Answer
Feb 23, 2018 - 05:58 PM
What is GDPR and what are the implications for marketing?
GDPR is a legally binding framework that governs EU customers’ data and privacy management. It is scheduled to go into effect on May 25th, 2018.
The framework is extensive and outlines the privacy rights of EU citizens and residents with regard to their Personal Identifiable Information (or PII) data, how that data may be generated, handled, stored, processed and transferred between 3rd party businesses and entities. It ultimately boils down to PII. You can think of this framework in the following terms –
Individual: Who is the individual whose data is being generated and collected? What rights do individuals have?
Organization: Who is the business or entity that is generating the data about the individual?
Controls: What rules govern how that data is generated, collated, stored, transferred and removed?
Auditing: How are organizations and entities maintaining accountability for the data collected?
Enforcement: How will the EU enforce the GDPR? What penalties are imposed in cases of violations?
Geography: GDPR extends privacy obligations to include companies outside the EU as long as the company is serving a customer within the EU
The Four Cornerstones of the GDPR
Microsoft has been working on building a compliance solution for GDPR and has a chart that summarizes the GDPR into an easily understandable chart below
Microsoft/GDPR
GDPR Document
The full GDPR document is divided into “11 Chapters”, which are further divided into “99 Articles” as listed below.
Chapter 1 (Art. 1 – 4) - General provisions
Chapter 2 (Art. 5 – 11) - Principles
Chapter 3 (Art. 12 – 23) - Rights of the data subject
Chapter 4 (Art. 24 – 43) - Controller and processor
Chapter 6 (Art. 51 – 59) - Independent supervisory authorities
Chapter 7 (Art. 60 – 76) - Cooperation and consistency
Chapter 8 (Art. 77 – 84) - Remedies, liability and penalties
Chapter 9 (Art. 85 – 91) - Provisions relating to specific processing situations
Chapter 10 (Art. 92 – 93) - Delegated acts and implementing acts
Chapter 11 (Art. 94 – 99) - Final provisions
For example, let’s take a closer look at Chapter 1 – Article 4: Definitions
This section provides definitions and clarity on the people, processes, products and expertise that are required to implement GDPR. The definitions can be found in article 4 –
- Personal data
Note that the “Personal data” definition as stated above covers PII data.
To read all the definitions, please see Article 4 GDPR - Definitions
Snapshot of the GDPR Definitions
Marketing in the Age of GDPR
Now that we have covered what GDPR is, the follow-up question was the implication of GDPR on marketing.
(Digital) Marketing functions include –
- Search Engine Optimization (SEO)
- Content Marketing
- Inbound Marketing
- Social Media Marketing
- Pay-Per-Click (PPC)
- Email Marketing
- Marketing Automation
This means that marketers are ultimately interacting with current or potential customers. Every contact with the customer, whether manual or automated, in the form of email communication, social media engagement, newsletter subscription, etc., generates potential PII data about the customer.
If the customer is an EU citizen or resident, then starting on May 25th, 2018, the marketer or company must take steps to implement GDPR compliance. See GDPR Article 15.
The definition of Personal Data above extends to cover PII data including –
- Computer IP Address
- Cookies (including browser, computer, website and other applications)
- User ID
- Session ID
- Name
- Email Address
- Social Media Posts
- Location Information
What Does This Mean for My Business?
How to Get Started With GDPR
- Identify all customer data
- Build an inventory of instances where personal data are collected and when
- Develop policies to govern how customer data are collected, stored, shared, transferred and disposed of
- Catalog where that data is stored
- Develop protocols and processes to secure data including detecting and responding to vulnerabilities and data breaches
- Implement technologies to monitor and detect intrusions and hacking attempts
- Test and verify that technologies, processes and governance are able to prevent intrusions
- Maintain documentation of technologies, processes and policies and updates to them as well
- Implement reporting capabilities for intrusions, hacking attempts and compromised systems
- Finally, report all intrusions, hacking attempts and compromised systems
Implications for the Marketing Industry
Yes, GDPR will force a significant change in how the marketing industry does business in terms of –
- Old processes will need to be reviewed
- New technologies will need to be implemented
- New expertise will need to be acquired
- Geographical scope may have to be reduced or extended
- Business objectives will need to be revisited for compliance
All of these will come at a cost to the business.
Additional Reading
Here’s an excerpt of a very insightful Q&A article by eMarketer - What Marketers Need to Know About the EU's New Data Protection Rules