Marketers, Are You Down with GDPR?

GDPR, how can we explain it?

Bridgeline will take it, term by term,

To have y’all all jumpin’, shoutin’, sayin’ it!

G is for “gargantuan”.

D, well, that’s for data,

P is for “protection”, the last one

R, well, that’s not that simple… “regulation”!

That’s right, a regulation that will be enforced beginning May 25, 2018. (Oh, and the G is actually for “general”, but with a regulation that runs 151 pages as published in the Official Journal of the European Union, contains 172 whereas provisions, is comprised of 65 Articles in the base of the legislation, and has at least a gazillion terms, let’s call it what it really is: gargantuan data protection regulation!)

Let’s break it down: if you market to or process the information of European Union (EU) citizens a/k/a Data Subjects – which includes end users and customers – you need to know the fundamental terms we’ve identified. As a regulation it seems we gotta start to explainin' (but we ain’t dishin’ legal advice).

The General Data Protection Regulation (GDPR, for short) is bringing an expectation to provide uniformity or a baseline for the European Union (EU) and its member states to increase transparency around data information to its naturalized persons and heighten data security. As we discussed in our prior blog post, the GDPR is applicable not only to EU naturalized persons and companies but also to companies that offer goods or services to EU citizens. In just a couple of weeks people in the EU will also have greater control over their data. The GDPR contains enough terminology to make even the most seasoned marketer’s head spin. Luckily, we’ve identified the pieces of GDPR terminology that are essential for every marketer to understand – read on and get down with it!

1. Data Subject

A Data Subject is a natural person whose personal data is processed by a controller and/or a processor. Knowing who is “protected” under the GDPR is important as we walk through the other pertinent terms contained in the GDPR. Marketers, let’s keep going!

2. Personal Data

Personal data includes names, addresses, health information, racial or ethnic data, sexual orientation, political views – anything that personally identifies a consumer either alone or in combination with other data elements. This greatly expands the US notion of personally identifiable information.

3. Pseudonymous Data

While it may seem self-explanatory, anonymous data (or data not tied back to a specific person) is not protected under the GDPR. Pseudonymous Data – data that cannot be attributed to a specific Data Subject without additional information – isn’t exempt from the GDPR, but it would be wise to adopt the pseudonymization process to better prepare for compliance. An example of this is encrypted data. Data that has been “de-identified” may actually be pseudonymous. This is one of the easiest ways to ensure GDPR compliance, but be ready to get buy-in from your IT folks – you need them and it can be done.

4. Right to Erasure

One of the more progressive Articles in the GDPR is the “Right to Erasure” or “Right to be Forgotten.” This Article gives consumers the right to have their information removed at any time. Given the amount of incorrect data floating around social media sites and the like, this could benefit the accuracy of your marketing data and better-qualify your campaigns.

5. Increased Territorial Scope

Simply put, this means that regardless of a company’s geographical location, if you process or control the Personal Data of – or market to – consumers in the EU, you must abide by the new data privacy regulations.

6. Consumer Consent

Say “goodbye” to the days of pre-selected opt-ins. When a consumer submits their email address for a whitepaper or video download, the GDPR states that the consumer must be aware, in plain terms, of the exact purpose that email address will be used for and not a single thing extra (other purposes = another consent). Further, a company must be able to prove consent and how it was obtained. Email marketers may be shaking in their boots over this one, but have no fear! Complying with this requirement means we’re talking about more engaged audiences and an increased likelihood of conversions.

7. Data Protection Officer

Under the GDPR, every enterprise must have a designated Data Protection Officer (DPO). The DPO is responsible for an organizational data protection strategy and policy, conducting regular privacy audits with autonomy, generating reports for upper management and other GDPR-related tasks. A DPO also acts as a primary point of contact for Data Subjects to make inquiries. A DPO can be an internally appointed employee, a new hire with legal experience and technical acumen, or your company may elect to hire or use a third party. Who is your DPO?

8. Data Controller

A Data Controller is a person or company that decides on how to use personal data now or in the future. Sales and marketing are often the primary actors in data control for a company. Data Controllers also instruct Data Processors as to how this data should be processed. Marketers should work closely with Data Controllers in assessing your vendors, especially open source, to determine if Personal Data is being collected and stored there for your business, and instruct those Data Processors in a lawful manner.

9. Data Processor

A Data Processor processes data on behalf of Data Controllers, including collecting, recording, modifying and storing personal data. Common examples are cloud storage providers, marketing automation platforms, accountants and payroll entities. Data Processors must only act as instructed by the Data Controller and they too must have policies and procedures in place to support their compliance with your instructions and GDPR.

10. Legitimate Interest

With legitimate interest, marketers must continuously think about what is lawful and what is not lawful. This means obtaining and documenting consent must be performed. This may be one of the most important items a marketer needs to focus on when it comes to complying with the GDPR.

Marketers (and others), make certain you commit, at a minimum, these 10 terms to your vocabulary by May 25th, and you will find yourself better prepared for the GDPR. Are there GDPR terms that you’ve come across that you think we should include here? Let us know in the comments below!

Exciting isn't it, a special kinda business,

When GDPR comes, damn – skippy I'm with it.

It’s 4 little letters that you’ve got to get down with – GDPR!

You down with GDPR? Yeah you know it!

Who's down with GDPR? Every last homie!

Comments

Just a small correction on number 10 - legitimate interest is a lawful basis for processing that is separate from the use of consent. So if you are relying on legitimate interest for a specific processing, then you probably wouldn't also be capturing consent. Rob from Clarip (consent management software)
