Gijsbert Pols and Swee Huang Hustedt-Teo from Ingenious Technologies explain the impact of GDPR
On 25 May, the General Data Protection Regulation (GDPR) will be enforced. We all know by now that the GDPR provides legislation for all organisations that generate and process personal data related to EU-citizens.
It’s a great legal framework to put users’ rights first and foremost, giving them control about what information they would like to give away to online businesses – just as they would for offline businesses.
This has become among the most disruptive regulation rocking the online marketing world because it applies to virtually any online business (regardless of location) that sells to EU citizens – and they will have to adhere to GDPR or risk costly penalties.
The online marketing industry is getting (understandably) jittery, as it primarily functions because of data collected from customers’ behaviours for purposes of personalisation and targeting of advertisements. Because of GDPR, this very basis is being questioned – but for a fairer collection and usage of data. GDPR gives rise to the four main questions that online marketers need to be able to answer.
Is your collected data personally identifiable?
Personal data is defined as any information relating to an ‘identifiable natural person’. This person can be identified ‘directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity’.
This is a very broad definition since it also includes data that can allow indirect identification. This includes not only names and data containing names but also means an email address is considered personal data. Images, customer IDs and perhaps data on behaviour could considered personal data too.
Is consent given for the use of the data?
Any storage and usage of personal data must be preceded by a request for consent to the individual involved ‘using clear and plain language’. This consent must be requested granularly: data subjects must be able to choose which personal data can be stored and which cannot.
What’s new is that silence, pre-ticked boxes or inactivity no longer constitutes consent. Data collection must now be on an opt-in basis, rather than by default opted in. In addition, there needs to be clear explanations as to what the data is used for when requesting consent. If the data is used for multiple purposes, consent needs to be given for each and every one of them.
Can your data be accessed and exported?
For those, whose data you are collecting, they have the legal right to obtain information from you as to ‘whether or not personal data concerning him or her are being processed’, what they are processed for, and who is processing these data. On the other hand, you will need to provide a readable copy of all personal data that is undergoing processing relating to this individual.
This also means that businesses need to ensure that they have the right IT infrastructure to summon up this information when an individual requests it.
Do your data subjects have the right to be forgotten?
Data subjects have the right to request for the stored personal data to be erased, for instance when their data is no longer necessary for the purposes they were collected for – and you are obliged to concede to this request ‘without undue delay’. This underlines the integrity of ensuring your reason for collecting is clearly and comprehensively explained, so that your data subjects know exactly what they are consenting to.
On the other hand, if they withdraw their consent and there was no legal ground to process the data in the first place, then these data must be removed. This is likely to apply to all previously collected data, which had not been properly consented to before.
According to some articles, GDPR leaves the door slightly ajar where it allows passive consent for the storage and usage of data in case of a ‘legitimate interest’ on the side of the organisation collecting the data. However, this legitimate interest must be balanced with the interest of the individuals involved, and there is much debate on how to keep this balance.
The key terms to grasp GDPR are consent, transparency and accountability. Personal data can only be generated when individuals have given their consent, and it should be possible to revoke consent at any time.
When personal data is collected, individuals have the right to know how they will be stored, to what aims they will be used and by whom. The storage and usage of data should be properly managed and supervised. Naturally it is advised for businesses to educate the team, hire a data protection officer, change policies and ensure compliance.
Perhaps the real question for businesses, the elephant in the room so to say, is whether you should work towards being able to collect and erase the personal data you collect, or – if possible – not collect any personally identifiable data at all.
Gijsbert Pols is product manager, and Swee Huang Hustedt-Teo is marketing manager at Ingenious Technologies