“Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security. In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, and external partners, and provided a graphic overview with our GDPR infographic.

As much as GDPR covers, it also raises an equal number of questions. Many of GDPR’s articles use ambiguous language, leaving marketers scratching their heads and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.

GDPR – Who?

Q: Does GDPR apply only to EU citizens?

A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.

Definition of Personal Data

Q: What is considered “personal” data? Is B2B information exempt?

A: Generic email addresses, such as “info@” or “contact@,” are not personal addresses and so do not count as personal data. All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes someone personally identifiable, such as their business email address.

Implied vs. Explicit Consent

Q: Is there a version of implied consent under GDPR? Does submitting a form with an available privacy statement count as consent to collect that data?

A: No. GDPR requires express consent with a checkbox acknowledgment.

Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?

A: No. Consent is an action independent from a marketing action, and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox acknowledgment; just make sure the checkbox is not required to submit the form. And be sure to include a link to your privacy policy on all forms. See an example of a GDPR-compliant opt-in form.

Privacy Policy Inclusions

Q: What needs to be included in my privacy policy?

A: How the data will be used, who will use it, and for how long. Use should include behavior such as lead scoring or other propensity-to-purchase calculations and workflows, as well as who has access, such as data enrichment vendors.

A sample of a GDPR-compliant privacy policy regarding the opt-in checkbox on a form reads like this:

“The information set out in this form is registered in an electronic database for the purpose of [commercial prospection, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge a complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…].”

Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?

A: Yes, GDPR changes the requirements for cookies, since cookie data constitutes personal data. You must now have consent to track visitor behavior. “By using this site, you agree to cookies” messages that imply approval when the banner is closed do NOT meet GDPR compliance. This is a departure from Do Not Track legislation. See a cookie notification example.

Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”

A: That depends on the purpose of the data. Where a contractual agreement exists (for example, I am buying on Amazon), personal data may be retained as long as the contract runs (or, in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site). If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL. It is the Data Controller’s responsibility to set the limit on data retention, and this should be specified in your privacy policy. Be careful not to run “wake the dead” nurture campaigns on opt-ins that have exceeded the stated time frame.

Unsubscribe vs. Data Removal

Q: Does unsubscribe mean data erasure?

A: No. They are two separate functions—you will need an unsubscribe from emails and a right-to-erasure option in the data consent center.

Opt-In Confirmation Emails

Q: We use a double opt-in for emails. Is this allowed?

A: Absolutely! Remember, Germany still requires a double opt-in. For Germans, you may send the opt-in confirmation, but no marketing communication until consent confirmation is provided.

3rd Party Access

Q: Are there any considerations for 3rd party vendors who have access to my data?

A: Yes, these are called processors, and they must also comply with specific GDPR obligations regarding security, confidentiality and accountability. As a controller, you must only appoint processors who can provide sufficient guarantees that all requirements under the GDPR will be met and that the rights of data subjects will be protected. For insights into assessing GDPR processor compliance, view this blog post.

Data Protection Officer

Q: Does my company need a data protection officer?

A: Under the GDPR, Controllers AND Processors must appoint a Data Protection Officer (DPO) if:

  • they belong to the public sector
  • their main activities lead to regular and systematic monitoring of people on a large scale
  • their main activities lead them to deal with sensitive data on a large scale

The good news: your DPO can be an external DPO shared by multiple companies.

Additional Consumer Rights

Q: I’ve heard GDPR grants consumers a number of rights. What do these rights include?

A: Under GDPR, data subjects have the right to request an export of all the personal data a company has collected on them and the right to request complete erasure of all personal data. They also have the right to be informed of your company’s data collection and usage policy upon request, and to be informed within 72 hours of any data breach your company has experienced.

Proactive Recommendations

If you don’t have explicit consent from the EU names in your database, now is a great time to launch a whitelisting campaign to engaged leads to update your records and get that required permission. Be sure to update your privacy policy first. As we all know, no marketing campaign has a 100% response rate, so don’t expect a single effort to capture all that you need here. Plan to send several messages. Ideally, your campaign should wrap up by May 25, 2018, when GDPR becomes enforceable.

Permissions. Privacy. Regulations. What’s Next?

As consumers, we’ve come to rely on the cyber world; as marketers, we’re learning to communicate our message efficiently amidst new regulations. In 2017, CASL became enforceable; 2018 is the year for GDPR; what will 2019 hold? I expect we’ll see more regulation, rule clarifications, and yes, penalties for non-compliance. My advice for marketers: focus on the needs of your customer, continue to build strong relationships, deliver personalized digital interactions and leverage technology every step of the way. Ultimately, you’ll develop deeper connections across wider audiences and strengthen your brand for any new legislation coming down the pike.

Legal Guidance

For more information on GDPR, we invite you to download the complimentary guide, “GDPR: A Legal Overview for Marketers.”

Need help evaluating your data practices and processes? Get your questions answered or request a GDPR readiness assessment by our team of Marketo Certified Solutions Architects.

*Note: This post is intended as a starting point for GDPR compliance, but should not be considered legal advice. We’re marketers, not attorneys–and while we did work with our attorneys to put this together for you, the reality is that we wear cool t-shirts, not 3-piece suits, so do make sure you have your own legal eagles review all of your policies and procedures related to GDPR.