24 May 2018
Why? Because from May 25th onwards, the way companies and consumers interact with one another will never be the same, that’s why. The New General Data Protection Regulation is here to stay and the most important question you should be asking yourself is, what are the direct implications for your business and if you’re actually ready for it.
Although much of its basic principles are already legally framed within the European Union, the New RGDP will radically change the way data is collected and processed, while broadening the scope of consumer rights in what pertains to data access, as well as data transference to third parties.
With fines that can go up to 20 Million Euros or 4% of you Overall Turnover in case of non-compliance, nothing like making sure you cover your tracks, and probably the first aspect that should be addressed is exactly what’s the definition of “Personal Data” under the New General Data Protection Regulation.
According to Article Four of the New Normative, “Personal Data” refers to any information relating to an identified or identifiable natural person, aka, the data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Although at first glance it may seem that the only thing arising from the New GDPR will be a ton of headaches and sleepless nights, there are plenty of positives as well; we highlight the increased trust between companies and consumers, since from now onwards there will be a clear understanding of what data is being collected and processed, as well as to serve which purpose.
In essence, the Data Controller “figure” refers to the individual or legal entity, public authority, agency or body which, individually or collectively, determines the guidelines and means in what pertains personal data processing within an organization; while the Data Processor represents the individual or legal entity, public authority, agency, or any other organism contracted to undertake the personal data processing on behalf of the Data Controller.
The Data Controller will be responsible for “making proof” of GDPR compliance regarding personal data processing, guaranteeing its legality, equity, transparency, precision, storage limitation, integrity and confidentiality.
As per the Data Processor, the data treatment may be undertaken on behalf of a controller, responsible for securing the subcontracting of service providers that will guarantee the GDPR compliance, meaning, third parties that reveal evidence of technical and organizational know-how from an implementation standpoint in accordance with the new Regulation.
With that in mind, any company regardless of it being headquartered in the EU or not, acting as a Data Controller or Data Processor, will have to implement the necessary control measures to guarantee that everything is in accordance with the New GDPR, since both parties are responsible and accountable in the eyes of the law.
Implications and applications from a Digital Marketing perspective? Many, as it was to be expected, but at this stage we’re going to shift our attention to Email Marketing, since its probably the area where there will be more significant changes.
1. How to Promote an Email MKT Campaign for Subscriptions Reconfirmation?
1.1. Make sure you clean and sanitize previous listings in specific platforms (in case of need naturally);
1.2. Email send out to all contacts from a particular list, with a link that will allow profile updating as well as obtaining explicit consent;
1.3. Resend to all subscribers who have not opened or clicked on the email;
1.4. Management and elimination of contacts that will not provide the necessary consent.
Feel Free to Check Out a Reconfirmation Campaign Example Here
2.1. Make sure you use the GDPR fields available within Email Marketing platforms;
2.2. Clean and sanitize previous listings in specific platforms (in case of need naturally);
2.3. Include the Legal & Permission Marketing jargon in accordance with the new regulation.
You Can Access a Form Example Here
From May 25th onwards, all data collection of personal information via form submission will need to include a clear explanation on how that data is being processed, as well as to serving what purposes.
And the above mentioned is not exclusive to forms for collecting personal data for marketing purposes, but yet, applicable to any form currently available in one website or mobile application. An example could be forms for course enrollment and/or job application, which will always have the ultimate purpose of creating an individual profile that will allow future contact between the company and the user, as such, the purpose of use of that said data will need to be 100% clear and transparent from the get go.
There is currently not a single major player in the digital Landscape that is not enforcing RGPD implementation and compliance to the letter, and as you might expect, Google, Facebook, MailChimp and/or HotJar are no exception; regardless, the same is not synonymous of you being under no obligation to communicate it clearly to your users.
It is adamant that your Terms of Service and/or Privacy Policies include and communicate in a clear and transparent way which data analysis and/or advertising tools are being used (or any type of similar service) on your website and/or mobile application, as well, as to serving what purposes.
