What You Need To Know
GDPR, which stands for General Data Protection Regulation, will affect anyone who has customers in the EU. It is a refresh of the Data Protection Act (DPA) that reflects key technological, digital and social changes that have happened since the original Act came into being in the 1990s. While we cannot provide legal advice on GDPR, we can certainly advise you on some of the aspects of the changes that affect digital marketing agencies. If you need more in depth legal definitions, the Information Commissioner’s Office (ICO) has put together a terrific guide to GDPR which covers all aspects; including the different legal bases for data collection and storage.
So what is GDPR?
GDPR is an update to the Data Protection Act that expands the definition of personal data and redefines what can be viewed as consent to collect, store, process and share this personal data. It focuses on the rights of the individual; the right to be informed, the right to erasure, the right to rectification and the right to restrict processing. The ICO defines these rights in further detail. The following sections expand on this further. If you have any questions about this, please refer to the ICO guidance above or give us a call.
The definition of personal data has changed.
GDPR has expanded personal data to include any unique identifiers like: IP addresses, location data and information devices used to access content. Consent needs to be obtained in order to store and process this data. Data can be defined as names, addresses, geolocations, race, criminal convictions and much more.
You can find the legal definition of personal data under the GDPR here.
What about encrypted data?
Data that has been encrypted by hashing or other means is also considered personal data and covered under GDPR. Having said that, if you pseudonymised your data, you “will benefit from relaxations of certain provisions of the GDPR, in particular with respect to data breach notification requirements (because loss of pseudonymised data is unlikely to create risk of harm)”.
Pseudonymising data takes “the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms; for example, a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention”
Be careful though, because this process doesn’t anonymise data completely. Treat it like you would any other form of personal data. You can find out more about making pseudonymised data GDPR friendly here.
The definition of consent to use data has changed.
Consent to collect, store and use data can no longer be assumed or implied. Data subjects must indicate clearly that they are happy for this to happen. This involves making sure they do something that is clearly affirmative; such as clicking a checkbox or selecting a button.
According to the ICO, GDPR defines consent as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The ICO have created an excellent document that details how GDPR defines consent and how this looks in action.
A key example of this is in action is forms where users have to actively tick a box that signifies their consent to data being collected.
As well as this, most information gathering forms like newsletter sign up forms, will need a double opt in. This could mean that customers then also get a confirmation email that has an “opt in” button the user has to click before their data is stored.
There is more than one legal base for consent, are you covered?
While, we cover the Consent legal base, the ICO lists out numerous “legal bases for consent” that cover the legal frameworks by which a data controller can collect the personal data of an individual inside the EU.
Before May 2018, you need to define what your legal basis is for collecting and processing data and acquiring consent to do so. You will also need to determine whether or not you actually need all of the data you collect for that purpose.
Consent must be documented and proven.
You will need to prove that a user has consented to have their data stored. This could mean adding an event to your cookies acceptance, for example.
Get a timestamp for permissions granted and keep a log.
Keeping this data in a CSV is advisable, as it is then easily accessed and shown to a Data Protection Officer, if needed. Also, if a customer asks why you have held data on them, you have clear proof that they have consented actively and can advise them of this.
Data must be stored so that it is easy for controllers to download/amend/delete on request.
The EU citizen’s right to be informed and to access, amend and erase the data held about them is paramount and this could mean a review of where this is kept, how easy it is for you to access/download for the user and delete.
If data is requested, the ICO outlines that “You must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data”.
You must not charge for this service and must complete the request within one month. Accordinging to the ICO, “you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive”.
Email marketers need to vet their data and data suppliers.
If you buy email data from a third party supplier, you will need to make sure it has been gathered via GDPR-friendly methods. If you have gathered your email data yourself, you will need to evaluate the methods by which you collected it, and re-obtain permission from data subjects if their data has been collected without a double opt-in or with their consent assumed/pre-selected.
Retargeting campaigns will be affected.
It is possible that consent to retarget users could now require consent under GDPR.
According to Campaign Live, brands are going to have to get creative with their online offering or invest in a more “in the moment” approach to marketing. Brands are excited about “moment marketing”; a way of targeting the customer based on what is happening around them at the time, without knowing who they are.
They say that brands will need to: “Ask permission of the user to do this (retargeting). It is likely that many users will refuse permission to have ads follow them around the internet. What was previously referred to as “the right side of creepy”, may become marginalised”.
You’ll need to tidy up your Google Analytics accounts.
First of all, review who has access to your clients’ accounts. Remove anyone who isn’t essential to the account immediately.
If clients have left the agency, remove their Google Analytics account from any shared accounts and advise them that you have done so. If you can’t do this, advise the company that you still have access so that they can remove you.
Personally identifiable information can be collected via Analytics tracking and the potential for this happening must be evaluated as soon as possible. If GA is collecting IP addresses and phone numbers via event tracking, stop this straight away.
Some excellent resources on Google Analytics:
Review your cookies banner so that users know what GA/cookie tracking means.
Capture cookie acceptance as an event so that it can be logged that users are doing this. According to Cookie Law, “consent for cookies will need to become much more clearly opt-in, or at the very least soft opt-in”. Soft opt-in is where cookies are blocked when a user enters the site until they have given consent for them to be activated.
Cookies for different purposes must each obtain active assent from the data-subject. Consent must not be assumptive but clear, active and unequivocal.
