GDPR – what can be done with care and what must never be done?

The GDPR – great and terrifying. When you open the Regulation and read its articles, any marketer would conclude that no data should be collected at all. More precisely, you can collect it, but every little thing needs permission, and customers, out of inertia, simply do not give it. Is this really how it works? And what are the most dangerous traps that those who collect, process and store data on customers and target audiences risk falling into?

The good old days of default consent are over. “Consent by default” meant that by visiting a website or downloading an app, the customer agrees to everything that is written in 200 pages of terms and conditions that nobody ever reads. And if they do read and disagree, then they can no longer visit the website or download the app (or get any other service). That’s why I call it “forced consent”. As a result, a large amount of data was collected, much of it never used, following the principle of “let it be, maybe it will be useful”. But several years ago, the General Data Protection Regulation (GDPR) came into our lives, and life for marketers and communicators became much more complicated under its terms.

Under the GDPR, the “here’s a 200-page text for you, agree to everything, but if you don’t want to, blame yourself” option is no longer acceptable. You now have to get unambiguous consent for all the things you want to do with a person’s personal data (i.e. a default tick until the person deletes it will not work either).

Nor can this consent be a broad legal document. It must be formulated in clear and intelligible language, and it must request and obtain an affirmative, explicit act of consent from the data subject. It needs to be obtained for every activity you want to carry out with their personal data, and again every time you want to do something new with it. In addition, it must be possible to withdraw consent at any time.

The first principle to remember is that you must not process more data than is necessary to carry out the activities for which the person gives you consent.

To understand the most common mistakes people make when following the GDPR requirements, let’s look at some key terms.

Personal data – any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This applies to virtually everything that experienced marketers collect about their customers in order to be successful. As we can see, the GDPR defines personal data much more broadly than we are used to. It can be an anonymous tracking identifier or cookie, which are used in virtually all digital advertising technologies. But it is more important to understand that factor X may not be a personal identifier on its own, but in combination with other factors it may become one. If you collect different types of behavioural data, for example if you know that someone lives in a certain city, is a man aged between 35 and 39, is interested in goods for pets and professional football, then all of this together can be considered as personal data, because this information can be sufficient to significantly narrow the pool of individuals and, by process of exclusion, to identify a very specific person.

Data controller – the organisation that determines the purposes and means of the processing of personal data. It is responsible for all data collected, whether it is first-, second- or third-party data.

  • First party data – this is data that you collect directly from the data subject. If you have a form on your website for registering for email, or if you collect information during e-commerce, if you run a loyalty programme or anything else that collects personal data, you are responsible for this first party data as a data controller.
  • Second party data – this is data that you receive from other organisations, often as part of a partnership or joint working. If you run a promotion or campaign, or even a webinar with a supplier or partner organisation and exchange lists or information containing personal data, you are responsible for protecting the rights of data subjects who are affected by what you give and what you receive.
  • Third party data – this is data that you purchase from another organisation that contains personal data: marketing lists, survey or segmentation data, behavioural data. All this and more is available on the open market to help marketers find the audiences they need. If you buy this data, you are also responsible for it.
  • The last important role is that of data processor. If you receive, collect, transfer or use personal data on behalf of a data controller, then you fall into this category. If you are the controller, then many of your technology or digital marketing platform partners will be your data processors. If your analytics service provider collects any personal data through their solution on your behalf, then they are your data processor. If you use an outsourced courier to deliver e-commerce purchases, then you have another data processor.

Many organisations find that they fulfil several roles at the same time. For example, a consultancy specialising in data analysis comes into contact with the personal data of its clients and uses it to carry out its analysis, which makes it a data processor. When that same company sells its services to individuals and other companies, it is also a data controller. The most important task of a communication professional is therefore to understand which roles the company occupies and to prepare on the basis of those findings.

Another important principle: in the GDPR world, the consumer controls who gets to use their data, and exactly which data. So the natural question for any marketer is how to obtain this data from people in a GDPR-compliant way. The answer is both simple and complex: informed consent.

Interestingly, any EU resident or any person located in the EU is considered a data subject (Article 3). In other words, the Regulation applies not only to EU residents, but also to workers and tourists who happen to be in the EU at a given moment (e.g. on holiday in Paris).

Unambiguous, informed consent is therefore the first mechanism that allows for lawful processing of personal data. In addition to this, there are a number of rules that allow the collection and processing of personal data for the performance of contracts or legal obligations, in medical emergencies or in the general public interest, etc. However, if you do not have explicit consent and none of the above applies, then your last remedy is the so-called “legitimate interest”. Basically, this means that you have a perfectly logical reason to collect and use personal data and that you will only use it for that logical reason.

For example, you have an online shop selling shoes and someone buys from you. In order to deliver that purchase, you have a legitimate interest in knowing the data subject’s home address. Although you need this data to complete the transaction, you must not sell that address to a website selling socks unless the data subject has consented to it; legitimate interest will not shield you from a penalty in that case.

It should be underlined that the GDPR provides for special categories of personal data, which are usually particularly sensitive. Data such as racial and ethnic origin, religious or philosophical beliefs, sexual orientation, genetic or biometric data, as well as health data fall into this category and can only be processed under the conditions for processing sensitive personal data. If you collect or process such data, you should consult Article 9 of the GDPR. The most important thing to remember is that the processing of sensitive information is categorically prohibited if these rather specific and strict conditions are not met.

We have understood the terms, so let’s continue with rights and obligations.

First, under Article 15, the data subject has the right of access to his or her data, i.e. any data subject may at any time request to see in an easily understandable format all personal data that you have stored about him or her. It is not enough to send a pile of logfiles. New tools and systems that can quickly aggregate and provide the requested information in a user-friendly format are therefore likely to be needed. This may even mean the development or purchase of online solutions for self-service purposes that consumers can use independently.

Further, under Article 16, the data subject has the right to rectification. This means that you must give people the opportunity to rectify any personal data you have stored that may be incorrect.

Article 17 of the GDPR gives data subjects the right to be forgotten, i.e. to have their data erased. If a person asks you to erase all the personal data you hold about them, you must be able to comply with this request, and quickly. The specific wording “without undue delay” determines how much time you have to erase all the data. The Regulation provides for a number of exceptions, and if any of these may apply to you, you should read the full text of Article 17. If, on one of those grounds, it is not possible to erase all the data about a person completely, then under Article 18 the data subject has the right to restriction of processing. In practice, this means that you may keep the data for as long as you have compelling reasons to, but it may only be stored and not used for any other purpose.

Article 19 provides the right to be informed. This means that if you yourself update, delete or stop processing a subject’s personal data, you must inform all the other persons to whom you may have provided the data so that they can do the same. If you cannot do this, you must be prepared to explain this to the data subject if he asks.

Next on the list is the right to data portability. This means that the data subject can ask you to provide their personal data to another organisation on their behalf. So, if someone used to be a loyal customer of Brand X, but something has changed and they now only shop with Brand Y, then if they ask Brand X to transfer all their personal data to Brand Y, Brand X must do so in a structured, commonly used and machine-readable format.

The GDPR also grants data subjects the right to object to any processing of their personal data at any time. This means that if you use personal data for targeting, which can include virtually any behaviour or attributes that are used for segmentation or targeting, the person has the right to refuse such usage and you can no longer use his personal data for those purposes.

Finally, the GDPR grants individuals the right to human intervention. Ultimately, this means that no decision that may have a significant impact on the data subject can be based solely on automated processing mechanisms.

To comply with the GDPR, under the new rules you must request, obtain and register unambiguous consent.

To comply with the GDPR, you must do at least the following:

First, you must use clear and understandable language to obtain consent, and you must display your notice in a prominent place where it cannot be confused with anything else. In particular, it must not be hidden in small print, or in pre-ticked boxes that the user may simply overlook even though their intention is different.

In principle, it must be fully clear that the user is providing you with precise, informed and unambiguous consent to the processing for which you are requesting consent.

Further, a record of any data subject’s consent must be requested, obtained and kept in a meaningful form. This means that you must obtain specific consent for everything you do:

  • Do you plan to use the subject’s email address to send them offers? Get consent.
  • Want to use cookies to track behaviour on the site? You need consent.
  • Want to track on online advertising platforms? Again, you need consent.
  • And if you want to start a new promotion two months later and track who downloads the new voucher, you will again need consent.

Further, children under the age of 16 cannot give consent. Such consent must be obtained from parents or guardians.

The principle behind consent is that you must ask for, obtain and record consent wherever it is needed, every time you start to do something new.

Different organisations do this in different ways. You will also have to make your own decisions. In the online space, many use modal windows or small pop-ups that appear on the website to explain to users what is being collected and why, and ultimately serve to obtain clear and unambiguous consent. This can either be done by the programmers themselves or outsourced to agencies and partners. Or you can use the services of technology suppliers who offer such features in their products.

Some organisations even have internal systems in place that allow users to review and change consent parameters at any time, as well as to review, change and even delete all personal data stored in the organisation in a self-service mode. Whatever you decide to do to request, receive and retain records of consent, it will take time, effort and possibly money to get the system up to scratch.
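The consent rules above (one specific consent per purpose, a new consent for every new purpose, guardian consent for under-16s, withdrawal at any time, and a record you can produce on request) boil down to a small append-only register. The following is an added illustration, not code from the original article or from any product it mentions; the purpose names, the customer ids and the `ConsentRegister` class are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# The specific purposes this hypothetical shop asks consent for. Each one is a
# separate question to the data subject; a new purpose (a new promotion, a new
# tracking platform) means a new entry here and a new consent request.
PURPOSES = {"email_offers", "behaviour_cookies", "ad_platform_tracking"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    notice_version: str    # the wording the person actually saw when deciding
    recorded_at: datetime  # when the decision was recorded (UTC)
    given_by: str          # "subject" or "guardian" (required for under-16s)


class ConsentRegister:
    """Append-only consent log: the latest event per (subject, purpose) decides."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               notice_version: str, age: int, guardian_id: Optional[str] = None,
               at: Optional[datetime] = None) -> ConsentEvent:
        # Consent is only meaningful for a purpose that was actually asked about.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; define it and ask for consent first")
        # Under-16s cannot consent themselves; a parent or guardian must.
        if granted and age < 16 and guardian_id is None:
            raise PermissionError("subject is under 16: consent must come from a parent or guardian")
        event = ConsentEvent(
            subject_id=subject_id,
            purpose=purpose,
            granted=granted,
            notice_version=notice_version,
            recorded_at=at or datetime.now(timezone.utc),
            given_by="guardian" if guardian_id is not None else "subject",
        )
        self._events.append(event)  # never overwrite: a withdrawal is a new event
        return event

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """No record at all, or a withdrawal as the latest record, means no processing."""
        event = self.latest(subject_id, purpose)
        return event is not None and event.granted

    def export(self, subject_id: str) -> List[dict]:
        """Every consent decision held about one person, in a readable form,
        as you would need it for an Article 15 access request."""
        return [dict(vars(e), recorded_at=e.recorded_at.isoformat())
                for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    reg = ConsentRegister()
    reg.record("cust-1", "email_offers", True, "notice-v2", age=34)
    print(reg.is_permitted("cust-1", "email_offers"))       # True
    print(reg.is_permitted("cust-1", "behaviour_cookies"))  # False: never asked
    reg.record("cust-1", "email_offers", False, "notice-v2", age=34)
    print(reg.is_permitted("cust-1", "email_offers"))       # False: withdrawn
```

The design choice worth noting is that the register is append-only: a withdrawal does not delete the earlier grant, so you can still show what the person agreed to, which wording they saw, and when they changed their mind. Every marketing action should call `is_permitted` for its own purpose rather than relying on a single global "accepted" flag.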

It is also important to have an action plan in case of a personal data breach.

There are a number of important considerations that should be taken into account:

  • First, this applies to both data controllers and data processors. If you are a data processor and you become aware of a personal data breach, under the GDPR you must inform the data controller without undue delay.

The GDPR uses this phrase several times, and it remains to be seen exactly what it means, but the point is clear – you need to do it as soon as possible. As soon as a data controller becomes aware of a breach, it must notify the breach to the supervisory authority as soon as possible, and within 72 hours at the latest. The controller must also inform the data subject of the breach where it is likely to affect his or her rights and freedoms, and must do so without undue delay.

In addition to the response measures following a breach, organisations must ensure the secure processing and storage of the personal data collected. In terms of access and management, this means implementing different roles with different levels of access to personal data. It also means encrypting any identifier associated with the different records and anonymising or pseudonymising any personal data.

At the same time, it is important to understand the difference between anonymisation and pseudonymisation.

Here’s a small example. Let’s say you sell several different products and you want to understand your customers’ behaviour. If you went through your entire list of products sold but anonymised each buyer, you would essentially have a long list of products sold, and you would not be able to do any extensive analysis on the buyers. But if we pseudonymise the data instead, then we can do the analysis without touching any personal attributes. Without using personal data, we can see that, for example, products C and D are usually bought together, so we can try to bundle these products or recommend one of them when the other is in the basket. Such analysis is very useful for a successful business and does not require us to collect or use personal data. Remember that a value only counts as a pseudonym if it cannot be linked to another dataset and thereby become identifiable, so make sure you are not using raw customer identifiers or anything similar.
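The distinction in the example above can be shown concretely: anonymisation drops the buyer entirely, pseudonymisation replaces the buyer with a stable token that supports analysis but cannot be traced back without a key held elsewhere. The block below is an added illustration, not code from the original article; the order lines, product names and e-mail addresses are constructed, and the functions (`pseudonymise`, `co_purchases`, `link_rate`) are this example's own. It also carries the closing caveat further than the text does: a plain, unkeyed hash of a customer identifier is not a pseudonym, because anyone holding a list of the same identifiers can recompute it and link the datasets, whereas a keyed hash (HMAC) with the key kept by the controller is not linkable that way.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from itertools import combinations
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed order lines: (customer_id, order_id, product). The customer id is
# personal data and must not reach the analytics environment as-is.
ORDERS = [
    ("alice@example.com", "o1", "C"), ("alice@example.com", "o1", "D"),
    ("bob@example.com",   "o2", "C"), ("bob@example.com",   "o2", "D"),
    ("carol@example.com", "o3", "A"), ("carol@example.com", "o3", "C"),
    ("carol@example.com", "o4", "C"), ("carol@example.com", "o4", "D"),
]

# Pseudonymisation key: generated and held by the controller, never shipped
# together with the pseudonymised dataset (constructed here for the example).
KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash: the same customer always maps to the same token, so repeat
    behaviour can be analysed, but the mapping cannot be regenerated without `key`."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(identifier: str) -> str:
    """What NOT to use as a pseudonym: anyone with the identifier can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def anonymise(orders: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Drop the buyer completely; only (order_id, product) survives."""
    return [(order, product) for _, order, product in orders]


def pseudonymise_orders(orders: Iterable[Tuple[str, str, str]], key: bytes) -> List[Tuple[str, str, str]]:
    """Replace the buyer with a keyed pseudonym; structure otherwise unchanged."""
    return [(pseudonymise(cust, key), order, product) for cust, order, product in orders]


def co_purchases(lines: Iterable[tuple]) -> Counter:
    """Count product pairs bought in the same order. Works on anonymised and on
    pseudonymised lines alike, because it never looks at the buyer column."""
    baskets: Dict[str, Set[str]] = {}
    for rec in lines:
        order, product = rec[-2], rec[-1]
        baskets.setdefault(order, set()).add(product)
    pairs: Counter = Counter()
    for items in baskets.values():
        for a, b in combinations(sorted(items), 2):
            pairs[(a, b)] += 1
    return pairs


def repeat_customers(pseudo_lines: Iterable[Tuple[str, str, str]]) -> int:
    """Number of buyers with more than one order: possible on pseudonymised data,
    impossible on anonymised data, and still without knowing who anyone is."""
    orders_per: Dict[str, Set[str]] = {}
    for token, order, _ in pseudo_lines:
        orders_per.setdefault(token, set()).add(order)
    return sum(1 for s in orders_per.values() if len(s) > 1)


def link_rate(pseudonyms: Set[str], candidate_ids: Iterable[str],
              guess: Callable[[str], str]) -> float:
    """Linkability check: fraction of tokens an outsider can tie back to an identity
    by recomputing `guess(candidate)` over identifiers they already hold."""
    table = {guess(c): c for c in candidate_ids}
    hits = sum(1 for p in pseudonyms if p in table)
    return hits / len(pseudonyms) if pseudonyms else 0.0


if __name__ == "__main__":
    print(co_purchases(anonymise(ORDERS)).most_common(1))           # [(('C', 'D'), 3)]
    pseudo = pseudonymise_orders(ORDERS, KEY)
    print(repeat_customers(pseudo))                                 # 1
    emails = sorted({c for c, _, _ in ORDERS})
    print(link_rate({unkeyed_hash(e) for e in emails}, emails, unkeyed_hash))      # 1.0
    print(link_rate({pseudonymise(e, KEY) for e in emails}, emails, unkeyed_hash))  # 0.0
```

The basket analysis gives the same answer on both variants, which is the point of the text: the business question does not need personal data. What pseudonymisation adds is the ability to count repeat buyers; what the key adds is that a pseudonymised extract handed to an agency cannot be joined back to a customer list the agency, or anyone else, already holds.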

As we can see, in order to comply with the GDPR, personal data must be handled in a whole series of ways. For many organisations, this means first finding out what data you have, where it is stored and where it is used. Depending on how large or complex your organisation is, this alone can be a complex task. From a marketer’s perspective, there are many places where personal data can be stored or processed. There are a number of steps to follow when conducting an information audit and creating a data map. First, the stakeholders need to be identified. Of course, these are the people in your organisation who plan, manage and execute the marketing functions, but your partners and suppliers should not be forgotten either. Your agency ecosystem, which includes media and advertising, digital marketing, CRM, analytics, etc. – all of these act as data processors. As the data controller, you need to ensure that they comply with all the requirements.

Once the stakeholders have been identified, the “digging” must begin. This means identifying all data sources that may contain anything that could qualify as personal data. Start by identifying every tool and system that handles data in your staff’s day-to-day work.

Once everything has been identified, the data should be classified. Is it personal data? Is it first, second or third party data? Where is it stored? On your systems, in the cloud? Is it controlled by a separate platform or partner that you work with? How is it generated? Is it through code that you own or through third party technologies and platforms? Who interacts with them? Who collects, manages or processes the data – you or the agency or the partner supplier?

There are at least four key considerations that need to be understood for each piece of data:

  • First, how was it obtained? Was the consent process followed? Can you specify where the record of consent is stored and how you can access, amend or delete it if asked?
  • Second, for what specific purposes is the data used?
  • Third, you need to know how data is exchanged. Does data move outside your organisation after collection? Do you pass it on to partners for any processing, from simple storage to extended analysis or anything else? Remember that you are also responsible for all your data processing partners.
  • Fourth, how long do you have to keep the data? Alongside compliance with the GDPR and the prohibition of indefinite data retention, it seems like a good time to understand how long it is worth keeping this data, given the specific apps where it is stored.

Of course, this is a huge effort, but it is absolutely necessary in order to continue to comply with the legislation. Initially, it seemed that it would be impossible to obtain users’ consent to processing, but it took a few years and users realised that targeted advertising and personalised offers are much more convenient than an incomprehensible stream of information, so more and more people are willing to share some of their personal information. It is an extremely important task for a communicator not to betray the customer’s trust, but for this it is important to go deep and understand the requirements of the Regulation.

The article was written in collaboration with MSL Baltics, the PR and communication agency of Publicis Groupe Latvia.