Savvy consumers are aware that their activity and data are being tracked online. That's why it's become so important to have regulations that offer privacy (especially on social media) and allow customers to choose what personal information they share.
The General Data Protection Regulation (GDPR) is a law that was introduced by the European Union on May 25th, 2018. This law replaced the Data Protection Directive 95/46/EC and was designed to:
Top tip: check out our defintitive GDPR Checklist for Marketers for advice on how to get started with ensuring you are GDPR-compliant.
As a regulation enforceable by law, the GDPR is not optional. If a person or organization wants to do business within the European Union, or with EU citizens, it must abide by the regulations.
With GDPR legislation, companies must be explicit about the ways in which they collect personal data for marketing purposes. This means asking specific explicit permission as they collect it, as well as offering consumers a valid reason for having the information.
In essence, the GDPR:
To comply with regulations, the GDPR provides six legal bases for processing and storing personal data. In data protection a legal bases refers to the justification for the processing of personal data.
The six legal bases for processing data under GDPR regulations are:
Digital marketers must understand their specific responsibilities in relation to the six legal bases and the rules associated with data processing and storage.
The Marketing department – and, by default, the Head of Marketing – plays a key role in enabling, supporting, and communicating GDPR and its impact on the business to senior management.
Because of Marketing’s unique role in collecting, processing, retaining, transferring, and deleting data belonging to the public and to the organizations’ users and customers, the person or people within the team nominated to roll out GDPR compliance must be fully aware of the scope and responsibilities of the project.
This is typically a cross-functional team effort, as the digital marketer leading GDPR-related activities will need to work with IT, Sales, Support, Engineering, Customer Success, and Product, for example, to ensure that data privacy processes and any dependencies are understood and supported across the organization.
The appointment of a DPO, or Data Protection Officer, will help to steer the resources into place for GDPR compliance:
[The] GDPR calls for the mandatory appointment of a DPO for any organisation that processes or stores large amounts of personal data, whether for employees, individuals outside the organisation, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” like that which details race or ethnicity or religious beliefs.
Digital marketing team members must also be familiar with the Data Controller and Data Processor roles. It’s imperative to understand in which scenarios they are the Data Controller, or the Data Processor.
The Data Controller can be defined as:
The person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.
The Data Processor can be defined as:
A person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.
It is important for a digital marketer to know when they play either or both of these roles every time they deal with data in their roles.
“Legitimate business interest” means that there must be a clear reason for the business to collect and process particular data about a data subject. For example, this could be the name and home address of a customer for a pizza delivery business. Just because a person orders a pizza does not automatically mean it is legitimate for this information to be used for direct marketing purposes – for example, sending them flyers. Passing this information to a third party without legitimate interest would also likely be considered a breach of GDPR.
The reasons for collecting and processing must not violate any rights of the natural person. As a digital marketer, you must carefully consider: what data is being collected, and why?
For this reason, recording consent is a very important requirement of the GDPR. Consent must be freely given, unambiguous, clear, and transparent to the data subject. There must not be long, baffling reams of legalese for them to read through. Consent must be correctly recorded. Also, the route to unsubscribe must be just as simple – and clear – for the data subject.
Line managers and senior management are also expected to be aware of the complete workings and impact of GDPR on their team as a whole, and that of individual contributors.
Considering an average digital marketing team, what are some of the key roles and tasks that individual contributors, and their managers must be conscious of:
Depending on the industry, some digital marketers will have more rigorous demands than others when it comes to GDPR regulations.
All these organizations require adherence to the most stringent data privacy and data protection policies
So, what are the responsibilities of a digital marketing team for recording, maintaining, and reporting data in relation to GDPR?
Defining and recording email opt-ins and opt-outs
Design an opt-in and opt-out flow that is clear where consent can be interpreted unambiguously; ensure that opting out is as easy and clear as opting in.
Standardizing how a new contact comes into the CRM via all marketing avenues
Understand every data intake process of the CRM under the jurisdiction of the marketing team, and ensure that in the case of EU citizens, each process has clear guidelines around consent.
Outlining the process of honoring data subject requests and deletions
Do a trial run of a data subject request and a data deletion request; refine and document the process, and train the relevant team members.
Communicating data breaches
Understand the time frame within which you have to publish notice about a data breach, and have pre-approved comms templates at hand for a crisis scenario.
Keeping the website's Privacy Page and Terms & Conditions Page up to date
At regular intervals, have your DPO, IT team and a legal expert review your public-facing data usage documentation.
Vetting and approving how CRM data is used for marketing purposes internally and externally
Ensure that your team members have appropriate permissions for data access within the tools they use and that they’re aware of what the data they have access to can and cannot be used for in marketing. Have an established policy regarding co-marketing or partner marketing, where the data subject is protected in accordance with GDPR regulation.
Understanding GDPR regulations, best practices and how you can comply ethically is imperative to your role as a digital marketing professional.
Data protection is now central to any digital strategy. Our digital marketing strategy course will not only cover the fundamentals of strategy but explore automation, analytics, budget, digital channels, leadership, and much more. Enroll today to get started!