embrace awareness, vigilance, and the pre-planning opportunities that GDPR brings to the plate, and nowhere does that ring truer than in growth marketing. Technology and innovation changes notwithstanding, growth marketing in 2018 will continue to look the same as in years before.
To get started understanding how GDPR affects your business, let’s look at what we know.
There are three central themes to GDPR: the general principles, a data subject’s rights, and the responsibilities of the data controller and data processor.
The GDPR consists of key general principles that every marketer should know:
- When processing a subject’s data, the activity needs to be conducted lawfully, fairly, and transparently.
- Data controllers and processors should use the data per the data subject’s expectations.
- Data controllers and processors must maintain a minimally required data set to conduct business activities. A defensible deletion strategy for data minimization is a good idea, not only it helps with data accuracy (less is more), but also helps with the data confidentiality since you cannot lose it if you don’t have it.
- Data controllers and processors must ensure the accuracy of the subject’s data.
- Once the data of a subject is not required, the data controller and processors must purge the data.
Per GDPR, data subjects have specific rights over their data:
- To inquire what the data controller will do with their data.
- To request, at any time, a copy of the data that a controller or processor stores on them. You must be able to export the data subject’s personal data and provide it to them. This means data subject portability is a crucial factor. While the data portability requirement does not seem to indicate if a standard format is required, we can deduce it must be machine-readable.
- To understand the business justification for why a data controller may be storing the data, and how long it may keep it.
- To have corrected by data controllers any inaccuracies a data subject points out
- To request their data to be erased. This by far the most misunderstood requirement. The so-called “right to be forgotten” is not an absolute right. In some cases, such as when a data subject has taken a loan from a bank, they cannot request to be forgotten. However, if you are not fulfilling a statutory obligation, the data subject can require their data be removed.
Consent is not the only necessary means to justify data collection and processing for data-driven growth marketing. The notion that marketers need to obtain permission for personalized or targeted marketing is impractical and unnecessary in the consent collection and preservation at a large scale, which may be moot for many organizations.
More importantly, marketers need to develop an understanding of what’s considered sufficient and legitimate interests in addition to where the limits are.
In the context of legitimate interest, the marketing campaign parameters define where there is reasonable interest and when there is a need for consent. You should consider:
- If the data processing is consistent with the initial purpose of the collected data;
- Or was the extent of the data processing reflected in the notices in full?
- Could the data processing activity result in an unexpected outcome causing prejudice to the consumer?
In many scenarios, under GDPR, growth marketing efforts will continue to be unhindered, with no barriers to personalization and advanced forms of advanced data processing, such as machine learning.
However, data protection and management compliance will remain a burden for many organizations. Meaning, the means to provide audit records of when, why, and where data is collected and how it is used must be aligned with the initial purpose of the data collected. The challenge of how organizations record and manage data requires extensive architectural and data management considerations.
The responsibilities of data controllers and data processors are covered in 20 articles, only three of which are about security. The most important responsibilities include:
- Ensure accountability by demonstrating compliance. This means establishing a proper governance and policies framework that is repeatable and thorough.
- Ensure data protection and privacy by design. Meaning, when you procure or design a system, you have to ensure the appropriate privacy controls are a part of the system.
- Perform vendor due diligence of any third-party processor. Part of your diligence process should include the necessary contractual requirements.
- If your organization employs over 250 people, or stores certain types of data, maintain an audit trail of processing that is accessible by the regulators at any time.
- In a data breach scenario, disclose it to your local regulator and all data subjects within 72 hours. Every EU member country has a data protection regulator. In France, for example, it is the Commission Nationale de l’informatique et des libertés (CNIL).
Iterable’s GDPR Compliance
Implementing the necessary GDPR strategy is key. As a data processor, Iterable has and continues to revamp its security and privacy program, to ensure alignment with GDPR governance.
Additionally, a Data Protection Impact Assessment (DPIA) is in place to identify third-party vendors who store, transmit, or process data for Iterable, to ensure compliance as a data controller.
Lastly, Iterable’s API provides the necessary calls to accommodate data controller and subject requests, such as erasure, export of events, and any modification of subject personal data.
Iterable is working with a multitude of experts to educate our audience on the nuances of GDPR. Elena Elkina, Partner at Aleada Consulting, explained the need for urgency:
“If your company does not need to comply with the EU Directive that the GDPR will replace in May 2018, it is most likely that it will change and you will need to build your GDPR compliance program. If you still have not done anything around the GDPR, it is time to get your assessment done.”
GDPR isn’t designed to prevent businesses from communicating with their customers; rather it improves data quality by diving deeper into the needs of prospects and customers.
Brands will need to develop an understanding of what sufficient and legitimate interests are important to their customers. The months leading up to the May 2018 GDPR deadline are set to be challenging for businesses across the world.
“However, we encourage you to look at the GDPR as a business opportunity for innovation, transparency, and data protection. Privacy sells! Companies who realize that will be rewarded,” added Elkina.
Stay Tuned for More on GDPR
In our next blog post, we will address GDPR assessment best practices and how marketers can drive revenue and growth through compliance. If you have any questions or concerns related to GDPR, please reach out to us at compliance@deviterable.wpengine.com. We’d be happy to help!