Article by Laghima Jain and Adhip Ray, Edited by Chinmay Jain.
The General Data Protection Regulation (GDPR) of the European Union (EU) is a data governance law that gives consumers control over their personal data.
GDPR, the core of Europe’s digital privacy laws, is designed to reflect the digital world in which we live and helps the laws and policies on personal data, privacy, and consent across Europe keep pace with the internet-driven era.
It applies to organisations operating within the EU and to organisations outside the EU that deal with consumers and businesses in the EU.
This article provides an overview of everything you need to know about the impact of GDPR on marketers in the European Union.
Remember this: Article 4 of the GDPR lays down the definition of two different types of data-handlers – controllers and processors.
A controller is “any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Rights of the Data Subject
Under GDPR, the individuals whose data is collected are referred to as data subjects.
It protects the consumer’s privacy by providing the following rights for digital platform usage:
- Right to access- The data subjects have the right to obtain and access their personal data, along with supplementary information, free of charge, so that they can understand how the data is used and check that it is being used for lawful purposes only.
- Right to be forgotten/erasure- As the name suggests, the data subject has the right to make the controller delete his/her personal data. The right applies on a situational basis; it is not an absolute right.
- Right to data portability- The data subject has the right to ask for the transfer of their personal data to another controller, or to ask to get the whole data back in a machine-readable electronic form.
- Right to be informed- The data subject has the right to receive correct information about how his/her data is being processed and the rationale behind such processing. This right is the core of the GDPR, as it brings vital transparency requirements.
- Right to renew information- The right to have inaccurate or incomplete personal data rectified, depending on the purpose of processing.
- Right to object- The data subject has the right to object to the processing of their personal data and to withdraw their consent. The objection may cover all of the personal data, a part of it, or the way in which it is processed. Further, there is the right to object to the evaluation of personal data by automated processing and not to be subjected to a decision based on such automated processing.
- Right to restrict processing- The data subject can restrict organisations from using their personal data in a certain manner, i.e., the right to restrict the processing of the personal data.
- Right to be notified- In case of a data breach compromising the personal data of individuals, they have the right to be notified of the breach within 72 hours after the organisation becomes aware of it.
GDPR and Marketers
GDPR has had a significant impact on marketers, their approach towards customers, and the handling of customers’ personal data.
It obliges marketers to obtain explicit permission before using a consumer’s data for particular activities, protecting the consumer’s privacy by giving them the option to direct how their personal data is used and greater control over it.
With the introduction of the new legislation, marketers have to regulate the way they collect, store, and process data in order to make and maintain better connections with consumers.
Before going forward, we should understand the difference between personal data and personally identifiable information.
Personal Data is the broader concept and includes all “Personally Identifiable Information”.
Personal Data includes all identifiers such as name, email address, contact details, and location data like a pin-code, but it is not limited to such basic information.
It includes other attributes as well, such as information regarding a person’s psychological, physical, genetic, physiological, mental, social, cultural, or economic identity. Personally Identifiable Information includes only the basic information that identifies a person directly.
In contrast, Personal Data is a combination of information that consists of both directly and indirectly identifiable data.
Further, Personal Data also includes special categories of data that are obtained for a special and specific purpose. Sensitive Personal Data is termed a special category of data; it covers attributes such as race, origin, class, caste, opinion, religion, and health, which can be grounds for potential discrimination.
Marketers should consider personal data, rather than only personally identifiable information, for the specific purpose, obtain consent for using it, and ensure that such data is protected.
Marketers are required to bring about effective change at the different stages of their marketing methodology.
Collecting Data from data subjects
Marketers, as Data Controllers under GDPR, are required to be transparent while collecting data from individuals (known as Data Subjects under the GDPR).
The data subjects must be appropriately informed about the use of their personal data.
Marketers must specifically give data subjects the option to provide their consent in clear, understandable language and in an unambiguous form. Information about the right to withdraw consent must also be provided.
For example, Alex, an EU citizen, is interested in music and downloads an e-book to learn a musical instrument at home. He does some research on the website.
Before downloading, Alex has to enter his personal data on the website. The website owner must provide details of how his personal data is going to be used and must ask for his consent for that particular use. If, in the future, the website owner wants to use Alex’s personal data for some other purpose, then he/she will be required to obtain Alex’s consent for that other specific purpose.
Therefore, under GDPR, transparency must be maintained throughout the relationship between the marketer and the individuals. Further, the marketer should collect only the data that is necessary for the intended purpose of collection.
Unnecessary and excessive data collection may constitute a breach under GDPR.
Storage and Processing of Data
Marketers have to ensure that the personal data of individuals is used for the specific and legitimate purpose for which they obtained consent from the consumers.
The use must revolve around the intended purpose, and if they wish to share the data with any other person, organisation or company, then consent has to be taken from the person whose data is intended to be shared.
Further, securing the data after collection is a must under GDPR. Marketers have to ensure that the consumer’s data is secured in an appropriate manner, in accordance with the provisions of GDPR, i.e., marketers must apply the principle of privacy by design and restrict any unauthorised usage by adopting technical and organisational security measures.
