Your Biggest GDPR Marketing Questions Answered
Based on the attendance of our recent webinars on the General Data Protection Regulation (GDPR), page views of related content, and direct customer inquiries, many companies still have a good many questions about the European Union’s new legislation. Considering new rules go into enforcement on May 25th of this year, it’s no wonder many have suddenly realized the urgent need for answers, especially at such a late date.
What’s stood out most about the conversations we’ve had with our customers is the very lack of a common focus, and how their concerns have ranged quite far and wide – all over the map, as it were. That speaks to the complexity of the impacts GDPR will have on organizations, and to how there’s still a great deal of confusion surrounding the regulation for many of them.
Recently, we decided to document some of the questions – and our responses – into a GDPR FAQ so we could share with a broader audience how they might want to think about preparing for the law’s sweeping requirements. This is by no means an exhaustive list, but it should prove helpful for marketers as they work towards making sure their data and campaigns are compliant by the deadline.
Is GDPR specific to just the European Union, or does it hold for other countries, too?
GDPR’s scope extends worldwide, applying to any “natural persons, whatever their nationality or place of residence,” to the “processing of personal data (by) a controller or processor in the Union, regardless of whether the processing takes place in the Union or not,” and to “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.”
For more on this subject, we recommend the recent blog post, “Does the GDPR Apply to US Companies? 4 Reasons Why It Probably Does”.
Should the GDPR be a global consideration for all marketers, regardless of being global versus regional? For example, if our company just operates in the United States, how will the GDPR affect us, if at all?
Every digital marketer, wherever they are, should be taking GDPR into account, period. The GDPR is very explicit in asserting that it applies to entities outside the EU who are processing the personal data of people who reside inside the EU. For example, if your US-based business operates a website that is accessible inside the EU, and your site gathers personal data from visitors, then you have GDPR exposure even if you have absolutely no intention of marketing to, or servicing, anybody in the EU.
Similarly, unless you can prove your collection of that data was lawful under GDPR, the regulators will have a basis for an action against your company. Whether or not they would file an enforcement action in that situation is another matter entirely. However, it could very well turn out to be a case where the US FTC and the EU decide to cooperate in enforcing the statutes, in the way there’s reciprocity today in supporting cross-border investigations through extradition and information sharing.
Does the GDPR apply only to data collected through marketing/websites, or does it apply to data collected through any means, such as an application form for a product or service?
GDPR applies to any personal data processed by automated means, as well as to data processed manually if that data is stored in a filing system. In other words, it’s far broader than just website-based data collection for marketing purposes. While the drafting of GDPR may have been stimulated, in part, by the explosion of data-driven online marketing, it’s by no means restricted to that category. Just as the HIPAA Privacy Rule in the United States seeks to establish controls and protections over electronic Protected Health Information, the GDPR will perform a very similar function in the European Union for healthcare data, and likewise for financial services, scientific research, public services and many other areas.
So, yes, the GDPR applies in any context where you are seeking to collect what GDPR considers to be personal data.
Does GDPR apply equally, no matter how large the company? Can a small company do anything to reduce its requirements?
Yes to the first question, no to the second. It doesn’t matter how large or small you are, you’re under the same regulatory obligations. It’s rather democratic, actually. Massive enterprises have to operate on the same level as the rest, and can’t leverage their way out of compliance.
What constitutes “personal data” under GDPR?
“Personal data” means any data you can use to identify human beings, either directly or indirectly, and/or any data that describes human beings, such as descriptions of their characteristics and behaviors.
GDPR mentions “legitimate interest” on the part of the individual as a legal grounds for processing personal data. How do you interpret the possibilities offered by legitimate interest in a marketing context?
There are, in fact, six lawful bases for collection of personal data under GDPR, including both consent and legitimate interest. The thing about legitimate interest is that it has to be just that: legitimate. You have to be able to demonstrate that the purpose to which you’re putting the gathered personal data is legitimately in the interests of the controller or the data subject.
An example might be a company that needs to process certain personal data to comply with industry standards or regulatory requirements related to fraud prevention or policing money laundering. Typically, this would be a financial institution such as a bank, a credit card issuer or an insurance company, but also other entities that process data on a global scale. That would fall under legitimate interest, and there are other exceptions, but it’s a complex and confusing matter. So a marketer should keep qualified counsel on speed dial.
What about B2B marketing? Does consent apply the same way as it would in B2C?
GDPR is concerned with the protection of “natural persons,” i.e. human beings, as opposed to “legal persons,” i.e. limited liability companies. So, as long as your B2B marketing activities do not use, gather, rely on, or process personal data, you’re fine.
