Some Helpful GDPR Resources

May 16, 2018


The General Data Protection Regulation (GDPR) is confusing to marketers. Of course it is! GDPR is a legal issue and we are not lawyers. At CI we want to be helpful, so we are sharing what our lawyer sent to us and other resources we have found useful in facing GDPR for our business. This is the first post we’re publicly releasing, with another specifically about Google Analytics to follow. CI clients will be hearing more from us individually.

None of this information is intended to be legal advice. Therefore, we strongly recommend that you consult a qualified attorney who understands the GDPR before making any decisions which may even possibly be based upon, or impacted by, the GDPR.

Here are the resources:

1. Seth Godin has some helpful words of wisdom on his blog about how GDPR is actually a good thing for marketers because it helps us market to people who want to be marketed to.

2. Here are some other resources our team has come across in trying to wrap our heads around GDPR:

The UK's Information Commissioner's Office

Google’s info center on GDPR

Facebook's info center on GDPR

3. If you’re frustrated, we hear you and you’re not alone. Today The New York Times published this on its Opinion page about the complexity and lack of clarity around the law.

4. Finally, see the note below from Capacity Interactive's lawyer putting things as plainly as a lawyer can.

As many have heard, the General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018.  However, for some people, it is not clear what the GDPR is or how it impacts them or their organization. The below is intended to provide a simple summary of the main provisions of the GDPR. There are, of course, other provisions of the GDPR which may impact your organization.


The GDPR is a new and fairly strict law which, when applicable, sets precise and strict standards for the collection, storage, and use (sometimes referred to as “processing”) of personal data of individuals who are located in the European Union (“EU”) and the European Economic Area (“EEA”) and in connection with activities in the EU/EEA, or in connection with monitoring behavior in the EU/EEA.

The law is intended to provide new and additional protections to "data subjects" (i.e. residents) of the EU and EEA, and therefore, its application is based on the location of the data subject and not the locations of the individual or entity processing such personal data. Therefore, for example, if your organization is targeting and gathering personal data from individuals within the EU/EEA, you may be subject to the GDPR even if all of your operations are located in the United States or outside of the EU/EEA.  

The GDPR applies to "controllers" (the entity who determines the purposes and means for processing the personal data) and "processors" (the entity who performs any operations on the personal data, including storage or structuring of the data).

Merely making your website available to individuals located in the EU/EEA, without more, will not necessarily subject your organization to the GDPR.  Rather, the law will look to whether the "processor" (your organization) “envisages offering services to data subjects in” the EU/EEA (in which case, the GDPR would apply).  

The GDPR requires controllers and processors to maintain records of their processing activities. For example, under the GDPR if an entity learns that it has inaccurate personal data (i.e., a data subject corrects the information) and the entity has already shared that data with a third-party, that entity is under an obligation to inform the third-party of the change. The GDPR requires organizations to be in a position to reveal how they comply with the data protection requirements and that they have appropriate procedures in place. For now, the standard for compliance is somewhat subjective. However, it is likely that once the law becomes effective, standards will gradually evolve.  

The GDPR requires entities to inform data subjects of their identity, how the personal information will be used, the lawful basis for processing the data, the data retention periods, the right to complain to the applicable Information Commissioner’s Office (“ICO”), etc. All of this information must be provided in clear, concise and easy to understand language.

The GDPR provides individuals with the following rights with respect to their personal data being collected and deleted:

1. The right to be informed of what data is being collected and why;

2. The right to access their personal data;

3. The right to have any incorrect information fixed;

4. The right to have their personal data deleted under certain circumstances;

5. The right to restrict processing;

6. The right of data portability under certain circumstances;

7. The right to object to the use of their personal data; and

8. The right to not be subject to automated decision-making with respect to their data (i.e., profiling).

Importantly, many of the above rights may be limited or restricted under certain circumstances or based upon certain other provisions of the GDPR.

The GDPR also requires that there be a lawful basis for processing personal data.  Data subjects are entitled to know the lawful basis for the processing. This is often accomplished through a privacy policy on your website but may also occur through a contractual relationship or otherwise.

There are six (6) lawful reasons to process personal data:

1. Consent of the data subject – and there are specific requirements for consent to be valid;

2. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;

3. Processing is necessary for compliance with a legal obligation;

4. Processing is necessary to protect the vital interests of a data subject or another person;

5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and

6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

There are new reporting requirements when an entity suffers a data breach – generally only where the breach is likely to result in a risk to the rights and freedoms of the individual data subject(s) (i.e., discrimination, reputation damage, financial loss, loss of confidentiality, or other economic or social disadvantage). The GDPR also requires reporting to data subjects under certain data breaches (where there is a high risk to the rights and freedoms of the individual).

Finally, the GDPR also requires controllers and processors to implement appropriate technical and organizational measures proportionate to the risk.

We at Capacity Interactive take the GDPR and our obligations under the GDPR seriously. More information can also be obtained at



Erik Gensler
Capacity Interactive
