What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European Union (EU) law commencing May 25, 2018.

It imposes stricter rules in regards to the use of personal data of EU citizens by organisations with the intent to harmonise privacy regulation across the EU.

Increased Scope

GDPR covers any company that sells goods and markets products and services to data subjects in the EU, even when that company is not located in the EU.

Do non-EU based companies need to comply with GDPR?

If a company/entity or person processes data or sells goods to EU citizens, or it employs EU citizens, then yes. In short, GDPR will have an impact in how companies treat personal data where it has:

  • Direct operations within the EU; and/or
  • Third parties operating in the EU; and/or
  • EU citizens as clients.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

How about sensitive personal data?

Also referred to as “special categories of personal data” (see Article 9), this usually includes

  1. genetic data;
  2. biometric data;
  3. data concerning health; or
  4. data concerning a natural person’s sex life or sexual orientation.

What is a Data Subject?

A Data Subject is an identifiable natural person to whom the personal data relates.

What are the Lawful Bases for Processing Personal Data?

All companies must have a valid lawful basis in order to process personal data, and it must determine and document its lawful basis before processing. It simply cannot swap to a different lawful basis at a later date without good reason.

Article 6 of the GDPR sets out 6 lawful bases;

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interest
  5. Public Task
  6. Legitimate Interest

What is the Legitimate Interest basis?

Consent that meets GDPR standards is quite hard to obtain – even the ICO admits this. The concept of LI in GDPR refers to the stake that a company processing the personal data may have in that processing. But remember the six bases for processing data and, for marketers, the most appropriate is legitimate interest (LI), with the Direct Marketing Association (DMA) and its partners lobbying for the continued use of legitimate interest.

As marketers, establishing LI can be quite tricky, but performing an LIA (Legitimate Interest Assessment) is a good way of establishing whether there is a valid basis on reliance to establish;

  1. the legitimate interest; and
  2. show that the processing is necessary to achieve it; and finally,
  3. balance it against the data subject’s interests, rights and freedoms.

OK, so what “Legitimate Interest” do Marketers rely on?

  1. Direct Marketing – This is the most obvious. Article 47 of the GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest’.  However, marketers need to weigh out other relevant laws, especially around marketing via electronic means (in UK, such as PECR), where consent is still required. Marketers should always be able to demonstrate that it has balanced its reliance with the individual’s interest(s), which leads us to …
  2. Relevant and Appropriate Relationship – is where there is a relationship established between the data subject and the controller (i.e. the marketer) whereby it would be reasonable to assume that the data subjects you’re marketing to would expect to hear from you and not object. It is sometimes suggested that marketing is in the interests of individuals, i.e. offers that are directly relevant to their needs (relevant or “like” offers); and
  3. Reasonable Expectation – This is where the controller understands that a reasonable expectation that doesn’t necessarily require to be explicit exists, such as ‘suppression’, where a marketer needs to keep certain data in order to block/suppress an individual that has requested it. Other examples are where data is kept to personalise the user experience or to improve the site such as the placement of cookies, or web analytics (i.e. assessing the number of page views to optimise future marketing to consumers).

A privacy notice should include both its lawful basis and purpose for processing, especially where it has chosen to rely on legitimate interest.

Why is consent more important under GDPR?

Consent is one lawful basis for processing. The concept of genuine consent is so that individuals are in control, build trust and engagement is built with the company collecting the data, thus enhancing its reputation. Relying on inappropriate or invalid consent could destroy trust and harm a marketer’s reputation – as well as risk to large fines.

The ICO’s insists companies setting out consent requests in a prominent, concise, easy to understand and separate from other terms and conditions. Include:

  1. the name of your organisation;
  2. the name of any third party controllers who will rely on the consent;
  3. why you want the data;
  4. what you will do with it; and
  5. individuals can withdraw consent at any time.

Consent under GDPR – how has this changed for Marketers?

It is no secret that the biggest challenges facing marketers is consent. How does this look under GDPR?

Consent must be ‘unambiguous’ and collected by a ‘clear and affirmative action’. In view of this, companies can no longer rely on an data subject ‘consenting’ to terms and the privacy policy by default simply by ‘ignoring’ or the act of doing nothing.

