“Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security. In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, external partners and provided a graphic overview with our GDPR infographic.
As much as GDPR covers, it also raises an equal number of questions. Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.
GDPR – Who?
Q: Does GDPR apply only to EU citizens?
A: No. GDPR protects people who are in the EU, regardless of citizenship or length of stay; an American living in the EU qualifies. It also reaches businesses outside the EU. If your company (B2B or B2C) has an establishment in the EU, offers goods or services to people in the EU, or monitors their behaviour (website tracking counts), you are subject to GDPR regardless of where your business is located.
Definition of Personal Data
Q: What is considered “personal” data? Is B2B information exempt?
A: Generic role addresses such as "info@" or "contact@" do not identify an individual, so they are not personal data. All data about an identifiable individual, whether collected in a B2B or B2C context, is covered by GDPR. That includes business information that identifies a specific person, such as a named business email address or a direct phone number.
Implied vs. Explicit Consent
Q: Is there a version of implied consent under GDPR? Does submitting a form with an available privacy statement count as consent to collect that data?
A: No. GDPR requires consent to be a clear affirmative action that is freely given, specific, informed and unambiguous. Pre-ticked boxes, silence, or the mere presence of a privacy statement next to a form do not count. The usual way to capture it is a separate, unticked checkbox the visitor must tick, together with a record of when and how they ticked it, because you must be able to demonstrate that consent was given. Keep in mind that consent is only one of the lawful bases for processing under GDPR; if you rely on a different one, you still need to be able to show it.
Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?
A: Not as a single, inseparable action. GDPR requires a request for consent to be clearly distinguishable from other matters, and consent is presumed not to be freely given when a service is made conditional on consent the service does not actually need. Let people download the whitepaper without opting in to marketing, and present the marketing opt-in as its own choice. The request itself must state how the data will be used, who will use it, and for how long. "Use" should include behaviour such as lead scoring or other propensity-to-purchase calculations and workflows, and "who" should include everyone with access, such as data enrichment vendors. A sample statement:
“The information set out in this form is registered in an electronic database for the purpose of [commercial prospecting, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the duration of the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge a complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…]”
Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?
A: Yes. The cookie consent requirement itself comes from the ePrivacy Directive, but GDPR sets the standard for what counts as valid consent, and cookie and device identifiers used to track an individual are personal data under GDPR. You must now obtain consent before setting non-essential tracking cookies. Banners such as "By using this site, you agree to cookies", which treat closing the message or continuing to browse as agreement, do not meet that standard. "Do Not Track" is a browser signal, not legislation, and honouring it is not a substitute for obtaining consent. See a cookie notification example.
Limits for Storing Data
Q: How do we define the duration of storing data? What constitutes “as long as necessary?”
A: GDPR does not set a number. Its storage-limitation principle says personal data may be kept only as long as needed for the purpose you collected it for, and your privacy notice must state the retention period or, where you cannot fix one, the criteria used to set it. In practice that means defining a retention period per purpose (for example, the length of the customer relationship plus a fixed number of months), documenting it, and deleting or anonymising records when it expires.
Unsubscribe vs. Data Removal
Q: Does unsubscribe mean data erasure?
A: No. They are two separate functions: unsubscribing stops the marketing emails, while erasure removes the personal data itself. You need both an unsubscribe link in your emails and a separate right-to-erasure option in the data consent center.
Opt-In Confirmation Emails
Q: We use a double opt-in for emails. Is this allowed?
A: Yes. GDPR does not mandate double opt-in, but it does require you to be able to demonstrate that consent was given, and the confirmation record is good evidence. Germany in particular still expects double opt-in. For German contacts you may send the opt-in confirmation email, but no marketing communication until the consent confirmation comes back.
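The two answers above (unsubscribe versus erasure, and hold marketing until the opt-in is confirmed) map onto a small consent store. The code below is an added example written for this post, not Marketo's or any vendor's implementation; the TOKEN_SECRET, the 48-hour link lifetime, the form id and the addresses are all made up. The confirmation token is an HMAC over the address and issue time, so a link cannot be replayed for a different address, reused after confirmation, or used after it expires.

```python
"""Double opt-in with separate unsubscribe and erasure, as one in-memory
consent store. Illustrative code; TOKEN_SECRET and the TTL are assumptions."""
import hashlib
import hmac
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional

# Hypothetical secret; in a real system load it from a secrets manager.
TOKEN_SECRET = b"example-only-secret-rotate-me"
# Assumed policy: confirmation links stop working after 48 hours.
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class Contact:
    """One subscriber plus the evidence that consent was requested and confirmed."""
    email: str
    status: str                  # "pending" -> "confirmed" -> "unsubscribed"
    consent_source: str          # which form asked for consent
    requested_at: int
    confirmed_at: Optional[int] = None
    confirmed_from_ip: Optional[str] = None
    unsubscribed_at: Optional[int] = None


class ConsentStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                           # injectable clock for tests
        self._contacts: Dict[str, Contact] = {}

    def _sign(self, email: str, issued: int) -> str:
        # Bind the token to the address and the issue time so it cannot be
        # reused for another address or after expiry.
        msg = f"{email}|{issued}".encode()
        return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email: str, source: str) -> str:
        """Step 1: record the consent request; return the token for the confirmation email."""
        issued = int(self._now())
        self._contacts[email] = Contact(email, "pending", source, issued)
        return f"{issued}.{self._sign(email, issued)}"

    def confirm(self, email: str, token: str, client_ip: str) -> bool:
        """Step 2: only a valid, unexpired, unused token switches marketing on."""
        try:
            issued_text, sig = token.split(".", 1)
            issued = int(issued_text)
        except ValueError:
            return False
        if self._now() - issued > TOKEN_TTL_SECONDS:
            return False                          # link expired
        expected = self._sign(email, issued)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False                          # forged, or wrong address
        contact = self._contacts.get(email)
        if contact is None or contact.status != "pending":
            return False                          # never requested, or already used
        contact.status = "confirmed"
        contact.confirmed_at = int(self._now())
        contact.confirmed_from_ip = client_ip     # kept as evidence of consent
        return True

    def can_send_marketing(self, email: str) -> bool:
        contact = self._contacts.get(email)
        return contact is not None and contact.status == "confirmed"

    def unsubscribe(self, email: str) -> bool:
        """Withdraw marketing consent. The record stays; only the emails stop."""
        contact = self._contacts.get(email)
        if contact is None:
            return False
        contact.status = "unsubscribed"
        contact.unsubscribed_at = int(self._now())
        return True

    def erase(self, email: str) -> bool:
        """Right to erasure: the personal data itself is removed."""
        return self._contacts.pop(email, None) is not None

    def has_record(self, email: str) -> bool:
        return email in self._contacts

    def export(self, email: str) -> Optional[dict]:
        """Subject access: everything held about the address, as a plain dict."""
        contact = self._contacts.get(email)
        return None if contact is None else asdict(contact)


if __name__ == "__main__":
    store = ConsentStore()
    token = store.subscribe("alice@example.com", "whitepaper-form-42")  # constructed input
    print("marketing allowed before confirmation:", store.can_send_marketing("alice@example.com"))
    store.confirm("alice@example.com", token, "203.0.113.5")
    print("marketing allowed after confirmation:", store.can_send_marketing("alice@example.com"))
```

Note what each state transition leaves behind: unsubscribe keeps the contact (with the withdrawal timestamp) so you can still show that consent existed and when it ended, whereas erase drops the record entirely. A production store would persist these records and log who triggered each transition.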
3rd Party Access
Q: Are there any considerations for 3rd party vendors who have access to my data?
A: Yes, these are called processors, and they must also be compliant with specific GDPR obligations regarding security, confidentiality and accountability. As a controller, you must only appoint processors who can provide sufficient guarantee that all requirements under the GDPR will be met and that the rights of data subjects will be protected. For insights into assessing GDPR Processor compliance, view this blog post.
Data Protection Officer
Q: Does my company need a data protection officer?
A: Under the GDPR, controllers AND processors must appoint a Data Protection Officer (DPO), whatever their size, if:
- they are a public authority or body
- their core activities require regular and systematic monitoring of individuals on a large scale
- their core activities involve large-scale processing of special categories of data (such as health, biometric or political-opinion data) or criminal-conviction data
The good news: the DPO can be an external DPO working under a service contract, and a group of companies can share a single DPO as long as that person is easily reachable from each of them.
Additional Consumer Rights
Q: I’ve heard GDPR grants consumers a number of rights… what do these rights include?
A: Under GDPR, data subjects have the right to access the personal data a company holds on them and to receive a copy of it in a portable format, the right to have it corrected, and the right to request complete erasure (subject to exceptions, such as data you are legally required to keep). They can also object to processing, including direct marketing, ask for processing to be restricted, and withdraw consent at any time. They must be told what you collect and why at the point of collection, not only on request. On breaches, the 72-hour clock applies to the supervisory authority: a controller must notify it within 72 hours of becoming aware of a breach, and must tell the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Permissions. Privacy. Regulations. What’s Next?
As consumers, we’ve come to rely on the cyber world; as marketers, we’re learning to communicate our message efficiently amidst new regulations. In 2017, CASL became enforceable; 2018 is the year for GDPR; what will 2019 hold? I expect we’ll see more regulation, rule clarifications, and yes, penalties for non-compliance. My advice for marketers: focus on the needs of your customer, continue to build strong relationships, deliver personalized digital interactions and leverage technology every step of the way. Ultimately, you’ll develop deeper connections across wider audiences and strengthen your brand for any new legislation coming down the pike.
For more information on GDPR, we invite you to download the complimentary guide, “GDPR: A Legal Overview for Marketers.”
Need help evaluating your data practices and processes? Get your questions answered or request a GDPR readiness assessment by our team of Marketo Certified Solutions Architects.
*Note: This post is intended as a starting point for GDPR compliance, but should not be considered legal advice. We’re marketers, not attorneys–and while we did work with our attorneys to put this together for you, the reality is that we wear cool t-shirts, not 3-piece suits, so do make sure you have your own legal eagles review all of your policies and procedures related to GDPR.