The General Data Protection Regulation (GDPR) regulates how personal data is collected and stored by organizations. It gives individuals several rights over their personal data, including the rights to access, rectify, erase, and port their data. GDPR applies to any organization that does business in or markets to individuals in the EU. It requires organizations to obtain informed consent before collecting personal data, to store data securely, and to notify authorities of data breaches; noncompliance can result in fines of up to 4% of global annual turnover. GDPR goes into effect on May 25, 2018 for all EU member states.
2. CONFIDENTIAL
GDPR
WHAT DOES GDPR STAND FOR?
+ General
+ Data
+ Protection
+ Regulation
3. GDPR: WHAT DOES GDPR DO?
GDPR regulates how personal data is collected and how it is stored by organizations. Personal data is defined as:
Data that can be attributed to an individual person
+ My address, my favorite color, my shirt size, etc.
Data that would be considered sensitive personal data
+ Race/ethnicity, religious beliefs, membership data, health and biometric data, etc.
Data that would be considered pseudonymous data
+ The IP address I was on while browsing the Gap UK website
Data that is anonymous
+ Literally any data point – whether it is on a site that collects information or not
4. GDPR
THE GDPR PROVIDES THE FOLLOWING RIGHTS FOR INDIVIDUALS:
THE RIGHT TO BE INFORMED
+ Clear, concise and easily accessible information should be provided to individuals free of charge regarding how organizations use data provided by, or inferred from, users
THE RIGHT OF ACCESS
+ Individuals have the right to access their personal data held by an organization, and to be told whether any of their data is being processed
THE RIGHT TO RECTIFICATION
+ Individuals have the right to have their personal data rectified if it is inaccurate or incomplete
+ If that data was provided to third parties, the third party must be informed of the rectification request and the individual has the right to know their data was shared with that third party
THE RIGHT TO ERASE
+ Individuals have the right to request that their data be erased and no longer processed
+ Businesses can refuse deletion under a few limited circumstances
THE RIGHT TO RESTRICT PROCESSING
+ Individuals have the right to request that their data no longer be processed
+ Records can still be stored, but only enough information to ensure the processing restriction is enforced
THE RIGHT TO DATA PORTABILITY
+ Individuals have the right to move, copy or transfer personal data from one secure environment to another
THE RIGHT TO OBJECT
+ Individuals can object to direct marketing (including profiling), data processing based on legitimate interests, and data processing for research and statistics
RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
+ Individuals have the right not to be subject to a decision that was made via automated processing
5. GDPR
WHAT DOES GDPR REQUIRE OF BUSINESSES?
GDPR applies to all organizations that do business in or market to people within the EU – regardless of where a company is physically located.
+ Organizations are responsible for compliance and must be able to demonstrate this compliance when requested.
+ Data compliance will be a large component – how the data is collected, how it is stored, how it is transferred, how it is made available when requested by law or the individual, etc.
+ Privacy policies will need to be updated to include how the organization collects and will use any data provided by customers
6. GDPR
WHAT DOES GDPR MEAN FOR EMAIL MARKETERS?
+ Any email address collected must be freely given with clear, specific, informed consent
+ Pre-checked boxes for opt-in are not allowed – they are not considered informed consent
+ Information on how the data will be used by the brand must be presented at the time that consent is requested
+ Consent given only applies for the situations and usage as outlined at the time consent was granted
+ Any consent that is given must be clearly documented and stored
+ Recommended that consent forms and privacy policies be stored to prove compliance
+ All data must be stored securely, and in the event a data breach should happen the EU Data Protection Authority must be notified within 72 hours and all affected parties informed as soon as possible
+ Any data collected prior to the enforcement of GDPR must be brought into compliance before the implementation of GDPR
7. GDPR: WHEN DOES ALL THE FUN START?
+ 25 May 2018 is when the GDPR becomes immediately enforceable as law in all EU member states.
+ Non-compliance is punishable by fines up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher).
8. GDPR: WHERE CAN I GO TO LEARN MORE?
+ EU International Commissioner’s Office GDPR Resource Guide for Organisations
+ UK DMA: series of webinars and articles
+ Litmus blog post, “GDPR: What Europe’s New Privacy Law Means for Email Marketers”
+ Salesforce Trailhead on GDPR
+ The Spot for Pardot blog post, “GDPR Compliance in Pardot: The Freaky Fast & Un-Boring Guide”
+ ISIPP blog post, “How Email Marketing must Comply with the EU General Data Protection Regulation (GDPR)”