The document provides an overview of the key requirements of the General Data Protection Regulation (GDPR) and practical guidance for marketers on becoming compliant. It outlines four key GDPR requirements: consent, security and protection, access, and erasure. It then details various "Do's and Don'ts" for marketers regarding analytics, newsletters, data storage, and more. The document emphasizes getting clear consent, having a withdrawal mechanism, documenting breaches, and establishing data processing agreements with vendors.
3. IS THIS REALLY SO DIFFERENT THAN BEFORE?
No, not really. It is about respecting privacy.
4. BUT THE FINES ARE:
4% of global annual turnover or 20 million euro, whichever is higher.
5. FOUR GDPR KEY REQUIREMENTS:
Consent (Art. 7 + 8): Explicit consent for the particular purpose. This consent must be stored in an auditable and secure way.
Security & Protection (Art. 25 + 32): Data protection and security are required by design.
Access (Art. 15 + 16): Data subjects should have access to their own data and have the ability to modify or correct it.
Erasure (Art. 17): The right to be forgotten, a right for individuals to have personal data erased.
6. The GDPR does not cover internet cookies*, device fingerprinting and other similar technologies. Those will be covered in the new ePrivacy Regulation.
* But consent is linked to the GDPR.
7. OK, BUT HOW DOES THIS AFFECT MY LIFE AS A MARKETEER?
11. Do: MAKE CLEAR OPT-INS
Let users explicitly confirm that they want to be contacted. A pre-ticked box that automatically opts in won’t cut it anymore – opt-ins need to be a deliberate choice. Keep your terms and privacy policy always separate from other consent.
13. Don’t: STORE DATA FROM CHILDREN
You cannot process personal data of children without the consent of the parent. In the Netherlands those below the age of 16 are considered children, but this varies between the age of 14 and 18 in other EU member states.
14. Don’t: ASK FOR ‘SPECIAL CATEGORIES’ DATA
Racial or ethnic origin, political opinions, religious or philosophical beliefs. Data concerning health or a person’s sex life may only be processed where this is required by law.
19. Don’t: STORE DATA LOCALLY
Goodbye Excel Sheets! It’s impossible to be compliant by storing / copying data across multiple data sources, especially if they are offline.
20. Do: MAKE A SINGLE POINT OF TRUTH
Get a (global) CRM system in place, where you keep the consent of data subjects who can view, change and delete their data. Keep all the data together and use this database for third parties.
22. Don’t: USE YOUR CURRENT MAILING LIST
Make sure the data you use in your mailing list meets the GDPR requirements. Remove anyone from whom you do not have a record of their opt-in.
23. Do: ACQUIRE CONSENT FOR YOUR MAILING LIST
Acquiring consent is an opportunity to help you segment your customers and focus your communication based on specific interests, rather than sending a ‘one size fits all’ email campaign.
24. Don’t: WAIT UNTIL THE DEADLINE TO RE-PERMISSION CONSENT
Can you imagine what’s going to happen in April 2018 as the deadline looms?
25. Do: MARKET YOUR OPT-INS
If you rely heavily on email marketing, develop a strategy for inviting visitors to join your mailing list, for example by using a pop-up on your website, because the bottom of the page just won’t do anymore.
27. Homework: Google Analytics
Sign the Data Processing Agreement with Google. You can find this under Account Settings (you need to be Admin).
Source: Google Analytics
28. Homework: Google Analytics
Make sure you don’t share the data you collect within Google Analytics. You can find the data sharing options under Account Settings (you need to be Admin).
Source: Google Analytics
29. Homework: Google Analytics
We recommend turning on the IP Anonymization feature in Google Analytics. This requires a code change to enable. If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with the value ‘true’.
Source: Google Tag Manager
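Worked example added here, not taken from the slides: the analytics.js form of the same code change, plus a small audit helper that inspects captured Google Analytics collect requests for the `aip=1` parameter that the anonymizeIp field adds to each hit. The audit function names, the sample URLs and the tracking id `UA-XXXXX-Y` are constructed placeholders.

```javascript
// Added example (not from the slide deck). The analytics.js (Universal
// Analytics) equivalent of the GTM "Fields to Set" change: the `ga`
// command queue only exists in a browser, so it is passed in here.
function enableIpAnonymization(ga) {
  // Must run before the first pageview/event is sent; any hit queued
  // earlier still goes out with the full client IP.
  ga('set', 'anonymizeIp', true);
}

// In the Measurement Protocol payload analytics.js produces, anonymizeIp
// shows up as the query parameter `aip=1`. A hit without it sends the
// full client IP to Google, so the check is simply: is `aip` exactly "1"?
function hitAnonymizesIp(url) {
  const params = new URL(url).searchParams;
  return params.get('aip') === '1';
}

// Audit a list of captured request URLs (for example exported from the
// browser's network panel or a HAR file) and return the collect hits
// that still expose the client IP. Non-collect URLs are ignored.
function findUnanonymizedHits(urls) {
  return urls.filter((u) => {
    const parsed = new URL(u);
    const isCollect = parsed.pathname.endsWith('/collect');
    return isCollect && !hitAnonymizesIp(u);
  });
}

// Constructed sample hits (placeholder tracking id, not a real property).
// The second one lacks `aip=1` and should be flagged by the audit.
const sampleHits = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=pageview&dp=%2Fhome&aip=1',
  'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=event&ec=cta&ea=click',
  'https://www.google-analytics.com/j/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=pageview&aip=1',
];
```

Run the audit on a real capture after deploying the GTM change; any URL it returns means a tag or variable is still sending un-anonymized hits.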
30. Do: HAVE A DPA WITH YOUR VENDORS
For every vendor processing data, the data processor and controller need to make agreements regarding the processing of personal data through a data processing agreement.
31. Homework: Privacy Policy
The most important update to your Privacy Policy under GDPR is that these notices need to be written in a way that is clear, understandable, and concise.
Consider the following questions:
● What information is being collected?
● Who is collecting it?
● How is it collected?
● Why is it being collected?
● How will it be used?
● Who will it be shared with?
● What will be the effect of this on the individuals concerned?
● Is the intended use likely to make individuals object or complain?
32. Do: DOCUMENT & NOTIFY BREACHES
In case of a personal data breach, the controller should notify the data subjects without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.
35. Bottom line, GDPR compliance is simple:
● Don’t contact someone unless they specifically ask to be.
● Don’t send them irrelevant information they didn’t request.
● Do increase your data quality.
● Do make the data transparent.
36. About Burst
Burst is a leading digital agency with Dutch roots, experienced in blending business, data, creativity and technology. Like our clients, we have a holistic view and adapt quickly to new challenges.
www.burst-digital.com
37. Amsterdam: Wilgenweg 12a, 1031 HV Amsterdam, The Netherlands
Rotterdam: Delftseplein 30C, 3013 AA Rotterdam, The Netherlands
+31 10 82 001 40
info@burst-digital.com