The bolstered definition of consent and transparency requirements mean Marketing Punch has taken great care reviewing its privacy notices, permission statements and it’s opt-in processes. Consent must be obtained by a positive opt-in (the most common method is via a tick a box), before obtaining and processing their data.

Granular consent (which is getting separate consent for contact methods, profiling, or where data is intended to be passed to a third-party company) is also encouraged for to reinforce transparency, although it may not always be necessary if there is a legitimate interest to do so (see above).

What does ‘explicit’ or ‘unambiguous’ consent mean?

  1. no more long illegible T&C’s full of legalese;
  2. consent must be freely given;
  3. along with consent, the purpose for data processing is explained; and
  4. it must be as easy to withdraw consent as it is to give it.​

Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. 

What is a Data Controller and a Data Processor?

GDPR applies to both data controllers and processors. The Controller is the entity/person/organisation that determines the purposes and means of processing the personal data while the Processor processes that data at the direction of the Controller.

What is the Difference?

Controller

Processor

Both

The brand decides what personal data will be collected and how it will be used The brand interacts with personal data to process under the instruction of the controller Depending on the company’s role, the brand can be a controller for some personal data, and a data processor for other personal data.

 

What are Data Subject Rights under GDPR

GDPR is all about empowering the individual!  Companies must ensure they;

How does the GDPR affect policy surrounding data breaches?

Data breaches which may pose a risk to individuals must be notified to a Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay.

If an EU citizen is located outside of the EU, does GDPR still apply?

This subject is still up for debate. A great article is available here where the author emphasises that some of the most controversial questions surrounding GDPR interpretation is what it protects – citizens, residents or mere visitors of the EU?

Article 3, Section 2 of the GDPR states that it reaches companies not established in the EU if they process “personal data of data subjects who are in the Union” (note the key phrase ‘in the Union’). A research fellow at the Max Planck Institute is quoted as stating that “people seem to agree that the relevant criterion is whether you’re based in the EU at the moment data is collected – citizen or not”. However, many data practitioners feel that non-EU citizens, regardless of where they were when data was collected, is not under the jurisdiction of the DPAs (ex-pats or those with dual citizenship in EU that live there on a permanent basis being exceptions). Article 3, section 2, arguably remains ambiguous. So what does this mean for EU citizens that are outside the Union at the time their data is collected? (for example, a UK citizen signs up to a NZ website whilst holidaying in New Zealand – are they covered by GDPR or under NZ data and privacy laws?).

Unfortunately, there is still no clear interpretations. In the same article, a US based attorney was quoted as saying, “There are a few perfectly valid interpretations out there. [GDPR] is so massive, and… so broadly-worded, that no one can be really sure how the DPAs will interpret the minutiae of it until they start applying it in May.”

Marketing Punch will publish more blogs on this, as information becomes available.

How does GDPR consider Cookies and Online Identifiers?

Cookies are mentioned once in the GDPR (Recital 30). What this tells us it that cookies, where they are used to uniquely identify the device, or in combination with other data, the individual associated with or using the device, should be treated as personal data. There is still debate on whether positive opt-in is required from the data subject before placing a cookie (see the reliance on legitimate interest such as Reasonable Expectation). At minimum, a data subject should be informed when visiting a website that cookies may be placed on their computer.

Other online identifiers however, is not as clear cut. When assessing whether this data collected is personal data, companies must assess it against the objective factors such as how long and how much would it cost to identify a person from that string of raw data (as set out in Recital 26).

What is a DPO?

The DPO is a Data Protection Officer, who is responsible for informing employees of their compliance obligations as well as conducting monitoring, training, and audits required by the GDPR.

Does my business need a DPO?

A DPO needs to be appointed if you:

  1. Process large amounts of personal data
  2. Carry out large scale systematic monitoring of individuals or,
  3. Are a public sector authority

Does Marketing Punch have a DPO?

Yes, you can email our DPO here.


Content disclaimer

The content – including publications – on this website is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive nor does it constitute legal advice. We attempt to ensure that the Content is current but we do not guarantee its currency. You should seek legal or other professional advice before acting or relying on any of the Content.