GDPR: Few implications for marketing practitioners

Gautam Dutt | Date: May 17, 2018

Data is the new oil that powers and lubricates the digital economy. For some time, people have been aware of the economic value of personal data. Recent issues related to Facebook data harvesting have brought the data rights of individuals and the duties of organizations to the fore like never before. In this context, the GDPR (General Data Protection Regulation), enacted by the European Union and coming into effect in May 2018, is a significant step.

If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe. Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. This article will explore some of the key points and their implications for the marketing community.

The first important point is a broader definition of personal data. This now includes online identifiers such as IP addresses and cookie identifiers, which has immediate implications for marketers by bringing in data sets that were not previously deemed personal data. Privacy policies and terms of use on websites have to be updated with immediate effect.

The second important factor is the clear enumeration of the rights of the data subject. Some of the important ones are:

  • Right of access: confirmation on whether or not personal data is being processed, the purpose of processing, categories of personal data and the recipients of the data
  • Right to object: object to processing of personal data at any time if it was collected for the public interest or the legitimate interest of the data controller
  • Right to erasure: ability to ask for deletion of personal data without undue delay
  • Data portability: right to receive the personal data provided by the data subject in a usable format and the right to transmit it to another data controller
  • Automated individual decision making: not to be subject to a decision solely based on automated processing and ask for human intervention (unless explicit consent was given, or it is authorized by law or is necessary for entering into or performance of a contract)

As we can see, significant visibility and control are given to data subjects over their own data. Consent must be “freely given, specific, informed, and unambiguous” and made by a statement or by a clear affirmative action. So pre-ticked “I agree” boxes will no longer work. Consumers have the right to revoke access to their data, something that might have a huge impact on direct marketing companies. Asking for human intervention in algorithmic decision making is very forward looking and will have very interesting consequences vis-à-vis the application of AI in marketing.

The third key point is the identification of data controller and processor. ‘Controller’ means the natural or legal person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data. ‘Processor’ means a natural or legal person or organization which processes personal data on behalf of the controller. The separation of roles will help in assigning clear responsibility and liability to clients and their agencies.

The fourth important factor is an enhanced set of obligations for data controller/processor. Let us look at some of the key obligations in the regulation:

  • Data protection officer: where core activities require processing data regularly and on a large scale, a data protection officer needs to be appointed
  • Data protection by design and by default: implement appropriate technical and organizational measures to implement data protection principles and to ensure processing of only that personal data which is necessary for each specific purpose
  • Record of processing activities: each controller has to maintain a record of the processing activities under its responsibility, for example the purpose of processing, the categories of data subjects and personal data, time limits for use, etc.
  • Security: implement appropriate measures to ensure a level of security appropriate to the risk, such as pseudonymization, encryption, regular testing of technical measures, etc.
  • Data breach: obligation to inform supervisory authority of any data breach within 72 hours of becoming aware of it.

It is quite clear that accumulating more and more personal data is no longer just an asset but also a responsibility. Companies are responsible for demonstrating that consent was given. For any marketing activity, a system needs to be devised to record consent. Organisations can only collect data that is adequate, relevant and limited to the intended purpose of collection. Marketers now need to think of the minimum amount of data that can accomplish the task. Apps that ask for full Facebook profile data will face problems. Personal data may only be collected for a specific purpose and may not be used for any new, incompatible purposes. If a company thinks of a new way to use pre-existing data, it needs to obtain fresh consent from the data subject. There is now a limit on the time period for the use of data. So appropriate measures need to be devised to dispose of data after the use period or to get fresh consent.
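As an added illustration (not part of the original article and not any real product's code), a hypothetical consent ledger that stores the affirmative action as evidence, refuses pre-ticked boxes, binds each consent to one purpose and one use period, honours withdrawal, and lists subjects whose data is due for disposal. The subject names, purposes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # the specific purpose this consent covers
    given_at: datetime
    expires_at: datetime         # end of the agreed use period
    evidence: str                # the affirmative action captured, kept as proof
    withdrawn_at: "datetime | None" = None

class ConsentLedger:  # hypothetical ledger, not from the article
    def __init__(self):
        self._records = {}       # subject_id -> list of ConsentRecord

    def record(self, subject_id, purpose, evidence, affirmative, retention_days, now):
        # A pre-ticked box is not a clear affirmative action, so it is never stored as consent.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(subject_id, purpose, now, now + timedelta(days=retention_days), evidence)
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now):
        # Revocation: every live record for this purpose is marked withdrawn.
        for r in self._records.get(subject_id, []):
            if r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = now

    def may_process(self, subject_id, purpose, now):
        # Purpose limitation and time limit: only a live, unexpired record for this exact purpose counts.
        return any(r.purpose == purpose and r.withdrawn_at is None and now < r.expires_at
                   for r in self._records.get(subject_id, []))

    def due_for_disposal(self, now):
        # Subjects with no live consent left: delete their data or seek fresh consent.
        return sorted(s for s, recs in self._records.items()
                      if not any(r.withdrawn_at is None and now < r.expires_at for r in recs))

T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time
def day(n):
    return T0 + timedelta(days=n)

def build_scenario():
    ledger = ConsentLedger()  # constructed data: two newsletter opt-ins, bob withdraws on day 5
    ledger.record("alice", "newsletter", "checkbox:newsletter_optin", True, 365, T0)
    ledger.record("bob", "newsletter", "checkbox:newsletter_optin", True, 30, T0)
    ledger.withdraw("bob", "newsletter", day(5))
    return ledger
```

Using the same ledger for a new purpose such as profiling fails until a fresh consent record for that purpose exists, which is the "fresh approval" the paragraph describes.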

The first step for any organization is to understand the various kinds of data it is accumulating, how and where that data is stored in the company, how it is processed and how it flows within and out of the organization. This will be a lot of work for some companies in the short term, but it is a necessary exercise that might have unintended benefits, such as improving the value that a company and its consumers get from data. It is important to make somebody responsible for driving it internally and for ensuring that this new thinking is embedded into every aspect of the business, in the form of changes to systems, processes and the resources required.