You Can Check a Solid Cookies Policy Here
Google’s GDPR Compliance is absolute, and it extends to all its services and tools, such as the Search Engine and GMail, Advertising and Analytics Services such as Google AdWords, AdSense, DoubleClick, Google Analytics, Search Console and Tag Manager, as well as to Cloud based services and/or future services that may be released and implemented in the future.
Facebook is responsible for complying with the GDPR to the letter, as such, all business advertising with Facebook owned companies, may continue to use those said platforms and solutions in the exact same manner, with each company being responsible for guaranteeing the respective compliance.
For more informations feel free to check the link below:
MailChimp is currently in the process of ultimating and updating all of its internal processes and data systems to guarantee full compliance with the GDPR from May 25th onwards, addressing any request promoted by customers related to their individual rights under the new legislation.
For more informations about MailChimp Policies do check the link below:
MailChimp's Legal Policies
If you are a HotJar customer our recommendation is simple. Make sure your Terms of Service or Privacy Policies clearly communicate to your users that HotJar is used as a tool on your website and/or mobile application, as well as to serving what purposes.
We also recommend that Website and Application Usage Policies are updated and crystal clear.
For more information regarding the Terms of Service you can check out the link below:
Hotjar Terms of Service
Questions, questions and more questions? That’s exactly what we´re here for. To help.
GDPR stands for General Data Protection Regulation and is the New EU Regulation that will replace the former Data Protection Directive (DPD). Approved by the European Union Parliament on April 14th, 2016, it aims at simplifying the flow of personal data across all 28 Member States.
The New General Data Protection Regulation will come into full-effect on the 25th of May, 2018.
Any organization that processes and holds “Personal Data” from citizens residing in the EU, is obliged to comply with the new legislation, regardless of being headquartered in any of the 28 Member States.
The rules for obtaining valid consent to use “Personal Data” will become much tighter from here on out. Therefore, it is up to you to guarantee that the previously mentioned consentment is obtained in a clear, affirmative and plain language, as well as the withdraw consent process, in case of user that wish to do so.
Much alike what already happens with the Data Protection Act from 1998, the GDPR applies to personal data. The Current Directive defines “Personal Data” as: “any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
However, and despite at heart, the definition in its genesis remains practically unaltered, its enforcing will be vastly expanded, since online identifiers, such as IP addresses, will also start to be classified as Personal Data.
Sensitive Personal Data: GDPR refers to such as “special categories of personal data which uniquely identify a person, such as genetic data and biometric data."
According to Article 5 of the EU’s GDPR, personal data must be:
If you have the formal and explicit consent of all the subscribers from your lists in accordance with the act of receiving Newsletters or other materials about your company (double opt-in), it will not be necessary. However, one should keep in mind that there are exceptions to the law, so, the mere fact of not having the consent from one of the contacts will necessarily translate in the need of promoting a reconfirmation campaign.
If the manually collected elements are intended to create a database, yes, the GDPR applies. In case of isolated initiatives that do not involve the collection and inclusion of personal data in a structured database, then the GDPR may not be applicable.
The GDPR includes a tiered approach, meaning that the severity of the violation will determine the penalty imposed. Fines for noncompliance may amount up to as much as 20 Million Euros or 4% of your Overall Turnover, always prevailing the highest fine.
Less serious violations, such as keeping improper records or omitting security breaches, may result in fines up to 10 Million Euros or 2% of your Overall Turnover.
The appointment of a DPO is not mandatory for all Organizations, since it will depend on a number of factors. According to the OIC, a company should name a DPO if she is:
Any organization can appoint a DPO if they wish to do so. However, even if you choose not to move forward with the appointment because the above mentioned criteria does not necessarily applies, you will still need to guarantee that there are knowledgeable resources staff in-house, able to carry out all obligations under the New GDPR.
There are 8 fundamental rights under the New General Data Protection Regulation:
If you have any questions regarding the General Data Protection Regulation, please contact us using the form below.