GDPR has a lot of impact on digital marketing and affects almost all disciplines. From analytics and conversion optimization to display advertising, social media and the use of Google AdWords of Bing Ads. In this article we will discuss the background of the GDPR, which is relevant for digital marketers. In addition, we share a number of key action points for attention that you can immediately use.
GDPR stands for the General Data Protection Regulation. GDRP has been come into effect on 25 May 2018 and replaced Personal Data Protection Act.
The GDPR entered into force on 25 May 2016 with the agreement that it would not be maintained until two years later, on 25 May 2018. For example, a transition period was created between the Personal Data Protection Act and the GDPR. The GDPR extends privacy rights, places more responsibility on the organisations that collect and process personal data and offers supervisors more robust enforcement options. As the supervisory authority, the Authority for Personal Data has the option of imposing substantial fines, among other things. These amount to 4% of the worldwide annual turnover for serious violations (which is higher).
As a digital marketer, it is important to be aware of the ethical and legal aspects of your discipline. Not least because violations of the law can also have serious consequences. We therefore list some important legal aspects of the GDPR for you.
3 roles for stakeholders
In principle, the GDPR distinguishes three different roles for data subjects in the processing of personal data. Namely:
5 legal requirements of GDPR
The GDPR has five crucial legal requirements to keep in mind at all times:
With the introduction of the GDPR, the definition of personal data has also been tightened up. When processing data, a rough distinction can be made between personal data, false anonymous data and anonymous data. The table below shows some examples that are relevant for digital marketing.
|Personal Data||False anonymous data||Anonymous data|
|Phone number||User ID|
|Examples||NAW data||Hashed email address|
|MAC address (deviceID)||Data via tracking scripts|
|Location data (GPS)|
|IP address||Customer ID|
|Definition||Identified or identifiable person||Not traceable to a natural person without additional information, but individualisable||Outside the scope of GDPR|
|Date of birth|
With the introduction of the GDPR, more data types fall under personal data than under the current legislation. But there are more important changes with a big impact on your website and digital marketing activities.
Nearly all forms on your website ask for personal data. Think of NAW data for quotation or order forms, or the e-mail address for a newsletter subscription. The privacy by design and privacy by default principles of the GDPR require that such data be transmitted in encrypted form via https. In addition, the amount of data requested shall not exceed what is necessary for the purpose for which the data are processed. Also, check-boxes with which consent is requested may not simply be ticked by default, because then there is no longer explicit consent.
There is a good chance that the GDPR will also have consequences for the privacy and cookie statement on your website. These are some of the important points on which you can check your current privacy statement:
Pay attention specifically to the first three points that you do this for each of the different purposes of data processing. In other words, if your website contains multiple forms that collect data for different purposes, you must describe each of those purposes. For example, a storage period may be different for data from an order form (data subject/involved becomes customer) than for an application form (data subject/involved becomes applicant).
Under the GDPR, the condition is that unambiguous consent must have been given. Personal data and false anonymous data may only be used with explicit opt-in and opt-out consent. And only in the case of ‘specified explicit and lawful purposes’. Data controllers should also be able to demonstrate that the consent was validly obtained.
As a marketer, this quickly forces you to use a cookie bar or cookie wall, in combination with a tag management system and database or register of opt-ins and opt-outs. If your website does not yet work with a tag management system or data management platform (DMP), now is the time to seriously consider those options. Without such a system, managing all the tools and tracking scripts on the website is a serious challenge, with all the risks of breaching the GDPR as a result.
The profiling of visitors, for example for the construction of interest profiles, retargeting purposes or on-site personalization of content, is only allowed if the exact working of this and the impact on the visitor are clear. Describe the operation and purposes of profiling in the privacy and cookie statement of your website. You must also describe which tools are used, which cookies they place and how you can remove these as a visitor.
With the introduction of the GDPR, natural persons will be given not only the right to inspect but also ‘the right to obscurity’, i.e. the right to be forgotten. This means that natural persons may request all information that has been collected from them. These data must also be deleted on first request. In addition, an individual may request an organisation to transfer information in a standardized data format. For example, data can easily be transferred to another company providing similar products or services, such as an insurer.
As you have read, with the GDPR you’ll get a lot of benefits as a digital marketer. In this article we have extensively discussed the most important legal aspects of the GDPR. Why? Because If you, as a digital marketing professional, are not at the forefront of the GDPR discussion, you will soon lag behind the facts. This means you run the risk that many analysis and advertising opportunities that are important for your success in digital marketing will be limited or even completely closed off. Out of ignorance about the exact technical effect, for fear of the legal consequences and fines in case of violation, or both.
It is always okay to consult a specialist legal advisor to determine the impact of the GDPR on your own organisation.