What is the GDPR?
The General Data Protection Regulation (GDPR) has been put together to protect the privacy and data of EU citizens. It replaces the Data Protection Directive 95/46/EC and aims to harmonise and broaden the reach of EU data protection law across Europe.
In May 2018, the GDPR significantly changed the landscape for many marketers; specifically, it changed the way data is collected, processed and used, while providing marketers with a framework for innovation and growth.
The GDPR brings about legislative change that asserts that data belongs not to a business but the individual. The new regulation aims to give people greater control over the collection and use of their data.
Why was the GDPR needed?
The EU Commission published the first GDPR text in January 2012.
The Commission wanted to update data protection law because there had been huge technological advances since the 1995 Data Protection Directive, particularly in the marketing sector.
The law needed to consider new technological developments, consumer data proliferation, and changing consumer attitudes and expectations.
Until the GDPR came into force, data protection standards still varied across the EU. The new law harmonises member states’ data protection laws because, as a regulation, it applies directly without needing separate national legislation.
What was the DMA’s role in the GDPR?
The DMA represented the interests of the marketing industry while the GDPR was being debated in Brussels, working to ensure a fair balance between the customer’s right to privacy and the legitimate interests of business.
In collaboration with the Advertising Association and other marketing trade associations, including FEDMA in Brussels, the work of the DMA helped achieve a more balanced final regulation compared to early drafts from the European Commission and the European Parliament.
For example, the DMA advocated that the legislation should recognise a business’s legitimate interests alongside the customer’s right to privacy and have direct marketing recognised among legitimate interests for processing personal data in Recital 47.
What is the structure of the GDPR text?
- The GDPR text is a lengthy document divided into articles covering specific issues.
- The text also has explanations of the articles, known as recitals.
- The articles and the recitals need to be taken into account to get a complete picture of the law.
- The letter of the law is made up of 99 articles and 173 recitals.
What about the role of consumer attitudes to data?
The GDPR is written in a more EU citizen-centric way than any of the data protection laws before it.
That said, recent research has suggested that there are varying opinions on data privacy, and these have been grouped into three distinct segments: pragmatists, fundamentalists and those not concerned.
The GDPR directly affects the processing of personal data of EU citizens resident in the EU, including those in the UK.
The processing of any personal data belonging to EU citizens or others resident in the EU is subjected to the GDPR rules no matter where the data is stored or processed – this is known as the territorial scope.
This means organisations processing personal data about customers resident in the EU need to abide by the law. Suppose a non-EU based organisation is offering goods or services to individuals in the EU or monitoring the behaviour of individuals residing in the EU. In that case, the law applies to them, too.
For organisations established in the EU, the GDPR always applies.
For those who are non-EU establishments, there are certain conditions for the GDPR to be triggered.
Processing activities must be related to:
- Offering goods or services, irrespective of whether a payment is required, to such individuals in the Union
- The monitoring of their behaviour, as far as their behaviour takes place within the Union.
The GDPR also expands the scope of data protection legislation. The previous legislation only applied to data controllers, usually the brands or agencies with a relationship with the customer. Data processors, those that provide services for the brand or agency, now also have obligations under the GDPR.
The principles of accountability:
The principle of accountability under the GDPR is about demonstrating compliance with all of the GDPR’s principles.
Carrying out a Data Protection Impact Assessment (DPIA) or employing a Data Protection Officer (DPO) are tools you can use to evidence your compliance. These measures are important to implementing the regulation successfully.
The GDPR is principle-based, but much of it has a risk-based approach. Effective risk assessment is an important part of successful compliance.
The mitigations that you use must be appropriate to the risk to that data. Several tools in the GDPR will help you ensure that privacy risks are mitigated as much as possible and that you are able to evidence your compliance:
- Privacy by design
- Privacy impact assessments
- Breach notification
- Data protection officers
- Data security
(See Articles 5, 25, 30 and 35 of the GDPR text for further information)
Accountability is a core principle. The GDPR asks companies to be accountable for their own decisions on how they collect and use personal data and have records and evidence of the decisions they made and how they made them. Companies need to be clear about why they need the data, what they are going to use it for, how they will keep it secure and the legal basis they are using to process the data.
Accountability applies to everyone in the organisation. The company is responsible for what it does with its customers’ data and has to consider the customer’s right to privacy when developing new products, services or marketing campaigns.
What is Consent:
The definition of consent was very contentious as the GDPR text was being written. Finally, the word “explicit” was removed from the definition, and the word “unambiguous” replaced it.
The GDPR says: “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
A clear affirmative action could include:
- Ticking a box when visiting a website
- Choosing technical settings. For example, altering your privacy settings in your internet browser could be a valid consent mechanism, providing all the consent requirements were met
- Any other statement or conduct which clearly indicates acceptance
Consent does not include:
- Pre-ticked boxes
The right to object:
A new requirement under the GDPR is that the right to object must be brought to the data subject’s attention clearly and explicitly at the time their data is collected or in the first communication made to them.
A full list of rights is as follows:
- The right to be informed – to know what happens to their information
- The right of access – exercised through what is known as a Subject Access Request (SAR)
- The right to rectification – data should be kept accurate
- The right to erasure – the right to have data deleted / to be forgotten
- The right to restrict processing – where the data subject believes the data is inaccurate or requires it for legal claims, or believes the processing is unlawful or is challenging the data controller’s legitimate interests
- The right to data portability – to transfer data from one supplier to another
- The right to object – to stop data from being processed
- Rights in relation to automated decision making and profiling – not to be profiled, or to have a human rather than a machine make the decision.
At first glance, the GDPR can be seen as a hindrance to marketing activities. Still, a closer examination of the regulation reveals that it allows marketers to build more transparent and meaningful relationships with their customers.
The GDPR mirrors the DMA’s long-held view about the need to place the customer at the heart of everything we do and echoes our commitment to a code that enshrines five key principles which marketers should follow:
- Put your customer first
- Respect privacy and meet your customers’ expectations
- Be honest, be fair, be transparent
- Exercise diligence with data
- Take responsibility, be accountable.
Out of the six legal bases on which an organisation can process an individual’s data, two closely apply to marketing activities: legitimate interests, in certain circumstances, and consent.
Consent, the more obvious choice for marketing activity, gives the GDPR its poor reputation in our industry. Still, the DMA has established vital building blocks within the new regulations that will safeguard the interests of marketers.
This has been made possible mainly by our advocacy for direct marketing to be carried out under legitimate interests, thus opening up more opportunities to build and strengthen relationships with customers.