This week, we hosted a webinar about the General Data Protection Regulation – commonly referred to as GDPR – and, in particular, the impact we see this new set of consumer protections having for both marketers and customer data platforms.* These regulations, which go into effect May 25, 2018, will come with heavy fines and penalties for non-compliance, which is why most of the business world, but particularly companies in the EU or with a presence in the EU, are so concerned about what they need to do to ensure they comply. And it turns out that it’s not only lawyers and privacy officers getting work out of the GDPR; cartoonists are getting in on the fun!
Source: www.gdprtoons.com (and there’s a lot more where that came from)
Though tongue-in-cheek, this particular drawing really gets at the heart of the tension that exists in the debate today over what businesses do, ostensibly to better serve customers, but perhaps at greater expense to consumer privacy than the consumers themselves are comfortable with. Indeed, while GDPR brings the most stringent guidelines to date, this discussion isn’t new. In fact, it’s at least as old as the internet.
In the webinar, we go through the four primary topics marketers need to be focusing on today: consent management, data portability, right to erasure, and right to rectification, as well as how BlueConic is going to provide tools to comply with the rules. It includes some of our planned screens for the product to give you a clearer sense of what tools you’ll have at your disposal, too.
Here are some key terms to know:
“An identifiable, natural person.”
“Any information relating to a data subject.”
“The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing the personal data.”
“The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.”
“A natural or legal person, public authority, agency, or body other than the data subject, controller, and processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.”
The stated reason for the data collection.
Consent, per GDPR, must be:
- Freely given, by “clear affirmative act”
- Specific, such that any unique purpose for the data collection is asked about distinctly
- In clear language, “(As an) informed and unambiguous indication of the data subject’s agreement to the processing of personal data.”

Also, the burden of proof for consent lies with the controller (i.e., the brand/company).
There’s an incredible amount of commentary and input on GDPR from folks smarter than we are. Check out some of these resources that we’ve found quite useful:
- “Marketers Need to Know About GDPR: Frequently Asked Questions Answered” – Andrew Frank, Gartner (Gartner clients only)
- “Countdown to the GDPR” – Fatemeh Khatibloo, Forrester (podcast)
- European Data Protection Supervisor
- International Association of Privacy Professionals
There will be more to come on this in the coming 7 months leading up to 5/25/2017. Stay tuned and let us know if you have questions or feedback. We appreciate it all!
*Same disclaimer applies here as it did in the webinar: we’re not lawyers or privacy experts so please confirm any decisions you make with those kinds of people in your own organization.