Data is the most valuable resource for marketers, allowing them to build marketing strategies, analyze campaigns, and win potential customers. That is a primary reason why marketing has to comply with the General Data Protection Regulation (GDPR), which has changed how companies across the EU handle personal data.
In this article, we’ll look at some of the new rules that the GDPR places on how marketers will use personal data.
What Is Personal Data
Today advertisers can target people based on thousands of data points collected by companies that monitor their internet activity, location, and behavior. This can be entirely unwanted, disturbing, or intrusive, so the General Data Protection Regulation tries to give users the ability to control when and how their data will be utilized.
Personal data is any information that relates to an identified or identifiable natural person (Article 4 of the GDPR). It is not limited to a name or email address but includes any information that tells you something about a specific person. In practice this means that IP addresses, GPS data, and the identifiers collected through cookies, tracking pixels, and web beacons are all relevant to marketing and all count as personal data under the GDPR.
Do Non-EU Companies Have to Comply with GDPR?
Yes. The new data privacy law applies not only to companies based in the EU but also to any entity that either offers goods or services to people in the EU or monitors the behavior of people in the EU (Article 3(2)).
In other words, if you are located outside the European Union but people in the EU are your target audience, you must comply with the GDPR. Note that the test is where the data subjects are, not their citizenship.
"Monitoring people's behavior" is a big part of what online advertising is about. According to the European Data Protection Board (Guidelines 3/2018 on territorial scope), the following activities involve monitoring of behavior:
- Behavioral advertising
- Geolocation activities, especially for marketing purposes
- Online tracking (e.g., cookies)
- Market surveys and other behavioral studies based on individual profiles
If your organization derives personalized ad revenue from people in the EU, you must comply with the GDPR.
GDPR: What Has Changed in the Way Marketing Can Handle Data
The main goal of the GDPR is to ensure that data subjects (the people whose data it is) can be confident that their data is not going to be misused.
Under GDPR, there are seven main changes businesses must make to collect and maintain data. They are as follows:
- Present the consent request separately from other terms and conditions, so that your customers can see exactly what they are agreeing to.
- Don't use pre-ticked opt-in boxes for consent. The user must opt in by their own action.
- Ask users for separate consent for each way their personal data is to be used; bundled, all-or-nothing consent does not count.
- Always identify yourself. Users must be told who will be using or storing their data, including every third party the data will be shared with.
- Record consent. Keep records of who consented, when, to what, and on the basis of which notice, and document your data collection, handling, and storage activities.
- Data subjects must always be able to contact you and withdraw their consent, and withdrawing must be as easy as giving it (Article 7(3)).
- Consent must be freely given. Making a service conditional on consent to processing that the service does not need is a sign that it is not (Article 7(4)).
Which Marketing Activities Does GDPR Affect
Digital marketing that includes personal data processing usually consists of the following main activities:
- Data collection and profiling. Companies collect information about people's interactions to analyze the market and build individual customer profiles. The marketing team also processes data to keep track of customers' choices so it can further improve the product or service based on customer needs.
- Targeting. Marketing departments use data to reach potential customers with a product or service offer. Email campaigns, social media advertising, Google Adwords, instant messaging, SMS, and other push notifications all involve the use of personal data.
User Consent: What to Take Into Account
Consent is a must for online advertising, because companies are using personal data that is subject to the GDPR. Advertising often involves collecting and analyzing data about a person's preferences, political affiliations, and family life (to name just a few examples).
The GDPR wants to make sure that a person who is subject to online advertising knows what they are getting into.
Under the old law, the Data Protection Directive (95/46/EC), the definition of consent already held businesses to a relatively high standard. Under the GDPR, this standard is even higher.
Until the GDPR, consent had to be an indication of the person's wishes that was:
- Freely given
- Specific
- Informed
The GDPR (Article 4(11)) requires that consent must also be:
- Unambiguous
- Given by a statement or by a clear affirmative action
Previously, consent could be obtained on an "opt-out" model: if the user did not refuse something, you could assume you had their consent. The GDPR puts it differently: you do not have a user's consent until you ask them directly and receive a positive answer. In particular, companies must not use a pre-ticked box when asking for consent.
Under the GDPR, if personal data is used for direct marketing, the person has the right to object to that processing, and companies must honour the objection. You are obliged to inform users that their data will be used for marketing purposes. Once a data subject has objected, you must stop processing their personal data for marketing purposes.
An email address is personal data, so the GDPR applies whenever you collect, store or use email addresses, including for email campaigns.
You do not always have to ask for consent for email marketing: there is an exception for existing customers with whom you already have a business relationship (the "soft opt-in" from the ePrivacy rules, which lets you market your own similar products to people whose address you obtained in the course of a sale). Under the GDPR you can then rely on your company's "legitimate interests" as the lawful basis for such emails, provided you have documented that assessment. In every case, you must give people a clearly stated opportunity to refuse further emails, both when you collect the address and in every message you send.
If you are trying to reach out for new customers via email campaigns, you must receive their consent.
Companies that perform consumer profiling must inform people that their data will be used for profiling purposes and the consequences of such profiling activities. A person should also be informed if they must provide data and what happens if they decline. People should also know that they can object to personal data processing for profiling purposes.
You must therefore inform your data subjects about processing for both direct marketing and profiling. When a person objects to direct marketing, you must stop that processing, and this also covers any profiling done for that marketing (Article 21(2)); the person does not have to object to the two separately. Where the objection leads to erasure, you must delete the data without undue delay. Profiling for purposes other than direct marketing can also be objected to (Article 21(1)), but there you may continue only if you can demonstrate compelling legitimate grounds that override the person's interests.
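The rules above (separate consent per purpose, no pre-ticked boxes, naming the controller and recipients, recording and withdrawing consent, and honouring an objection to direct marketing) are easier to get right when the marketing backend enforces them in one place. The following consent ledger is an added example, not code from this article or from Infopulse; the purpose names, the controller and recipient names, and the sample events in demo() are constructed for illustration, and which purposes count as direct marketing is an assumption of the example.

```python
"""Purpose-scoped consent ledger (added example; all names are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Purposes that are asked for separately. Which of them count as direct
# marketing (and so fall under an Art. 21(2) objection) is an assumption.
PURPOSES: Set[str] = {"newsletter", "behavioural_ads", "marketing_profiling",
                      "market_research"}
DIRECT_MARKETING: Set[str] = {"newsletter", "behavioural_ads", "marketing_profiling"}


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str
    given: bool                 # True = consent given, False = withdrawn
    at: datetime
    controller: str             # who uses or stores the data
    recipients: List[str]       # third parties the data is shared with
    notice_version: str         # the privacy notice the subject actually saw
    evidence: str               # the affirmative act, e.g. "ticked unchecked box"


@dataclass
class ConsentLedger:
    subject_id: str
    records: List[ConsentRecord] = field(default_factory=list)
    objected_to_direct_marketing: bool = False

    def record_consent(self, purpose: str, evidence: Optional[str], controller: str,
                       recipients: List[str], notice_version: str,
                       at: Optional[datetime] = None) -> ConsentRecord:
        """Store consent for ONE purpose. `evidence` describes what the user did;
        None means no action (pre-ticked box, silence, bundled T&Cs) and is refused."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if not evidence:
            raise ValueError("no affirmative action: a pre-ticked box or silence "
                             "is not consent under GDPR Art. 4(11)")
        rec = ConsentRecord(purpose, True, at or datetime.now(timezone.utc),
                            controller, list(recipients), notice_version, evidence)
        self.records.append(rec)
        return rec

    def withdraw(self, purpose: str, at: Optional[datetime] = None) -> None:
        """Withdrawal is one call with no justification, as easy as giving consent."""
        last = self._latest(purpose)
        if last is None:
            raise ValueError(f"no consent on file for {purpose}")
        self.records.append(ConsentRecord(purpose, False, at or datetime.now(timezone.utc),
                                          last.controller, last.recipients,
                                          last.notice_version, "withdrawal request"))

    def object_to_direct_marketing(self) -> None:
        """Art. 21(2): an objection to direct marketing is always honoured."""
        self.objected_to_direct_marketing = True

    def may_process(self, purpose: str) -> bool:
        """Gate every marketing job on this before touching the subject's data."""
        if self.objected_to_direct_marketing and purpose in DIRECT_MARKETING:
            return False
        last = self._latest(purpose)
        return last is not None and last.given

    def _latest(self, purpose: str) -> Optional[ConsentRecord]:
        hits = [r for r in self.records if r.purpose == purpose]
        return hits[-1] if hits else None

    def audit_trail(self) -> List[Dict[str, str]]:
        """What to hand a regulator: who consented to what, when, on which notice."""
        return [{"subject": self.subject_id, "purpose": r.purpose, "given": str(r.given),
                 "at": r.at.isoformat(), "controller": r.controller,
                 "recipients": ", ".join(r.recipients), "notice": r.notice_version,
                 "evidence": r.evidence} for r in self.records]


def demo() -> Dict[str, bool]:
    """Constructed walk-through of one subject's consent lifecycle."""
    led = ConsentLedger("subject-0001")
    led.record_consent("newsletter", "ticked unchecked box on signup form",
                       "Example Shop GmbH", ["MailSender Ltd"], "privacy-notice-v3")
    led.record_consent("behavioural_ads", "clicked 'Allow personalised ads'",
                       "Example Shop GmbH", ["AdNetwork Inc"], "privacy-notice-v3")
    led.record_consent("marketing_profiling", "clicked 'Allow personalised ads'",
                       "Example Shop GmbH", ["AdNetwork Inc"], "privacy-notice-v3")
    out = {"newsletter_before": led.may_process("newsletter"),
           "research_without_consent": led.may_process("market_research")}
    try:  # a pre-ticked box means no user action, so it is refused outright
        led.record_consent("market_research", None, "Example Shop GmbH", [], "privacy-notice-v3")
        out["preticked_accepted"] = True
    except ValueError:
        out["preticked_accepted"] = False
    led.withdraw("newsletter")
    out["newsletter_after_withdrawal"] = led.may_process("newsletter")
    led.object_to_direct_marketing()
    out["ads_after_objection"] = led.may_process("behavioural_ads")
    out["profiling_after_objection"] = led.may_process("marketing_profiling")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the same object that holds the evidence a regulator will ask for is the one every campaign job must consult, so a withdrawn consent or an objection cannot be overlooked by a job that reads an older export of the mailing list.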
What Are TOMs and Why They Are Vital
If you process personal data, you must implement Technical and Organizational Measures (TOMs) to minimize the risks and to eliminate factors that may lead to inaccuracies in personal data. Companies must also take appropriate security measures to:
- Protect users' data;
- Prevent risks to people's rights and freedoms;
- Prevent discriminatory effects on individuals based on special category data, such as race, ethnicity, religion, beliefs, political opinion, trade union membership, genetic or health data, or sexual orientation.
Profiling and automated decision-making based on special category data are allowed only under specific conditions.
How to Reconsider Your Marketing Process under GDPR: The Checklist
It is crucial to rethink and change your marketing approach wherever it involves personal data, whether for targeting, advertising, or profiling. You should be able to demonstrate to your users that your practices are transparent. To that end, you can use the following Marketing & GDPR Checklist.
Develop and publish a data protection policy and related notices on your website. They should include clear statements about your consent practices (Article 7) and make sure data subjects understand what they are consenting to.
Add a data privacy notice to every email you send out. People on your mailing lists must be told how they got onto the list, must be there legitimately, and must have the opportunity to unsubscribe.
What else marketers should consider when dealing with data today
To comply with the GDPR, make sure that you:
- Understand whether you are subject to the GDPR.
- Update your consent request mechanisms for cookies and direct marketing.
- Inform data subjects about what data you collect and how it will be used. Make sure the necessary opt-ins are in place for every marketing-related processing activity.
- Consider whether you need to request fresh consent from any of your existing customers.
- Make sure you can handle data portability requests.
- Keep records of all your data collection and processing activities. This is a cornerstone of the law: when a regulator asks, you must be able to demonstrate accountability, and this mainly means proving user consent.
- Provide disclosures that clearly show which third parties you share data with and for what purposes.
- Your data subjects must be able to access their data and ask for erasure. Have this process ready before the first request arrives: such requests must be answered without undue delay and, in general, within one month (Article 12(3)).
Personal data will remain essential for marketing; yet complying with the data privacy law involves a lot of work, particularly for companies doing online advertising.
If a company collects and processes personal data for direct marketing and profiling purposes, the GDPR is going to make its marketing life more complicated. The GDPR has strengthened data protection rights, making digital marketing more demanding for businesses. To comply with the data protection law, you must reconsider and improve your marketing processes.
About the Author!
Jan Keil ("IT-Compliance, Security and Blockchain Evangelist") has a proven track record and more than 20 years of experience in the IT industry. Currently VP of Marketing at Infopulse, he is a strong business development and marketing professional and was educated at the Karlsruhe Institute of Technology, Germany. As an experienced Chief Executive Officer, he previously ran several companies and start-ups and acted as interim manager for several international IT projects and well-known brands. In the past, he also ran a security company focusing on biometrics. Since 2015 he has been heavily involved in compliance- and blockchain-related project development.