This week’s webinar had a sense of urgency around it as thousands signed on to learn more about how marketers should be preparing for GDPR enforcement on May 25th of this year.

The live chat was dynamic and engaging throughout the webinar with experts and practitioners alike weighing in and sharing knowledge around the multi-faceted law that is poised to alter the course of marketing forever.

As stated in the webinar, we believe the GDPR represents a tremendous opportunity for marketers. We laid out four key areas in which you can start your GDPR compliance efforts right away.

We received over 16 pages of questions from attendees, and below is our first crack at answering these to the best of our knowledge. GDPR is more than the sum of its parts, and there are many parts to consider, so as you tackle the first step (creating awareness and alignment within your organization), be sure to reach out to stakeholders across Legal, IT, Marketing, and the myriad others for whom GDPR will mean changes to the way they think about managing data.

Q: What exactly is personal data?

Article 4(1) explicitly describes what constitutes personal data as follows:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

GDPR applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

Further, “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’: personal data that has been subjected to technological measures (for instance, hashing or encryption) so that it can no longer be attributed to a specific person without additional information.

This, as you can see, is pretty deep AND pretty broad. Another way to look at it, and an easier rule to follow: if the data allows a person to be identified, even indirectly (for instance, by combining different data sets to resolve an identity), then it must be considered personal data.

Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.
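The distinction between pseudonymous and anonymous data in the answer above is easy to get wrong in practice, so here is an added illustration (example code written for this page, not part of the webinar or of Cardinal Path's tooling). It hashes sample email addresses two ways: an unkeyed SHA-256, which anyone holding a list of addresses (a CRM export, say) can recompute and match, and an HMAC with a secret key held apart from the data. Both outputs are pseudonyms and therefore still personal data under the definition quoted above; the keyed form is just the one where re-identification genuinely requires the "additional information". The email addresses and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample addresses; no real data subjects.
SAMPLE_EMAILS = ["Alice@example.com", "bob@example.com"]
# Constructed key; in a real deployment it lives in a secrets store, not beside the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalize(email: str) -> bytes:
    """Canonicalize so the same person yields the same pseudonym across systems."""
    return email.strip().lower().encode("utf-8")


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic and reproducible by anyone."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the address. Reproducible only by a holder of the key."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def relink_plain(pseudonyms, known_emails):
    """Match unkeyed hashes back to addresses using only a list of candidates.

    This is the check to run before calling a hashed dataset 'anonymous':
    if a plausible candidate list re-links it, it is personal data.
    """
    table = {plain_hash(e): e for e in known_emails}
    return {p: table[p] for p in pseudonyms if p in table}


def relink_keyed(pseudonyms, known_emails, key):
    """Same matching attempt against keyed pseudonyms; succeeds only with the right key."""
    table = {keyed_pseudonym(e, key): e for e in known_emails}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Return how many records each scheme re-links for a party without the key."""
    plain = [plain_hash(e) for e in SAMPLE_EMAILS]
    keyed = [keyed_pseudonym(e, PSEUDONYM_KEY) for e in SAMPLE_EMAILS]
    wrong_key = secrets.token_bytes(32)
    return {
        "plain_relinked": len(relink_plain(plain, SAMPLE_EMAILS)),
        "keyed_relinked_without_key": len(relink_keyed(keyed, SAMPLE_EMAILS, wrong_key)),
        "keyed_relinked_with_key": len(relink_keyed(keyed, SAMPLE_EMAILS, PSEUDONYM_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the data audit discussed later: a column of hashed emails still belongs on your data map, with the key recorded as a separate asset and a retention period of its own. Deleting the key is what turns the keyed pseudonyms into data that can no longer be attributed to a person.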

Q: Do we have to give an opt-in/opt-out for every single element of our marketing campaigns?

Let’s be clear: when you are seeking consent, opt-out is not an option. This is because you need to gain consent in a way that is “specific, informed and unambiguous”. Silence doesn’t count as opt-in. It’s safe to assume that your contacts have to opt in rather than opt out.

Q: What should we do with data that is stored all around the organization?

This is a common problem, whether you’re a small company or a large organization. There’s data everywhere, and across all kinds of marketing technology, from simple spreadsheets to sophisticated CRM and marketing automation systems. You first need to know what you have. Map your data and document it through an audit. This way, you know where you stand and can take the next logical step. You can do this in tandem with managing rights and starting to gain consent, but knowing what data you have, where it is stored, and in what format is absolutely critical.

Q: Is the Customer Data Platform a new technology or is it already part of my marketing toolkit in some form?

A CDP actually layers on top of your existing toolkit – it’s a way to leverage all the cool stuff you’re already doing across CRM, Marketing Automation, Analytics, CMS, and Social – which helps you to deliver something truly Omnichannel. And in the GDPR era, it’s a way for you to more easily manage the way your customers move through their journey with you, on the right side of the law! GDPR is a catalyst for truly personalized marketing and it helps to ensure that your audiences are more engaged with your brand than ever. CDPs are the tech layer that enables this.


Q: When does GDPR apply? Can you clarify the whole resident / citizen confusion? For example, am I covered under GDPR if:

  • I’m a US citizen on a student visa living in the EU for a semester abroad
  • I’m a French citizen visiting New York City

The specific language of Article 3(2) of the GDPR states:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The key point here is the term “in the Union”. So an EU citizen in Japan working for a company in Japan would not fall under GDPR. However, while this seems clear enough to some, there are others who say that GDPR applies to EU citizens regardless of whether they are “in the Union” or not (e.g. in another non-EU country). I have read legal arguments on both sides and would recommend that you confirm with your legal counsel on this point. In addition, as the law has not yet been enforced, there is no jurisprudence or interpretation of the law yet by the courts.

In contrast, a student (or a tourist, or anyone who is in the EU temporarily) would be covered under GDPR if personal data is processed as a result of an activity or transaction that occurs within EU territory. So, a US citizen visiting Amsterdam who goes online to buy tickets to a museum in the city would be subject to GDPR. However, an EU citizen visiting New York City who goes online to buy tickets to a local museum would NOT be subject to GDPR.

With that said, we should be clear that there are some people who feel differently and provide guidance that an EU citizen, regardless of where they reside, would be covered under GDPR. The

Q: We don’t do any online sales via our website. We’re strictly informational. Do I still need to be GDPR compliant?

If you are collecting information about visitors (any information) then the answer is yes. So if you have analytics tools (e.g. Google Analytics) to record and track their visit, or any other tool, then you will have to be compliant. The easiest way of thinking about this is that if you have a tag (aka tracking pixel) for ANY service on your site that collects and sends data about a visitor, you will need to ensure you are GDPR compliant.

Q: What about analytics client IDs or device IDs? Are these considered personal data?

Yes. Much like IP addresses, these would be considered personal data. This is covered under Recital 30, which states in part: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”

Q: Is email subject to GDPR?

Email tracking in its current form (e.g. reads, forwards, etc.) absolutely falls under GDPR. According to a report by the Working Party 29, email tracking records personal data about addressees’ behaviour and transmits this without the unambiguous consent of the relevant addressee. Such activity, which is not transparent to the user, therefore would not pass Article 6, which pertains to lawful processing of data.

Q: Under what conditions do I need to appoint a Data Protection Officer (DPO)?

Article 37(1) outlines the requirements for appointment of a DPO. You must designate a DPO if you are a government body, you undertake large-scale processing, or you process sensitive data. Most digital marketers likely qualify under the “large-scale processing” clause and would therefore need to appoint a DPO. That said, you should absolutely seek legal guidance on this.

Q: Does GDPR apply to the collection of personal data, or does it apply to the storing and/or processing on a third-party data platform, e.g. a web analytics solution?

It applies to both the collection and the processing. The Data Controller collects the personal data, and the third-party data platform (e.g. an analytics solution) processes it. GDPR applies to both.

Q: If I can’t delete information from Analytics, which is currently the case, how do I deal with the right to be forgotten?

If your analytics data contains personal data for which you have not obtained consent, you as controller are required to respond and demonstrate that you have erased that data. If you cannot delete personal data, then you should take steps not to collect that data in the first place.


Q: If a German citizen is working for JP Morgan in NY, does GDPR not apply?

GDPR applies to natural persons located within the EU. It does NOT apply to an EU citizen who resides outside the EU (e.g. a German national working for JP Morgan in NY). Note that GDPR also applies to natural persons who are in the EU, even if only on vacation, for work, in transit, etc.

Q: Where do Email Tracking and Email Tracking providers fall?

Email tracking in its current form (e.g. reads, forwards, etc.) absolutely falls under GDPR. According to a report by the Working Party 29, email tracking records personal data about addressees’ behaviour and transmits this without the unambiguous consent of the relevant addressee. Such activity, which is not transparent to the user, therefore would not pass Article 6, which pertains to lawful processing of data.

Q: If you aren’t selling anything, but a person in the EU browses your site, do you still have to be compliant?

If you are collecting information about them, the answer is yes. So if they visit your site and their visit is recorded by your site analytics tool, or any other system, then you will have to be compliant. The easiest way of thinking about this is that if you have a tag (aka tracking pixel) for ANY service on your site that collects and sends data about a visitor, you will need to ensure you are GDPR compliant.

Q: What about telecom operators and their partnerships?

The information that US telecom operators collect about their US clients is not subject to GDPR. A Verizon subscriber in NJ would not create the need for Verizon GDPR compliance. If an EU resident went to the Verizon website, the data generated as a result of that interaction would trigger a GDPR compliance requirement (for that data subject’s data only).

Q: Is it personal data if our clients collect name and email of their clients through our website?

Absolutely.

Q: Is the GDPR’s focus on ‘resident’ or ‘citizen’? In many cases we see the term resident used and elsewhere citizen; what is the underlying rule? Can you confirm that if I am an EU citizen resident in Japan and working for a company located in Japan, GDPR does not apply?

This is a common question, so I’ll reference the specific language of Article 3(2) of the GDPR:

3(2): “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The key point here is “in the Union”. So an EU citizen in Japan working for a company in Japan would not fall under GDPR. If you’re in the EU, you’re a resident. If you go to Italy on vacation, you’re covered by the GDPR.

Q: If a company is complying with GDPR, can a US citizen have the same rights, e.g. data portability, privacy by design, etc.?

“Rights” is a very specific word with a legal context. While US citizens wouldn’t have these rights, they could always ask.

Q: How can we prove to the data subject that their data has been erased?

The right to erasure, and the five grounds under which it may be requested by a data subject, are outlined in Article 17 of the GDPR. The manner, systems and tools that you would use to ensure that any such requests are addressed in a timely fashion. You should familiarize yourself with the language. If you are not sure, you should seek legal guidance on this.

Q: Is a Data Protection Officer necessary? What is the threshold?

Article 37(1) outlines the requirements for appointment of a DPO. You must designate a DPO if you are a government body, you undertake large-scale processing, or you process sensitive data. If you are not sure, you should seek legal guidance on this.


This is just a handful of the more commonly asked questions. To drill down further into practical steps for addressing GDPR as a marketer, please contact us at info@cardinalpath.com for a brief consult.