The new General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and we hope that as a Marketing professional you have already heard about it.
This new regulation will have a great impact on the way in which specialists in this sector approach their work and how organisations obtain, store, manage or process the personal data of residents in the EU.
In this article, we will give some specific examples of what will change, the new habits that you must adopt and the 10 fundamental aspects that you must be aware of as a good marketer.
This post is also available in Spanish.
The GDPR legislation on privacy and data protection was approved in April 2016 and will be officially applied as of 25 May 2018, by modernising European data regulation to reflect how companies use and collect data today.
Basically, GDPR tries to provide the best practices in data management and compliance, designed to strengthen peoples’ rights and to create better transparency and control by companies.
There are two fundamental issues of the Regulation that we would like to highlight. First of all, even if a company is established outside the EU, the GDPR will apply to it if it controls or processes the personal data of people who are in the EU, for example by offering them goods or services or by monitoring their behaviour.
Secondly, the possible sanctions for infringing the GDPR will be significant. Depending on the type of infringement, companies can face fines of up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher, so companies cannot afford to ignore this regulation.
“The protection of natural persons in relation to the processing of personal data is a fundamental right.” This is how the GDPR begins. In practice, this means a massive reform of the current panorama where the digital monitoring of our lives is widespread, which often happens without our full consent.
For marketers, information is the key to executing successful campaigns and actions. It helps them recognise those interested in their product or service and address them with the right content. But it is also your responsibility to legally use and store data that is offered to you.
Until the mid-1990s, Marketing focused mainly on lists of intermediaries or on the after-sales experience. It was very focused and dependent on the active acceptance of customers to participate through point clubs or discount coupons, for example.
With the arrival of the Internet, Marketing expanded. The network made it possible to track and exploit volumes of data on a scale that neither marketers nor consumers could have conceived years earlier.
But nowadays, the concern about privacy and fatigue due to the excessive “noise” is growing, which has led the European authorities to set out this regulation. Thus, a new dynamic is created that forces marketers to work harder to obtain the right to communicate with their customers continuously within these current legal limits.
The GDPR was designed to ensure that there is more transparency between the organisations that collect and control the data and the people whose personal data are collected. This means that any organisation that attracts people to their website and wishes to collect data via a form must clearly communicate to that person what their data will be used for.
The individual must give their consent for that use, and under the GDPR that consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
According to the GDPR, data is only allowed to be collected that is adequate, relevant and limited to what is necessary for the purpose of obtaining such data. Any data collected by the organisation that are considered unnecessary or excessive will constitute a breach of the GDPR, which currently clashes with the practice of many organisations that collect data that they do not directly use.
Companies can only use the data they collect and store for specific, explicit and legitimate purposes. They are not allowed to use data in any way that is incompatible with the purpose for which it was collected. Also, if they plan to transfer or share the data with another company, they must ensure that they have the person's consent to do so.
Once the data is collected, the organisation must ensure that it is stored securely. This means that they must use “appropriate technical and organisational measures” to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, disclosure, access or alteration.
Depending on the type of data collected and the ways in which they are used, companies may need to encrypt the data, to pseudonymise it (replace the identifying fields with tokens that can only be linked back to a person using information kept separately) or to anonymise it, and to regularly test and evaluate the effectiveness of those measures, in addition to confidentiality controls on who can access the data.
People can now ask organisations to correct or update their data at any time if the information is inaccurate or incomplete (the right to rectification).
The company is responsible for ensuring that they fulfil their obligations under the GDPR. Not only will they need to maintain records to verify compliance (for example, consent records for all collected data), but they should also ensure that they have policies in place that govern the collection and use of that data.
In addition, they may need to appoint a Data Protection Officer (DPO) and make sure to implement a ‘privacy by design’ policy, to ensure that they systematically consider the potential impact that a project or initiative could have on people’s privacy before it is launched, not after.
Companies can only retain personal data for as long as necessary to fulfil the purpose of the collection. Therefore, when drafting their retention policies, organisations will need to consider whether there is any law or regulation that forces them to hold on to some of that data for specific periods even when the purpose has disappeared.
For example, they may need to retain some financial data for audit purposes as set out by law. While this is allowed, it must be clearly described in their retention policy. Again, the principle of transparency is important.
If at any time the individual requests that their data be deleted, the data controller must comply with that request (unless a legal exception such as a statutory retention obligation applies) and confirm the erasure, not only in their own systems, but also in the systems of the processors that handle the data on their behalf.
Search engines have also taken a position on security and have begun favouring websites that protect the users who visit the pages they index.
Serving your website over HTTPS with a valid TLS certificate therefore helps organic positioning as well as protecting the data your forms collect in transit. Browsers already mark plain HTTP pages as “Not secure” and warn the visitor about the risks of sending information over them.
One of the most important novelties that this Regulation is introducing, as we have commented, revolves around the way in which those responsible must obtain the consent of users for the processing of their personal data, and above all, how to demonstrate that they have obtained it lawfully.
For this reason, in this post we have already explained the options that Signaturit has designed for this purpose, which allow this legal requirement to be automated quickly and effectively according to the particular needs of each company.
Marketing specialists must continue to work with their IT and legal colleagues to understand the ramifications of this new legislation and to find solutions not only to comply but also to demonstrate compliance.
With the right tools, they will be able to meet the high guarantees of data privacy that the Regulation demands and become true guardians of their customers’ data, which will also help to avoid excessive processing of customer information.
In addition, working within these legal limits is itself a value proposition that audiences receive well. In short, it is about connecting with consumers and building a relationship based on transparency and trust through best practices.