You will no doubt be aware of the GDPR, or General Data Protection Regulation, which comes into force on 25 May 2018. This article briefly explains what your business and your marketing team need to do before and after that date to become compliant.

What you need to remember about the GDPR

The GDPR is an EU regulation but will continue to apply to UK-based businesses after Brexit because the UK’s incoming Data Protection Act 2018 carries it into domestic law. The GDPR restricts how businesses may handle personal data; that is, any data that can be used to identify a living individual. Data about a company as such (its registered address or accounts, for example) is not personal data, but the name and work email address of a named contact at another business still are, so business-to-business marketing is not automatically exempt.

The GDPR uses some specific terminology. Data processing refers to almost any handling of personal data, including collecting, storing, using, sharing and deleting it. A data processor carries out processing on behalf of a controller. A data controller determines why and how personal data will be processed. A data subject is an individual identifiable from personal data. Your business is likely to be both a data controller (for its own customers and staff) and, where it handles personal data on clients’ behalf, a data processor.

Personal data will be required to be processed in accordance with 6 principles. Summarising these principles, data must:

  • Be processed lawfully, fairly and transparently
  • Be collected for specified, explicit and legitimate purposes
  • Be adequate, relevant and limited to what is necessary
  • Be accurate and up to date
  • Permit the identification of data subjects for no longer than necessary
  • Be processed with appropriate security measures

Data subjects will also be given a number of rights. These include rights to information, access, rectification, erasure and portability.

What this all means in practice is discussed below. Failure to comply with the GDPR could result in your business being fined up to the greater of €20 million or 4% of its global annual turnover. Compliance with the GDPR is enforced by the Information Commissioner’s Office (ICO) in the UK.

What your business needs to do before 25 May 2018

There are 5 steps which your business must take prior to the GDPR coming into force.

1) Review your data

Compliance with the principles above must be documented, therefore the first step any business must take towards compliance is to identify all of the personal data it processes. This could range from the collection and storage of personal data in employee records to the use of customer email addresses to carry out marketing campaigns. This identification process should result in a map, which shows how data flows in to and out of your business. The map should detail what data is held, from where it was collected, with whom it is shared, and what is done with it.

2) Ensure that all processing is lawful

Having identified what processing activities your business undertakes, you must ensure that each activity has a lawful basis. For most businesses the basis will be one of three: the data subject has given consent, the processing is necessary for a contract with the data subject, or the processing is necessary for your business’ legitimate interests. (The GDPR also recognises legal obligation, vital interests and public task as bases, but these rarely apply to marketing.)

Consent

Most commonly, consent will be required before processing can take place. Consent must be actively given and cannot be assumed; pre-ticked boxes and silence do not count. Data subjects must know what they are consenting to in simple terms, and consent must be obtained separately from acceptance of other terms. Your business must record that consent, together with how and when it was obtained and what the data subject was told at the time. Consent may be withdrawn by a data subject at any time, and withdrawing must be as easy as giving it. Any existing consent that does not meet this standard should be refreshed before 25 May 2018 to ensure that the processing may continue beyond that date.

Contractual arrangements

An example of a contractual arrangement displacing the need for consent would be the use of a cookie to track products added to a shopping basket prior to purchase. As that processing is necessary for the ecommerce contract the visitor is about to enter into, consent is not required (and a cookie that is strictly necessary for a service the user has requested is also exempt from the ‘cookie consent’ rules discussed below).

Legitimate interests

A legitimate interest may be used as a lawful basis for processing where the processing is necessary to achieve that interest and the interest is not overridden by the individuals’ own interests, rights and freedoms. Processing justified on this basis should only take place if individuals would reasonably expect it and the impact on their privacy is minimal. The balancing exercise you carry out (your interest, the necessity of the processing, and the effect on individuals) should be written down so that it can be shown to the ICO if challenged.

Third party data processors

If your company outsources any data processing activities, you remain responsible for ensuring that the processor handles the data in a GDPR-compliant way. For example, Impression, as a data controller, outsources many of its HR functions to CharlieHR, an online platform acting as a data processor in relation to employees’ personal data. To help ensure that this outsourcing is GDPR compliant, Impression must have a written contract with CharlieHR covering the subject matter, duration, purpose and security of the processing, and CharlieHR must only process in accordance with Impression’s documented instructions. As the GDPR prohibits the transfer of personal data outside the EEA unless the destination country has been found to offer adequate protection or other approved safeguards are in place, Impression must also check where CharlieHR stores Impression’s personal data. As it is stored inside the EU, Impression need not find an alternative supplier.

3) Revise privacy notices

All privacy notices, including internal notices and public facing notices, such as website privacy policies, should be updated to ensure that the following information is present:

  • Your business’ identity and contact details (and those of your Data Protection Officer, if you have one)
  • How personal data will be used
  • The lawful basis for each processing activity (such as consent or a contractual arrangement), and the legitimate interest relied on where that is the basis
  • With whom the personal data will be shared, including any transfers outside the EEA
  • How long personal data will be retained
  • The data subject’s rights, including the right to withdraw consent at any time
  • That the data subject may complain to the ICO

Notices must be concise, transparent, intelligible, free and easy to access. Legal jargon should not be present.

4) Prepare for data subjects’ new rights

As previously suggested, data subjects are given a variety of new rights under the GDPR. Data subjects may request a copy of all information held about them, request that information is rectified, or request that information held on them is deleted. Subject access requests must normally be responded to within 1 month, free of charge; the deadline may be extended by a further two months for complex or numerous requests, and a request may be refused only where it is manifestly unfounded or excessive, in which case the data subject must be told the reasons and informed of their right to complain to the ICO. Template responses should be prepared to facilitate these requests. It should also be considered how data access and portability requests will be handled: portability requires the data to be supplied in a structured, commonly used, machine-readable format, so decide in advance what format (CSV or JSON, for example) customer data could be exported in.

If the lawfulness of any processing is dependent on consent, systems must be put in place to facilitate data subjects’ withdrawals of consent.

5) Update internal processes

The final step to be taken prior to 25 May 2018 is to prepare internally for the GDPR. The following documentation should be prepared:

  • A draft ICO data breach report
  • A draft data subject breach notification
  • A revised data protection policy, setting out your business’ approach to data protection
  • An information security policy
  • Data protection impact assessments for any processing activities which pose a high risk to the rights and freedoms of data subjects
  • Data protection training materials

Every business should nominate a person responsible for GDPR compliance. An official Data Protection Officer must be appointed if the business is a public authority, carries out “regular and systematic monitoring of individuals on a large scale,” or processes special categories of data (such as health data) on a large scale. Their responsibilities are discussed below.

What your business needs to do after 25 May 2018

Once the GDPR is in effect, businesses must ensure ongoing compliance. The regulation intends to inspire a culture of “data protection by design and default” throughout businesses. There is a general obligation on businesses (data controllers and processors) to be able to demonstrate that they are actively considering their data processing activities; this is the accountability principle, and it is why the documentation above matters. The designated responsible person or Data Protection Officer should be responsible for facilitating this culture and training staff in compliance. In addition to demonstrating this ongoing consideration by reference to the 6 processing principles, businesses are required to do the following.

1) Manage ongoing consent and data subjects’ requests

Businesses must respond to data subjects withdrawing their consent to processing activities or submitting the variety of request types within their new rights.

2) Report data breaches

Any personal data breach (a breach of security leading to the accidental or unlawful loss, alteration, disclosure of, or access to, personal data) must be reported to the ICO within 72 hours of your business becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If there is a high risk to data subjects, the breach must also be reported to those subjects without undue delay. Every breach, whether reported or not, must be recorded internally together with its effects and the remedial action taken, since the ICO may ask to see that record.

3) Carry out data protection impact assessments

If a proposed processing activity is likely to result in a high risk to the rights and freedoms of individuals, such as where a new technology is being used, or where the processing will be systematic and extensive, a data protection impact assessment must be carried out before the processing starts. This assessment must contain a description of the processing activity; an assessment of necessity and proportionality in relation to the purpose of the processing; an assessment of the risks to data subjects, and a description of the controls put in place to address the identified risks. If the assessment leaves a high risk that cannot be mitigated, the ICO must be consulted before proceeding.

What marketers need to do

A large proportion of the personal data held by your business will likely be personal data collected for marketing purposes. Marketers must ensure that data held from 25 May 2018 onwards was and is collected in a GDPR compliant manner. If consent is used as the lawful basis for a processing activity, consent must be obtained; data must be managed appropriately, and opt-out measures must be put in place. Alternatively, if other bases are used, individuals should be informed accordingly. Here are some examples of how marketers might justify their processing activities.

1) GDPR and email marketing

Most email marketing data relating to individuals is personal data. Marketers must ensure that names, email addresses and other personal data are collected, stored and used only after users have actively consented to everything that will be done with that personal data. Users can only consent after they have been told in simple terms how their personal data will be used. Consent must be recorded and opt-out options must always be available. Email marketing service providers should be checked to ensure that they are GDPR compliant data processors. Although it may be possible to rely on a legitimate interest basis to process data for the purpose of sending marketing emails, there is additional legislation in this area (the soon-to-be-reformed Privacy and Electronic Communications Regulations, or PECR) which usually requires consent for electronic marketing to individuals; the main exception is the PECR ‘soft opt-in’, which allows marketing of similar products to existing customers who were offered an opt-out when their details were collected and in every message since.

2) GDPR and Google Analytics

As Google Analytics collects personal data such as cookie identifiers, IP addresses and User IDs, it is likely that informed consent will be required before Google Analytics can be used on websites from 25 May 2018. Google have said their data storage methods are GDPR compliant and will offer a way for website owners to remove particular sets of data, facilitating compliance with users’ right of erasure; Google Analytics also offers an IP anonymisation setting which truncates visitors’ IP addresses before they are stored and which reduces (but does not remove) the personal data involved. If consent is used as the lawful basis for processing, the tracking code must not load until consent has been given, and users must also be offered a way to opt out of tracking at any time. If your business uses Google Analytics for a specific purpose such as to understand where website visitors come from and what they are looking for, it may be possible to justify this processing on the basis of a legitimate interest. It is expected that websites will track basic information about their users. Relying on a legitimate interest, as opposed to consent, to justify this processing does not displace the need to obtain ‘cookie consent’ under PECR, which applies to setting the analytics cookie regardless of the GDPR basis chosen.
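As an added illustration (example code, not from the original article and not Impression’s own site code) of what ‘consent must be recorded’, ‘opt-out options must always be available’ and consent-gated tracking look like in practice, the following JavaScript keeps an append-only consent record (what was agreed to, how, when and against which version of the privacy notice) and only loads the Google Analytics tag while analytics consent is current. The property ID, notice version, the `store` object and the injected `globalObj`/`loadScript` parameters are assumptions made so the logic runs outside a browser; the `ga-disable-<ID>` flag and the gtag.js script URL are Google’s documented ones.

```javascript
// Added example: consent record + consent-gated Google Analytics loading.
// Assumptions: GA_PROPERTY_ID and NOTICE_VERSION are placeholders for your own values;
// `store` stands in for wherever consent is persisted (cookie, localStorage or a
// server-side log); `globalObj` and `loadScript` are injected so this runs in Node
// (in a browser, pass `window` and a <script>-inserting function).

const GA_PROPERTY_ID = 'UA-XXXXXXX-Y';   // placeholder (hypothetical)
const NOTICE_VERSION = '2018-04-18';     // version of the privacy notice shown (assumption)

// Record a consent decision. The store is append-only so it shows *how* and *when*
// consent was given or withdrawn, and which notice the person saw at the time.
function recordConsent(store, purpose, granted, method, now) {
  const entry = {
    purpose,
    granted: Boolean(granted),
    method,                        // e.g. 'banner-accept', 'settings-page', 'withdrawal'
    noticeVersion: NOTICE_VERSION,
    at: now.toISOString(),
  };
  store.events.push(entry);
  return entry;
}

// The most recent decision for a purpose wins. No decision means no consent:
// consent cannot be assumed from silence or from a pre-ticked box.
function currentConsent(store, purpose) {
  for (let i = store.events.length - 1; i >= 0; i--) {
    if (store.events[i].purpose === purpose) return store.events[i].granted;
  }
  return false;
}

// Withdrawal is just another recorded decision; it must be as easy as giving consent.
function withdrawConsent(store, purpose, now) {
  return recordConsent(store, purpose, false, 'withdrawal', now);
}

// Full history for a purpose, e.g. to answer a subject access request or to show
// the person what was recorded about them and when.
function consentHistory(store, purpose) {
  return store.events.filter(e => e.purpose === purpose);
}

// Only load the tag once analytics consent exists. If consent is absent or has been
// withdrawn, set Google's documented opt-out flag (globalObj['ga-disable-<ID>'] = true),
// which also stops an already-loaded tracker from sending hits. Returns whether the
// tag was loaded on this call.
function applyAnalyticsConsent(store, globalObj, loadScript) {
  const disableFlag = 'ga-disable-' + GA_PROPERTY_ID;
  if (currentConsent(store, 'analytics')) {
    globalObj[disableFlag] = false;
    loadScript('https://www.googletagmanager.com/gtag/js?id=' + GA_PROPERTY_ID);
    return true;
  }
  globalObj[disableFlag] = true;
  return false;
}

// Browser wiring (not executed here):
//   const store = { events: JSON.parse(localStorage.getItem('consent') || '[]') };
//   applyAnalyticsConsent(store, window, src => {
//     const s = document.createElement('script'); s.async = true; s.src = src;
//     document.head.appendChild(s);
//   });
//   // on banner click: recordConsent(store, 'analytics', true, 'banner-accept', new Date());
//   //                  localStorage.setItem('consent', JSON.stringify(store.events));
//   //                  applyAnalyticsConsent(store, window, ...);
```

Two design points worth noting: the record is never overwritten, so a later withdrawal does not erase the evidence that consent was validly obtained earlier; and the default when nothing has been recorded is “no consent”, so the tag is never loaded before the visitor has acted.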

3) GDPR and social media advertising

Similarly to using Google Analytics, the use of social networks’ tools beyond their own websites may require you to have consent and opt-out measures in place. However, as companies have a legitimate interest in getting to know their visitors, provided that visitors are informed about how their data will be used and can control this use, targeted advertising on both websites and social media should be justifiable on the basis of a legitimate interest. Once again, consent to the use of cookies will still be required.

4) GDPR, remarketing and marketing personalisation

Using collected data to personalise online content and marketing materials should be justifiable on the basis of a legitimate interest, although this will depend on the processing activities taking place. If processing activities impact significantly on the rights of individuals or might not be reasonably expected to take place, consent may be the most appropriate lawful basis for the processing activities. Using visitors’ website analytics data to target Facebook ads may be justifiable on the basis of a legitimate interest; however, using email addresses collected from order data to target specific users will be harder to justify on the same basis and may require consent as the lawful basis.

Conclusion

By carrying out the steps outlined above, your business should be in a good place when 25 May 2018 arrives.

Disclaimer: This article represents the author’s interpretation of the GDPR and does not constitute legal advice. It is recommended that businesses seek professional advice to assist with GDPR preparations. This article was updated on 4 April 2018 and again on 18 April 2018.

Jamie

Web Developer

Web developer at Impression; fuelled by learning new things and helping clients succeed beyond their own expectations. I also jump out of planes for fun.

5 thoughts on “GDPR: an action plan for businesses and marketers”

  1. Veronika Jozifová says:

    Hello Jamie,
    thanks a lot for a great article, it’s definitely one of the gems of clarity among the other pieces I’ve read. Anyway, I still don’t get an answer to some crucial questions of mine.

    I’m working as a freelancer mainly with FB ads. So I’m still curious in which cases it is up to FB to set up all requirements concerning GDPR and when it is up to the web provider (FB page owner). I guess that everything using FB features is up to Facebook – for example retargeting based on FB page engagement or retargeting of video viewers.
    If I’m right, it means that my clients have to have on their website some opt-out pop-up (and link to wider info) dealing with Google Analytics usage, Google AdWords and FB retargeting, and disagreement will need some technical solution for how not to send data of those people to the retargeting list as well as GA tracking.

    Who is responsible then for such a solution – did you hear about some third-party solution which small eshops or services can implement?

    The other question concerns the data I’ve obtained before 25. 5. 2018. Does it mean that I have to write to all my email lists I got so far and ask for new permission to use them for specific marketing purposes? And those which don’t send agreement I cannot use anymore, even if I see that they don’t even open the email? Is there something like “silence is agreement”?

    What about long-term retargeting lists I created before 25. 5. but continuously use at the time when the new law becomes valid?

    Hopefully my questions are understandable and responsible.

    Thanks a lot again

    best regards

    Veronika

    1. Jamie Ball says:

      Hi Veronica,

      I’m glad that you found the article useful.

      It is my interpretation that your clients should be considered the ‘data controllers’ in your first question. They will be responsible for ensuring that all data processing is lawful. This may well mean creating an opt-in solution (such as a popup) to obtain consent. Facebook and Google will be considered data processors and your clients must ensure that they process data in a GDPR compliant manner, which we would expect of them by 25 May.

      To answer your second question; if the information in your lists is personal data (i.e. it could be used to identify individuals), it may only be used in a GDPR compliant manner from 25 May. If ‘old’ data was collected in a GDPR compliant manner, it may continue to be used.

      I hope this helps!

  2. Ben Ritchie says:

    Hi Jamie,

    Thanks for writing this up, I found it very interesting, but this is the first time that I’ve seen any articles that say we need explicit GDPR opt-in to use email address for targeting on Facebook

    Can you provide any more clarity on why you think that is the case? I would have thought that as long as a company has the ‘appropriate consent’ to store and manage the email address they wouldn’t need further explicit consent to use it as a targeting match-key on a social network.

    Would love to understand in more depth your thinking, as you imply it’s a natural follow-on consequence of the Google Analytics interpretation, but I don’t see the connection as being as strong as you imply

    Hoping we can continue the important debate.. 🙂

    1. Jamie Ball says:

      Hi Ben,

      I would argue that the use of consent when collecting email addresses for ad targeting is the safest way to ensure that processing of that data is lawful. I have not mentioned in this article the use of legitimate interests as an alternate method of justifying processing as lawful. This method would provide the alternative view to my suggestion of a consent requirement. I shall update this article in the near future to consider the use of legitimate interests.

      I’ll respond to this comment once the article is updated.

      1. Ben Ritchie says:

        Fantastic, I was going to ask about legitimate interest, I look forward to your update notification!