Google has linked to some great open source tools that you can use to create GDPR friendly banners for users. For other examples, the BBC’s main website has a GDPR friendly consent banner and has done for some time.
Customers need to be informed unequivocally what consent means.
This applies to any tracking or data collection you do for your website or app. If you’re wondering about Google Analytics and other Google Tools, then don’t worry. Google has updated their EU User Consent Policy to be in line with GDPR and the ePrivacy Directive.
You can find the EU User Consent Policy updates that will come into effect on May 25th here.
Privacy policies need to be clear, easy to read and very granular with regards to:
- Customer data that is collected
- What is done with that data
- The right customers have to erase their data
- The right of the customer to access their data in a portable manner
- How that data is stored
Consent must never be bundled in with a service; as in, you should never restrict access to your products and services and make consent a condition of access.
Consent must be granular and unequivocal. This means that if you have different forms of cookies for data processing then you should be really clear about that and make sure the customer has given active and informed, clear, consent to the collection of this data also.
Privacy policies need to document all tracking and data collection that is done on the site. This includes, but is not restricted to, Google Analytics tracking, Google Tag Manager, Facebook pixels, Adwords remarketing pixels; in short, any way in which you collect customer data.
Reconfirmation of consent is required if you have existing data.
If you have existing customer data via past email campaigns, for example, you will need to evaluate how you obtained it and whether it was via a method acceptable under GDPR. If obtained data via an automatically ticked box or via an “inactivity is consent” method, then you will need to get new permission to use this data.
You will need to be able to prove that all existing data was gained according to the regulations of GDPR.
As well as emailing, which may have a low response rate, you can send a mailing or do a phone call that is recorded. Just make sure the customer is aware that calls are recorded.
To be extremely clear, never ever send “repermissioning” emails to people who have not consented to be marketed to in the past. Some big names have got into trouble already for sending a marketing email to a cold lead asking if they could be marketed to.
Repermissioning is for data lists you have gained legitimately but not through GDPR friendly methods.
You must audit your data and existing procedures.
Brands and digital agencies must audit their data to ensure it has been collected via active, informed consent.
Work on the opt-in statement and get this right – This will tell potential data subjects what their data will be used for and provide them with a chance to decline or revoke their permission.
Recording data collection acceptance so that it can be proven will be a big thing leading up to the implementation of GDPR, do this from now and you will have proof that you are trying to work within GDPR best practices.
Make sure data is stored securely, what’s your server looking like in terms of security? Are you hosting websites that are not secure? Does your website have an up-to-date SSL certificate?
Lead generation is going to change with GDPR.
Someone giving you a business card is no longer considered active consent to store and use their data for your campaigns.
However, fear not! This doesn’t mean you can’t collect valuable lead data at networking events; it just means that you will need to collect clear, active and unequivocal consent to get that data. Plus, you and your competitors are all in the same boat!
According to GDPR Report, you should consider handing the user a tablet or phone with a form while you are chatting. They can then input their data and confirm via a confirmation email that they are happy for you to use their data.
Data storage rules are changing.
This article fully explains what must happen to the data being stored in your servers.
With regards to the data you hold on customers or the customers of your clients, you’ll need to advise them to ensure that this data is:
- Easily accessible so that you can provide it to a data subject who asks for it in via a download, for example.
- Amendable, in case the data subject wants to change what you hold on them
- Easy to delete and completely purge from servers if the data subject requests this.
- Stored securely, so that only authorised persons can access it
- Clear with regards to where it has come from
Cloud hosting is affected by GDPR.
You will need to review your cloud hosting frameworks to ensure they are still compliant. This article runs through what is needed.
There are big penalties for breaches of GDPR.
Any breach must be reported within 72 hours of the business being aware of the issue.
Failure to report could result in a fine of 20 million Euros or 4% of turnover, whichever is greater.
Now you’ve read and assimilated that list, here is a checklist we have put together for you to follow. Can you honestly say that you are compliant with each of the points below?
- Are all permission-based checkboxes preselected by default? Change these to deselected if so.
- Do you obtain data from anyone under the age of 16 and, therefore, require parental permission to process the data? If so, do you have these safeguards in place?
- Do all newsletter/subscription type opt-ins have a double opt-in? This can be in the form of a confirmation email that goes out and requires the click of a button to confirm acceptance.
- Do all users that have access to customer data have individual logins? Have you removed access from anyone who no longer needs or is no longer entitled to access that data?
- Do any of your Analytics tools collect personal data like usernames, IP addresses and specific geolocations? If so, strip this out as a priority.
- Is a timestamp taken of when user permission/opt-in to collect data was obtained?
- With regards to existing user data, was this obtained in a GDPR friendly way? If not, content will need to be regathered.
- Are cookies used for the tracking and profiling of customers? If so, has the website user confirmed they are happy with the use of these? Is this consent active, granular and unequivocal? If not, rework how this is presented on your site.
- Where is data from the website stored and processed (which systems)? Is it stored securely?
- Is all server data on EU customers stored outside the EEC?
- Have you documented all systems that store data from the website and how they can be exported or deleted on an individual basis?
If you are worried about the effects of GDPR on your business, let us know and we can do a website review for you. This website review will pinpoint weak areas and give you recommendations for how to strengthen these.
While we can’t offer legal advice, our website review will point you in the right direction and help you navigate GDPR. Get in touch with us now on +44 (0) 1243 373444.