However, that's probably unlikely, since you need information about human beings inside those legal entities so you can present them with marketing offers. In other words, the GDPR applies equally in B2B marketing scenarios as soon as you start reaching out to real human beings, and/or attempt to gather information about them not covered by any of those six lawful bases for collection of personal data we mentioned above.
If our marketing department is getting a list from a third party, and we use those names for an email campaign, who is responsible for the legal notice: the list supplier or the marketer using it?
There are a few issues to unpick here. Firstly (and theoretically), the supplier of such a list should be taking GDPR-compliant steps to ensure they’ve secured the permission of the list members for their data to be distributed in such a way before offering it to you in the first place. In practice, it would be highly unlikely that the members of such a list would have granted permission for their data to be sold indiscriminately for undefined purposes.
Having said that, just like handling stolen goods, it wouldn’t be much of a defense to argue that you assumed the supplier had ensured appropriate consent, especially if you’re not able to offer some reasonable proof of due diligence on your own part to confirm that assumption. At the end of the day, you – as the controller of that data – are going to be held responsible for the unlawful processing of any GDPR-protected personal data. So you should make sure you have lawful grounds to use (or even store) that personal data, whether sourced directly or acquired from third parties. In this scenario, the marketer would be considered the controller of any personal data gathered through a marketing campaign, so responsibility for presenting a GDPR-compliant notice falls to them.
How does GDPR apply to historically collected data? For example, people who are already opted-in to receive marketing emails?
As far as we can tell, there is no mention of grandfathering in GDPR. What does that mean in practice? We think it means that when GDPR becomes effective, every company from that point forward will have to ensure that its processing (and even storage) of all personal data in its possession is lawful under GDPR.
That means a couple of things. Firstly, for personal data held directly by the company, it will have to determine whether there is a lawful basis for continuing to store and/or process that data.
If consent is the basis being relied on, the company will have to determine whether the opt-in process it used met the GDPR criteria of freely-given, informed, specific and unambiguous consent. For example, was the opt-in consent notice written in plain English and separated from other terms and conditions? If a checkbox was involved, was it defaulted to “yes,” which would violate the “silence and inactivity” prohibition component of unambiguous consent? Did the consent notice explain how consent could be revoked, and was that process comparable to the method used to provide consent in the first place? Was any part of the service conditional on the data subject providing consent? And so on. And finally, is there a record of the consent notice each subject actually received?
Secondly, each company will have to go through the same inventory and decisioning exercise with each of its business partners or subcontractors who have collected personal data on their behalf. We are, alarmingly, aware of several companies who have already considered this issue and determined the burden of compliance to be so high that the only pragmatic course of action was to institute a company-wide purge of all personal data repositories. Hopefully, they’ll be in a minority, but it does serve to highlight how seriously some are viewing these issues.
Can our company provide an incentive for giving consent? For example, could we offer a 15% discount on a customer’s first purchase that they wouldn’t get otherwise if they didn’t opt-in?
The guidance we’ve seen from the EU’s Article 29 Working Party about freely-given consent under GDPR says this: “If a controller is able to show that a service includes the possibility to withdraw consent without any negative consequences e.g. without the performance of the service being downgraded to the detriment of the user, this may serve to show that the consent was given freely.” It also says: “For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent.” In your example, denying the 15% discount to those who decline to opt in sets up a clear, cost-based disadvantage for refusing to give up personal data for marketing purposes, since they can’t receive the benefit without giving up that data.
Is there some sort of GDPR “compliance certificate” a company can obtain to show they’ve gone through the process of adhering to the law?
GDPR is a law and, as such, the notion of a compliance certificate doesn’t really apply, in the same way that a person can’t really get a compliance certificate for being a good driver. Following the law isn’t something you get a certificate for. Having said that, it probably won’t be too long before one or more respected industry bodies establish a standard in this area against which companies can elect to be assessed. We already have SSAE 16, PCI DSS, ISO standards, etc., and it would make a lot of sense for a body such as the IAPP to propose an audit/certification standard for GDPR compliance.
So is GDPR a threat to marketers, or an opportunity?
The former, certainly, if you’re not prepared. We’re willing to believe it can be a great advantage, though, for marketers who are compliant and who take pains to let their prospects and customers know that’s the case.
Demonstrating an authentic respect and concern for personal data will earn a company a great many brownie points with people, especially as they’re becoming more aware of its value, and more assertive about protecting it.