GDPR – Key action points for digital marketers
GDPR has a lot of impact on digital marketing and affects almost all disciplines. From analytics and conversion optimization to display advertising, social media and the use of Google AdWords of Bing Ads. In this article we will discuss the background of the GDPR, which is relevant for digital marketers. In addition, we share a number of key action points for attention that you can immediately use.
GDPR stands for the General Data Protection Regulation. GDRP has been come into effect on 25 May 2018 and replaced Personal Data Protection Act.
Why the GDPR?
The GDPR entered into force on 25 May 2016 with the agreement that it would not be maintained until two years later, on 25 May 2018. For example, a transition period was created between the Personal Data Protection Act and the GDPR. The GDPR extends privacy rights, places more responsibility on the organisations that collect and process personal data and offers supervisors more robust enforcement options. As the supervisory authority, the Authority for Personal Data has the option of imposing substantial fines, among other things. These amount to 4% of the worldwide annual turnover for serious violations (which is higher).
Important legal aspects of the GDPR
As a digital marketer, it is important to be aware of the ethical and legal aspects of your discipline. Not least because violations of the law can also have serious consequences. We therefore list some important legal aspects of the GDPR for you.
3 roles for stakeholders
In principle, the GDPR distinguishes three different roles for data subjects in the processing of personal data. Namely:
- Data subject/involved: the natural person whose personal data is processed, e.g. a visitor, lead, customer or applicant, etc.
- Controller/responsible person: the person who determines the purpose and means of data processing, for example your own organisation.
- Processor/processor: the legal person who processes personal data on behalf of the responsible party. Think of partners/suppliers such as your digital media agency, Google as owner of Google Analytics or the freelancer you sometimes use to support the digital marketing department.
5 legal requirements of GDPR
The GDPR has five crucial legal requirements to keep in mind at all times:
- Opt-in/opt-out: the data subject must have full control over who is in possession of what personal data at what time.
- Clarity on the modalities and efficiency of data processing: the data subject should always be informed in an accessible way about who, what, how and why data processing is carried out. Think not only of the findability of information, but also, for example, of clear language.
- Ownership: the data subject is and remains the owner of the personal data relating to him or her. Data controllers should in some cases also make such personal data negotiable or transferable.
- Privacy by design: when developing products and services (but also when developing a website), the collection, security and retention period of data should be aligned with the purpose for which the data are processed.
- Privacy by default: this means that you take the technical and organizational measures to ensure that by default you only process the data that is necessary for the purpose for which you collect it.
Personal data vs. false anonymous data
With the introduction of the GDPR, the definition of personal data has also been tightened up. When processing data, a rough distinction can be made between personal data, false anonymous data and anonymous data. The table below shows some examples that are relevant for digital marketing.
| Personal Data | False anonymous data | Anonymous data | |
| Phone number | User ID | ||
| Examples | NAW data | Hashed email address | |
| MAC address (deviceID) | Data via tracking scripts | ||
| Location data (GPS) | |||
| IP address | Customer ID | ||
| Definition | Identified or identifiable person | Not traceable to a natural person without additional information, but individualisable | Outside the scope of GDPR |
| Date of birth | |||
| E-mail address | OrderID |
With the introduction of the GDPR, more data types fall under personal data than under the current legislation. But there are more important changes with a big impact on your website and digital marketing activities.
Impact of GDPR on the forms on your website
Nearly all forms on your website ask for personal data. Think of NAW data for quotation or order forms, or the e-mail address for a newsletter subscription. The privacy by design and privacy by default principles of the GDPR require that such data be transmitted in encrypted form via https. In addition, the amount of data requested shall not exceed what is necessary for the purpose for which the data are processed. Also, check-boxes with which consent is requested may not simply be ticked by default, because then there is no longer explicit consent.
Privacy & Cookie Statement
There is a good chance that the GDPR will also have consequences for the privacy and cookie statement on your website. These are some of the important points on which you can check your current privacy statement:
- Simple language: precise and complete description of data processing.
- Efficiency and/or legal basis.
- The data retention period, for each of the types of data you collect.
- Requirement for unambiguous consent, opt-in and opt-out options.
- Profiling that takes place.
- Indication of the persons with whom data is shared.
- Right of access, modification, deletion or transfer of data.
- Possibility of lodging a complaint with the Authority Personal data.
- In addition to company data, the name and contact details of the person responsible for privacy and data processing on behalf of the organisation.
Pay attention specifically to the first three points that you do this for each of the different purposes of data processing. In other words, if your website contains multiple forms that collect data for different purposes, you must describe each of those purposes. For example, a storage period may be different for data from an order form (data subject/involved becomes customer) than for an application form (data subject/involved becomes applicant).
Specified and explicit opt-in and opt-out
Under current law, in some cases, implicit consent based on ‘an act of active intention’ is enough. An example of such an action is clicking through from the web page of entry to the next page of the website after the visitor has been informed in a cookie bar about the use of cookies. Data is then collected on this second page.
Under the GDPR, the condition is that unambiguous consent must have been given. Personal data and false anonymous data may only be used with explicit opt-in and opt-out consent. And only in the case of ‘specified explicit and lawful purposes’. Data controllers should also be able to demonstrate that the consent was validly obtained.
As a marketer, this quickly forces you to use a cookie bar or cookie wall, in combination with a tag management system and database or register of opt-ins and opt-outs. If your website does not yet work with a tag management system or data management platform (DMP), now is the time to seriously consider those options. Without such a system, managing all the tools and tracking scripts on the website is a serious challenge, with all the risks of breaching the GDPR as a result.
Profiling
The profiling of visitors, for example for the construction of interest profiles, retargeting purposes or on-site personalization of content, is only allowed if the exact working of this and the impact on the visitor are clear. Describe the operation and purposes of profiling in the privacy and cookie statement of your website. You must also describe which tools are used, which cookies they place and how you can remove these as a visitor.
But also think of the contracts or (general) terms and conditions that apply to your organization’s relationship with customers. For example, if you use RLSA within Google AdWords or display retargeting for a visitor segment of existing customers, permission is required. It is no longer sufficient for you to include this form of data collection in your privacy statement or cookie policy for these purposes.
Right to obscurity & data portability
With the introduction of the GDPR, natural persons will be given not only the right to inspect but also ‘the right to obscurity’, i.e. the right to be forgotten. This means that natural persons may request all information that has been collected from them. These data must also be deleted on first request. In addition, an individual may request an organisation to transfer information in a standardized data format. For example, data can easily be transferred to another company providing similar products or services, such as an insurer.
Digital marketer: take the lead!
As you have read, with the GDPR you’ll get a lot of benefits as a digital marketer. In this article we have extensively discussed the most important legal aspects of the GDPR. Why? Because If you, as a digital marketing professional, are not at the forefront of the GDPR discussion, you will soon lag behind the facts. This means you run the risk that many analysis and advertising opportunities that are important for your success in digital marketing will be limited or even completely closed off. Out of ignorance about the exact technical effect, for fear of the legal consequences and fines in case of violation, or both.
It is always okay to consult a specialist legal advisor to determine the impact of the GDPR on your own organisation.
Marketing can add a couple of things to give more time to I think. One is to allow people more easily opt in and out and then in again, not that choosing marketing is once in a lifetime, but more to work with customers and allow more flexibility. Second is to review any partner and digital service more throughly to what they do with the data of your own customers and that becomes just better safety and better feeling of working with customers.