The General Data Protection Regulation (GDPR) is confusing to marketers. Of course it is! GDPR is a legal issue and we are not lawyers. At CI we want to be helpful, so what we can provide is what our lawyer sent to us and other resources we have found useful in facing GDPR for our business. This is the first post we’re publicly releasing, with another specifically about Google Analytics to follow. CI clients will be hearing more from us individually.
None of this information is intended to be legal advice. Therefore, we strongly recommend that you consult a qualified attorney who understands the GDPR before making any decisions which may even possibly be based upon, or impacted by, the GDPR.
Here are the resources:
- Seth Godin has some helpful words of wisdom on his blog about how GDPR is actually a good thing for marketers because it helps us market to people who want to be marketed to.
- Here are some other resources our team has come across in trying to wrap our heads around GDPR:
- If you’re frustrated, we hear you and you’re not alone. Today The New York Times published this on its Opinion page about the complexity and lack of clarity around the law.
- Finally, see the note below from Capacity Interactive's lawyer putting things as plainly as a lawyer can.
As many have heard, the General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018. However, for some people, it is not clear what the GDPR is or how it impacts them or their organization. The below is intended to provide a simple summary of the main provisions of the GDPR. There are, of course, other provisions of the GDPR which may impact your organization.
The GDPR is a new and fairly strict law which, when applicable, sets precise and strict standards for the collection, storage, and use (sometimes referred to as “processing”) of personal data of individuals who are located in the European Union (“EU”) and the European Economic Area (“EEA”) and in connection with activities in the EU/EEA, or in connection with monitoring behavior in the EU/EEA.
The law is intended to provide new and additional protections to "data subjects" (i.e. residents) of the EU and EEA, and therefore, its application is based on the location of the data subject and not the location of the individual or entity processing such personal data. Therefore, for example, if your organization is targeting and gathering personal data from individuals within the EU/EEA, you may be subject to the GDPR even if all of your operations are located in the United States or outside of the EU/EEA.
The GDPR applies to "controllers" (the entity who determines the purposes and means for processing the personal data) and "processors" (the entity who performs any operations on the personal data, including storage or structuring of the data).
Merely making your website available to individuals located in the EU/EEA, without more, will not necessarily subject your organization to the GDPR. Rather, the law will look to whether the "processor" (your organization) “envisages offering services to data subjects in” the EU/EEA (in which case, the GDPR would apply).
The GDPR requires controllers and processors to maintain records of their processing activities. For example, under the GDPR if an entity learns that it has inaccurate personal data (i.e., a data subject corrects the information) and the entity has already shared that data with a third-party, that entity is under an obligation to inform the third-party of the change. The GDPR requires organizations to be in a position to reveal how they comply with the data protection requirements and that they have appropriate procedures in place. For now, the standard for compliance is somewhat subjective. However, it is likely that once the law becomes effective, standards will gradually evolve.
The GDPR requires entities to inform data subjects of their identity, how the personal information will be used, the lawful basis for processing the data, the data retention periods, the right to complain to the applicable Information Commissioner’s Office (“ICO”), etc. All of this information must be provided in clear, concise and easy to understand language.
The GDPR provides individuals with the following rights with respect to their personal data being collected and deleted:
- The right to be informed of what data is being collected and why;
- The right to access their personal data;
- The right to have any incorrect information fixed;
- The right to have their personal data deleted under certain circumstances;
- The right to restrict processing;
- The right of data portability under certain circumstances;
- The right to object to the use of their personal data; and
- The right to not be subject to automated decision-making with respect to their data (i.e., profiling).
Importantly, many of the above rights may be limited or restricted under certain circumstances or based upon certain other provisions of the GDPR.
There are six (6) lawful reasons to process personal data:
- Consent of the data subject – and there are specific requirements for consent to be valid;
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of a data subject or another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
There are new reporting requirements when an entity suffers a data breach – generally only where the breach is likely to result in a risk to the rights and freedoms of the individual data subject(s) (i.e., discrimination, reputation damage, financial loss, loss of confidentiality, or other economic or social disadvantage). The GDPR also requires reporting to data subjects under certain data breaches (where there is a high risk to the rights and freedoms of the individual).
Finally, the GDPR also requires controllers and processors to implement appropriate technical and organizational measures proportionate to the risk.
We at Capacity Interactive take the GDPR and our obligations under the GDPR seriously. More information can also be obtained at https://www.eugdpr.org/