By now you’ve probably heard it enough (hopefully): the EU GDPR is coming fast and it’s more than time to act.
The road towards a strategic GDPR compliance strategy is not an easy exercise and the impact and steps to take depend on many factors. Moreover, once you start getting really practical, additional questions might arise, another reason to get informed and to stay on top of things now.
In this article we look at some practical issues that have been pointed out by a few marketing organizations early March 2017 regarding GDPR marketing issues and which in several cases, are valid for other areas of business and industries too. They can help you in identifying practical potential issues when processing personal data and specific data categories for your business.
Four GDPR challenges for marketing – and beyond
The respective marketing associations we’ll mention urge their members and marketing organizations to take action and at the same time lobby to get their questions and remarks heard and specific actions to be taken.
It’s pretty clear that among the many industries and functions which are affected by the General Data Protection Regulation, marketing and advertising is a big one (and information management and capture another one).
Moreover, the ‘digital’ marketing and certainly advertising space will be seriously impacted by the ePrivacy Regulation which we tackled previously and, among others, comes with several changes regarding the usage of cookies. The concerns of marketers and advertisers about the ePrivacy Regulation (which is not the GDPR but is strongly related with it), though touched upon in our overview, are for later.
On March 7th, 2017, three Belgian marketing associations, IAB Belgium, the BDMA and STIMA announced they would join forces to help organizations, specifically in marketing and advertising, to get ready for – and compliant with – the GDPR personal data protection rules and avoid the high GDPR fines and penalties. As we saw earlier it’s needed as Belgian companies do have some GDPR readiness catching up to do, not in the least with regards to GDPR awareness.
They aim to answer questions such as the precise impact of the GDPR on the marketing industry, the role of the Data Protection Officer (which is needed in some cases) and so forth in some joint and some separate initiatives. Similar initiatives are taken by other associations in marketing and beyond.
A GDPR ‘position paper’ with marketing-related issues
At the same time the organizations also signed and shared a GDPR marketing position paper, which is pretty interesting. Unfortunately it’s not available in English, as far as we know, so let’s take a quick look.
“Paradox: invoking the right to be forgotten, which stretches further than the right to object, de facto can lead to less protection than the right to object: data erasure versus data flagging”
Although the BDMA (Belgian Direct Marketing Association), STIMA and the Belgian IAB are, well, Belgian, the position paper pretty much reflects opinions from across the marketing industry overall and even from other industries. Below are a few of the practical issues as seen by the marketing industry.
1. GDPR marketing issues regarding the duty concerning the communication of personal data storage duration
A first point concerns the Regulation’s articles regarding the period for which the personal data will be stored and, specifically, the duty to provide the data subject (EU citizens) with information about this period.
The marketing associations emphasize that this de facto will be very hard in practice as the duration of the storage of personal data depends on specific elements such as the type/category of data. As an example: contact information will be kept longer than data regarding consumption habits.
A second element is the reason why the personal data gets stored: the purpose. As an example: transactional data will be stored less long than personal data, needed for invoicing.
You get the picture: hard to communicate a fixed time of storage duration at the time the data are obtained.
The solution according to the associations: being flexible enough so only the criteria which determine the duration of the storage of the data need to be communicated. On top of that they ask if it wouldn’t be possible to link to a text on a website where the ‘data storage policy’ is clarified instead of having to provide all the criteria, which would also be more convenient in case the data is obtained via other means than the Internet.
For those who look deep into the GDPR, the issue regarding the communication of personal data storage duration concerns Articles 13.2 and 14.2.
Article 13.2 and 14.2 already state the data subject must be informed “with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;” so that seems feasible.
2. The challenges of the duty regarding the communication of the source of personal data
The second point made by the associations concerns Article 14 (“Information to be provided where personal data have not been obtained from the data subject”) and Article 15 (“Right of access by the data subject”) of the GDPR.
The problem: prior to the GDPR local legislation said that this duty of information regarding the provenance of the source needed to be communicated IF it was available. Other countries have similar and other stipulations.
You get the picture: when the GDPR becomes enforceable, in principle personal data for which there is no more source information available cannot be used anymore.
The solution according to the position paper: make an exception for data which were obtained before the GDPR becomes applicable, in which case the data controller only would need to try to communicate as much available information on the source as possible.
3. GDPR marketing issues regarding the right to be forgotten
This concerns Article 17 of the GDPR: “Right to erasure”. A technical consequence of the right to be forgotten as the right to erasure is also called is that the concerned personal data needs to be, well, erased completely from “the database” in which it resides.
However, the right of erasure comes with specific conditions (as all the other articles in the GDPR of course do). One of them is that the data subject objects to the processing, again in specific circumstances (more in the full text).
What the marketing bodies say is that when a right of objection is exerted, data is flagged: it can’t be used for marketing purposes anymore. However, when in the context of the right of erasure the data is fully deleted it is perfectly possible that the data subject gets contacted later for marketing purposes again if his/her data are entered into “the database” again via an external source, conform with the Regulation.
You get the issue again: in practice this (could) mean(s) that a person who doesn’t want to receive marketing messages anymore (flagged in the database) is better ‘protected’ than a person whose data is erased.
4. The notification obligation regarding rectification, erasure or restriction of processing of personal data: the disproportionate effort issue
Article 19 of the GDPR, which is about the obligation for data controllers to notify all recipients of personal data when any rectification or erasure of personal data or restriction of processing of personal data is done.
Moreover, the data subject has a right to demand a list of all those recipients to whom the personal data was disclosed.
However, the obligation to communicate these changes, corrections, erasures and restrictions of processing doesn’t apply if it is PROVEN to be impossible or involving disproportionate effort.
Disproportionate effort: a matter of definitions and clarification – or limitation in time?
Remark from the marketing associations: in order to be able to notify all parties who got the personal data, obviously you need a history. As such this is possible but only if it is limited in time as otherwise it would be a disproportionate effort. Maybe a matter of interpretation but a clarification of what exactly a disproportionate effort means is asked. Moreover, the associations ask a limitation in time (until three months prior to the data when the data subject asks for his data to be rectified, erased and so forth).
These are just some of the practical implication concerns of the marketing associations, they do have more and they are mainly requests for clarification of terms within the practical scope of the marketing industry.
For marketing organizations it’s all the more reason to make sure they are very well informed and don’t wait too long before acting as it’s pretty complex and the stakes (and fines) are high.
However, you probably noticed that several of the concerns aren’t just valid for marketers. So, in getting GDPR compliant do look at the issues that are raised outside of your industry and do look at practical issues and needed clarifications in time as well.
Top image: Shutterstock – Copyright: Rawpixel.com – All other images are the property of their respective mentioned owners.