What is GDPR?
The General Data Protection Regulation (GDPR) is the EU's binding legislation for the protection of personal data. GDPR is driven by the need to tackle inconsistencies in the data security space throughout the European Union and the issues relating to the free flow of information between member states, while staying current with rapid developments in technology.
Why do we need GDPR?
Cyber attacks are prolific and will become even more so as the internet continues to mature, and as such protecting the identities and rights of people across borders is vital. The idea behind GDPR is to put control back in the hands of the very people whose data is being compromised. Even though the United Kingdom is going through the uncertainty of Brexit and its legal positioning, the UK remains subject to EU law and must be compliant with GDPR by 25th May 2018; failure to comply can result in a fine of 4% of an organisation's global turnover or 20 million Euros, whichever is higher.
What does GDPR mean in practice for brands and their digital marketing?
Well, like us, brands have a responsibility to ensure both their policies and practices are up to date with the GDPR legislation to protect consumers' rights. Yes, we get that, but what does it mean in practice? In reality each brand needs to map out its own business structures, processes, systems and controls, and work out all the touch points: what that data is, how it is processed and where it is located.
The very nature of cloud computing and global server structures means data will be located in many different locations, both within and outside the EU, and as such there will be huge dependencies on large media players like Google and Facebook. Brands need to understand, not in granular detail but broadly, what data these players process, how they are using consumer details in their business practices, and how consumers can remove themselves.
Many will have already noticed the key here legally is consent, and Google and Facebook already require consent when using their services, so in practice the effects of GDPR will probably be minimal to them - in fact, as their data is largely based in the United States of America, they have self-certified their compliance with the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield is an approved certification mechanism under Article 42 of the General Data Protection Regulation, which is permitted under Article 46(2)(f) of the General Data Protection Regulation. You can access the European Commission decision on the adequacy of the EU-U.S. Privacy Shield at: https://ec.europa.eu/info/law/law-topic/data-protection_en.
What does GDPR mean to your digital agency?
A digital marketing agency, like your brand, needs to be compliant in terms of how it conducts its affairs in relation to GDPR, by disclosing the data it holds on its customers and how it is processed across the business and its own marketing activities, involving the likes of re-marketing, display on GDN, using the Facebook pixel, web beacons and the like. In addition, it must disclose its business systems, where data is stored and transferred, for what reason and by what mechanism, and how that data can be removed if requested. All of this is initially activated by given consent.
But my digital marketing agency surely has a responsibility as they process our consumers' data through their services?
Yes, that is correct, to a point. Your digital agency has a responsibility to ensure it is compliant with GDPR for its own business affairs, but it is not responsible for your own GDPR compliance and business affairs. Fundamentally, your agency will be involved if they host or email data from websites, or if they are acquiring and processing data from third parties on your behalf. However, nine times out of ten, agencies don't host websites themselves; they rely on third party hosting providers, and as such they require compliance and policies from their providers.
Typically what will GDPR involve?
As a general overview it will involve how information is obtained, stored and used, and will involve the following:
- A data controller
- How information is obtained or collected:
  - when it is provided (e.g. by completing a form on a website, signing up to a newsletter, or emailing via a website or directly),
  - from use of a website, using cookies, web beacons or tracking code, and
  - occasionally from third parties.
- Information collected: name, contact details, payment information (e.g. credit or debit card details), IP address, information from cookies, information about the user's computer or device (e.g. device and browser type), information about how the user uses the website (e.g. which pages have been viewed, the time when they were viewed and what was clicked on), the geographical location from which the user accessed the website (based on IP address), company name or business name (if applicable), VAT number (if applicable), and any information entered in the free text fields about the requirements.
- How information is used: for administrative and business purposes (particularly to contact the user and process orders placed on the website), to improve the business and website, to fulfil contractual obligations, to advertise goods and services, to analyse website usage, and in connection with legal rights and obligations, to maintain information as a customer or prospective customer.
- Disclosure of information to third parties: only to the extent necessary to run a business, to third party service providers, to fulfil any contracts, where required by law or to enforce legal rights.
- Disclosure if information is sold
- How long information is retained: for no longer than necessary, taking into account any legal obligations (e.g. to maintain records for tax purposes), any other legal basis for using information (e.g. consent, performance of a contract with legitimate interests as a business) and additional factors.
- How information is secured: using appropriate technical and organisational measures such as storing information on secure servers, encrypting transfers of data between servers using Secure Sockets Layer (SSL) technology, encrypting payments using Secure Sockets Layer (SSL) technology, and only granting access to information where necessary.
- Transfers of information outside the European Economic Area: in certain circumstances information is transferred outside of the European Economic Area, where safeguards need to be in place, including encryption for data transfers outside the European Economic Area and the third parties who transfer information outside the European Economic Area must have self-certified themselves as compliant with the EU-U.S. Privacy Shield for example.
- Use of automated decision making and profiling: automated decision making and/or profiling in relation to a website, e.g. use of web analytics, cookies, web beacons or server log analysis tools (profiling), or using targeting cookies to display advertisements to people who visit a website on other websites around the internet, e.g. using the Google Display Network (automated decision making).
- Rights in relation to information:
  - to access information and to receive information about its use
  - to have information corrected and/or completed
  - to have information deleted
  - to restrict the use of information
  - to receive information in a portable format
  - to object to the use of information
  - to withdraw consent to the use of information
  - not to have significant decisions made about the user based solely on automated processing of their information, including profiling
  - to complain to a supervisory authority
So, having spent hours trying to understand the granular nature of GDPR and how it relates to a digital marketing agency and the relationship it has with its customers, the conclusion is simple. GDPR is actually not that complicated once the brand understands how its data needs to be communicated and managed. It is then a case of working with your digital agency to implement those policy changes to ensure compliance and good ongoing governance.