The strength of the measures for keeping the data safe will depend upon the kind of data collected. For example, sensitive data such as biometrics will require a high level of security. Further, the standard of security also depends upon how the organisation uses the data.
The principles under GDPR require a Data Privacy Impact Assessment (DPIA) to be carried out when processing data using new technologies. A DPIA provides information about the potential impact on the privacy of the data subjects.
It helps in mitigating the potential impacts identified before they arise. Also, marketers may be required to appoint a Data Protection Officer (DPO) for better application of the principles under GDPR and for compliance with its rules and regulations.
Contracts and Privacy Documentation
The primary reason for establishing GDPR is to maintain transparency between companies and their customers. In order to maintain transparency, marketers are required to review their privacy policies, as well as their internal data policies, and make appropriate changes to meet the requirements of GDPR.
If a third party is appointed to process the data of the data subjects, the contract has to include the new and compulsory provisions under Article 28 of GDPR. Similarly, the third party will have to make the necessary changes to ensure that the customer contract is in accordance with the provisions of GDPR.
Termination of Relationship
Marketers should make clear in their policies how data is retained after the termination of the relationship between the consumer and the marketer.
They should retain the personal data of the data subjects only until the intended purpose is fulfilled.
After the termination of the relationship, they should inform the data subjects about what information they will retain, for how long they will keep it, and the justification for retaining that specific data.
While drafting retention policies, they should check whether any law or regulation mandates a retention period for specific data.
For example, the financial data of a consumer might be required, even after the termination of the relationship, for auditing purposes in the particular financial year. Here, the marketer must specify that the financial information is retained for the specific purpose of auditing, in order to maintain transparency.
Further, if at any point in time a data subject requests that the marketer remove his/her personal data, then the marketer must ensure that the data is deleted from the marketer’s own portal as well as from any portal with which it was shared for the intended purposes.
For example, after ordering the e-books, Alex wants to delete his account from the particular platform and remove all of his information.
The platform must ensure that all of his data is removed, retaining only the data needed for a purpose that is yet to be fulfilled. The retention of data must be communicated to the data subject with all the necessary information.
Preparation to Comply with GDPR
GDPR has raised the bar for marketers and made them think out of the box to attract consumers while also complying with the provisions of GDPR.
It is an opportunity as well as a challenge because, after the application of GDPR, marketers have to come up with innovative tactics to approach consumers and persuade them to share their personal data.
Marketers should revisit and evaluate all of the policies, contracts, agreements, programs, and data handling practices that were in place before GDPR came into force in May 2018.
Thereafter, they should alter and update their policies, contracts, agreements, programs, and data handling practices according to the provisions of GDPR.
The foremost intention of GDPR, i.e., transparency between data subjects and companies, must be kept in mind during these alterations.
Following are a few basic and essential areas that should be addressed:
- The terms, conditions, and privacy notices should be reviewed and updated to ensure transparency, and should be written concisely in plain language. They should be easily accessible. Also, contracts and agreements should be reviewed and updated in accordance with the GDPR provisions.
- The terms, conditions, and data usage should be made clear in a direct manner, and after obtaining the user’s consent, the marketer should use the data for the intended purpose only. Also, there should be an opt-out option or an option for consumers to alter their personal data.
- The language of consent for using the data for the intended purpose should be clear and unambiguous.
- A process should be implemented through which the consumer can refuse the processing of their data by algorithms, i.e., automated processing.
- A tracking mechanism should be developed to give effect to the rights to portability and erasure. The mechanism should record the relevant data fields, requests for deletion, transfer or alteration of data, and the applicable data security rules, so that requests for transfer or deletion can be fulfilled efficiently.
- Controllers and Processors must evaluate the data and maintain a proper record of the data and of all processing activities, along with the consents and objections (if any).
- The protocols for management, notification, and escalation of a future data breach should be revised, and breach notification must be given to the controlling authority within 72 hours of identification. If a serious breach occurs, a public notification must be issued to inform consumers about the breach.
- A DPIA is compulsory for organisations conducting automated processing of personal data.
- Appoint a DPO and connect them with top-level management to manage changes in process and compliance under GDPR.
Any non-compliance attracts a fine of 10 million Euros or 4% of the company’s annual global turnover. Further, fines depend upon the seriousness of the breach and on whether the company is deemed to have approached compliance and security regulations in an appropriate manner.
Wrapping it Up
GDPR was introduced to acknowledge the importance of data in the internet-driven global economy and to protect individual rights when their personal data is used by organisations in the EU, and by organisations outside the EU that are connected with or do business with those in the EU.
It is quite a big challenge, as data is the life-blood of marketers and they now have to rethink their approach towards consumers. It is also an opportunity for marketers, as they have to demonstrate to data subjects the value of sharing their data, leading to personalisation and a more efficient data economy.
Therefore, these regulations will shape how marketers depend upon behavioural data collection.
Author Bio: Laghima Jain is a law student at Nirma University. She has numerous legal internship experiences with several top-tier law firms. Connect with her on LinkedIn.
Editor Bio: Chinmay Jain is a BA.LLB(H) student from Institute of Law, Nirma University, and was an intern at WinSavvy. Connect with him on LinkedIn.