GDPR for Marketing - Intro
What is GDPR?
The European regulation known as GDPR (General Data Protection Regulation) is the major 2018 update to existing privacy laws in all EU member states. It governs the protection of personal data. Among other things, it refreshes the rules on how websites, companies, organizations, public sector … can collect, protect, and process personal data.
GDPR’s innovation included its extraterritorial scope, which has led to its global impact. This means that no matter where in the world your company is located, it has to comply with GDPR if it processes personal data from individuals in the European Union (e.g. if your webshop targets EU-based visitors).
Various other EU and local laws complement GDPR’s privacy rules. These are best known as the ePrivacy Directive, which EU member states transposed into national law (e.g. UK’s PECR, Belgium’s Law on Electronic Communications). These requirements apply to using cookies and similar technologies on websites. They also provide exceptions to send marketing emails to existing customers without their prior consent (‘opt-out’ rule). It is important to comply with these rules as well. Breaking them also means that the marketing activity does not comply with GDPR.
GDPR’s data protection regime requires companies (known as “controllers”, or “processors” in case they provide services to a controller) to have an appropriate legal basis to process the personal data of individuals (“data subjects”). It also has a heavy emphasis on being transparent to individuals. This is where privacy statements, cookie banners and the like come into play – they explain what personal data is processed and why.
What data are we talking about?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual.
Consider the very broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but may also include data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.
Which legal basis can we use as a marketing department?
For marketing practices, the most common legal basis for processing is prior consent. Put differently, we will usually need an individual (prospect, customer) to consent to receiving marketing materials (‘opt in’) or to allow tracking and analytics cookies (website visitor). GDPR has clarified that certain marketing and CRM activities can take place on the basis of our legitimate interest. One example includes sending e-marketing materials to existing customers (‘opt out’). However, other rules (like ePrivacy) that may impose opt-in requirements will always take precedence over legitimate interest possibilities.
Is GDPR also applicable in the UK after Brexit?
Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate a new relationship with the EU. During the transition period the GDPR will continue to apply in the UK. You can find more info on the website of the ICO (UK’s privacy authority).
SD Worx’ Legal & Compliance department has analysed and monitors the impact of Brexit on Marketing. The impact of Brexit on Marketing operations will be limited. If anything, where an EU-based SD Worx entity (e.g. SD Worx People Solutions) contracts a UK-based partner or agency, additional contractual measures may be required. Please see the guidance on Third Parties for more information.
Did we update our privacy policies?
Yes, we updated our privacy statements on all our public websites and portals according to the GDPR requirements. You can find an example of our updated privacy statement here.