GDPR stands for General Data Protection Regulation. It is an EU law, enforceable from 25 May 2018, which aims to protect the privacy and personal data of EU residents. If you collect, process or use customers' personal data (and the definition of personal data is quite broad, see below), then GDPR is likely to be relevant for you. This blog post provides a brief overview of what GDPR is and what it means for marketers. However, please note that I am neither a lawyer nor an expert in GDPR. So do check official sources, like this one prepared by the European Commission, or this one prepared by the UK's Information Commissioner's Office. I also found this resource useful, for an overview of this complex piece of regulation.
This blog post is intended only as a primer on this topic and, frankly, an eye opener for any marketer that still thinks that GDPR does not matter for them. Before we dive into the details of GDPR and the implications for marketers, it is useful to consider the rationale guiding the development of this piece of regulation. The guiding principle behind privacy and data protection initiatives in the EU in general, and this regulation in particular, is that data about a person belong to that person, just like their internal organs or their intellectual property. This is called the principle of 'informational self-determination', and it means that the person has the right to control who has access to their data and who can use them. Moreover, the personal rights and freedoms of the person to whom the data refer override the rights of any company that collected and/or processed the data (with some exceptions, such as in the case of national security). This approach is in stark contrast with that followed in other jurisdictions, such as the US, where personal data are seen primarily as an economic asset, which can be traded.
This short video explains the rationale for GDPR:
But what is GDPR, then?
It is a regulation that replaces the previous Data Protection Directive (95/46/EC) and the patchwork of national laws that implemented it, and which aims to harmonise privacy and data protection requirements across the EU. Because it is a regulation rather than a directive, it applies directly in every member state, without needing to be transposed into national law.
GDPR is enforceable from 25 May 2018, and it applies to any company processing the personal data of EU residents, even if the company itself is not based in the EU. So, if you are a small trader based in Norway, a social media company based in the US, or a charity based in Iceland, this regulation will still apply to you if you handle data from EU residents. It also applies to anyone processing data on behalf of those companies (the 'processors', in GDPR terms), such as cloud-based services. (If you are unsure which countries are part of the EU, here is the list.)
What is defined as “personal data”?
In the context of GDPR, personal data is any information relating to an identified or identifiable person, i.e. any data point that can be linked to a specific individual, directly or in combination with other data. This includes public information, such as professional roles listed on an employer's website or social media postings. It also includes information about online behaviour, such as IP addresses and cookie identifiers, which can single a person out even when their name is not known.
Specifically, the European Commission defines personal data as
“any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Key features of this regulation
GDPR is a long and complex piece of regulation. However, from a marketer's perspective, these are the key features:
- Privacy by design – Products, services, customer interfaces and other points of data collection need to be designed so that they protect the user's privacy by default. For instance, where you rely on consent as the legal basis for processing, users need to actively opt in (pre-ticked boxes and silence do not count), and the consent must be specific to the purposes for which the data will be used. Consent is, however, only one of several lawful bases for processing; others include performance of a contract and the company's legitimate interests, and each has its own conditions. Companies also need to keep records of their processing activities, and these records can be inspected by the supervisory authority in each country.
- Data protection by default – Data need to be handled in a way that considers and minimises the risks to the persons to whom the data belong. For instance, only the data needed for a stated purpose should be collected and retained, and data should be pseudonymised or anonymised as early as possible after collection. Note that pseudonymised data (e.g., records keyed by a random identifier, with the mapping to real identities held separately) are still personal data under GDPR; only genuinely anonymised data fall outside its scope. Moreover, companies need to ensure that personal data are protected throughout their processing life cycle, even if the processing is outsourced or the databases are passed on to others (for instance, when drivers' addresses are passed on to private firms for the collection of parking fines).
- Control of personal data – Because personal data belong to the individuals about whom the data were collected, those individuals have the right to access, move and erase the data. Specifically, EU residents can access the personal data that companies hold about them, and they can obtain information about how their data are being processed. The regulation also gives individuals the right not to be subject to decisions based solely on automated processing where those decisions have legal or similarly significant effects on them, and to obtain human intervention in such cases; how far this amounts to a right to challenge or have explained the algorithms themselves is still debated. Moreover, EU residents can ask for their personal data to be transferred from one system to another, and this must be done in a structured, commonly used and machine-readable format. Also, EU residents can withdraw consent for the collection or use of their personal data, and they can demand that their personal data be erased (this is a more limited version of the 'right to be forgotten' established earlier in case law, and it is subject to a number of exceptions).
- Legal obligation to report data breaches – The organisation that decides why and how personal data are processed (the 'data controller', in GDPR terms) must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must be informed as well, without undue delay. Processors, such as cloud providers, must report breaches to the controller they work for. In addition, public authorities and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data must appoint a Data Protection Officer, who oversees compliance with GDPR and acts as the contact point for the supervisory authority.
Some implications for marketers
The main objective of GDPR is to harmonise privacy and data protection rules across the EU. So, on the one hand, this regulation should make life easier for marketers with customers in more than one EU country, since one set of rules replaces the differing national implementations of the old directive.
On the other hand, there is no denying that this regulation is quite extensive, so companies really need to get their act together, which will not be cheap. Moreover, failure to comply with this regulation can result in severe penalties: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Yes, that's right: worldwide, not national; and turnover, not profit. So the tricks that some companies use to reduce tax bills will not work here.
There is also the reputational risk associated with being fined; and, of course, the reputational risk of having to disclose data breaches very soon after they are discovered, rather than years later, as happened with Uber and others. Late disclosure may lull customers into a false sense of security: if nothing has happened to them in the meantime as a result of the leak, they assume they are fine.
The fact that data will be portable should reduce the competitive (monopolistic?) advantage of big data aggregators. It should also reduce switching costs for customers, much like the portability of mobile phone numbers made it much easier for consumers to change mobile phone providers. It has also been argued that data portability will make the value of personal data more visible, possibly leading to customers demanding something in return (e.g., a discount) for allowing companies to collect or use their data.
An interesting question is how companies will handle the rights of EU residents vs. those of other customers. On the one hand, it may be operationally simpler, and perhaps more cost effective, to apply the enhanced data protection features to all customers, even in jurisdictions where this is not required. A case of the tide rising and lifting all the boats. On the other hand, personal data are a major source of competitive advantage for companies that have access to them, as the Cambridge Analytica case showed. So, it is likely that most companies will resist applying the GDPR principles more widely than they must; that is certainly the case with Facebook, which is resisting extending to its US customers the protections granted to EU residents. Such a differentiated approach may be viable for companies with limited international visibility, at least in the short term; but less so for large companies like Facebook.
What else should marketers keep in mind, in relation to GDPR?