GDPR 101: Our guide to the incoming EU regulations

You’ve likely heard the warnings: GDPR is coming. Depending on who you listen to, it could mark the end of digital marketing as we know it, or it could just be a lot of fuss over nothing. Until it comes into effect next year, we won’t know for certain – but you can at least make sure you know exactly what GDPR is, and how it could affect your business.

“The new EU GDPR is the biggest overhaul in data protection laws in over 20 years,” says Sheila FitzPatrick, chief privacy officer at NetApp.

“GDPR’s scope extends beyond existing data protection laws, and replaces them in the course of being implemented, making it arguably the biggest policy development digital advertising has ever faced,” agrees Yves Schwarzbart, head of policy and regulatory affairs at IAB UK.

The General Data Protection Regulation, to give it its full name, is an EU regulation first ratified in April 2016. It’s made up of a whole variety of rules intended to bolster data protection, which we’ll dive into later, but the main focus is on broadening the definition of ‘identifiable information’ beyond a name or email address to include IP addresses, cookies and other identifiers.

Technically speaking, GDPR is already law, but a two-year transitional period has been granted, with enforcement beginning on 25 May 2018. From that point on, any companies found in breach of GDPR could face what Nick Johnson, marketing law specialist and partner at legal practice Osborne Clarke, refers to as “eye-watering financial penalties” – up to €20m (£18m), or four per cent of global revenues, whichever is higher.

But with this date fast approaching, the marketing industry doesn’t seem to be prepared for GDPR at all. According to a March 2017 study by the Chartered Institute of Marketing, 50 per cent of marketers said they didn’t really understand what GDPR meant for their business, and only 11 per cent already had systems in place to ensure they are compliant. Perhaps most concerningly, 16 per cent said they didn’t believe GDPR was relevant to their business. With that in mind, let’s quickly outline exactly who GDPR applies to.

Who does GDPR apply to?
If you’re reading this in the UK and thinking that Brexit means you needn’t worry about this EU regulation, think again. In fact, it doesn’t matter where in the world you are. “GDPR is the first data protection law to be extraterritorial,” says FitzPatrick.

GDPR applies to any organisation that operates within the EU, offers its products to individuals there, or monitors their behaviour. Basically, if there’s any chance that your data includes a single EU citizen, then you will have to reckon with GDPR, wherever you’re based.

It’s also worth noting that GDPR expands who is responsible for data protection. As well as the ‘controllers’ of data, for the first time ‘processors’ have their own obligations.

Requirements for controllers – those who determine how data is used – are mostly the same as under the current Data Protection Act, with the addition of a responsibility to assess whether the processors they appoint are GDPR-compliant.

Meanwhile, processors – those working with data on behalf of the controllers – will be required to maintain records of their data-processing activities; may not subcontract the work without direct consent from the controller; and have significantly more legal liability if they’re responsible for a data breach.

Consent and Legitimate Interests
So, what do companies actually have to do to make sure they’re compliant with GDPR? Well, that’s where it gets a little complex, because it’s a big chunk of legislation.

One of the most important provisions is that organisations will have to prove they have a lawful basis for handling the data – either because the individual has given direct consent, or because the data is necessary for ‘legitimate interests’.

Consent needs to be demonstrable, and is defined by the regulation as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. This means that there needs to be clear evidence that an individual has opted in to their data being used, based on an understanding of how it will be used, by whom and for how long. Vitally, this rules out consent based on inaction or even pre-ticked boxes. Consent for pre-existing data won’t have to be refreshed, though, as long as all these requirements are met.

‘Legitimate interests’, meanwhile, can include the data being required to complete a contract, such as an address for delivery; for security or legal reasons; or “for direct marketing purposes”. This last one stands out – and it’s currently open to debate exactly what it means. This passage of the regulation has been read, variously, as a sign that marketers will be given carte blanche; that using data to send messages to customers will be treated differently to using it for profiling them; and as a restatement of the higher permission standards that digital marketing will face.

This is far from the only ambiguity present in GDPR. Along with the misconceptions that naturally spring from such a complex piece of legislation, this has led to many questions over its exact boundaries and definitions – and the situation is not being helped by some operators within the industry.

“There is so much misleading information being spun in the marketplace by companies trying to position themselves as GDPR ‘experts’ by selling tools and technology to obtain compliance,” says FitzPatrick.

The only option, it seems, is to wait. According to IAB’s Schwarzbart, these kinds of ambiguities are “expected to be clarified via guidance from European regulators by the end of the year”, but this, he believes, “would be unsatisfactorily late”.

The Right to Be Forgotten
However, there are other changes introduced by GDPR which are less ambiguous – even if they’re not always widely understood.

Chief among these is the right to erasure. It’s commonly known as the ‘right to be forgotten’, but that name is slightly misleading, as EU citizens can only request to have their data erased under certain conditions, which include the data no longer being necessary for its original purpose, and the individual objecting to the processing or withdrawing their consent.

There are also new rules on accountability for organisations, which will be required to show how they comply with the principles of GDPR, through documentation of processing activities, training, staff awareness and more. Companies will also have to carry out privacy impact assessments, considering the “risk to the rights and freedoms” before processing personal data, and build in protection safeguards and compliance ‘by design and default’.

In certain cases, organisations may also be required to appoint a data protection officer (DPO). A draft requirement that this would apply to anyone with over 250 employees was dropped in favour of the rather vague condition that any company whose core activities consist of “processing operations which require regular and systematic monitoring of data subjects on a large scale” must have a DPO.

The final major changes concern what happens after a data breach. Processors are only required to report breaches to the controller, who must then notify the appropriate authorities “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. If a breach “is likely to result in a high risk to the rights and freedoms of individuals”, those affected should also be notified without delay. This should mean no more incidents like Yahoo’s reporting, last year, of two record-breaking data breaches that actually took place in 2013 and 2014.

The Bright Side
So, yes, GDPR is coming. And the cost of implementing all the above regulations – which are just a quick summary of everything that GDPR actually requires for full compliance – isn’t going to be small, in terms of time, effort or money.

However, GDPR shouldn’t be the scourge of data-led marketing that some have painted it as. It’s just a case of being more careful about how you use data – and these changes might actually be improvements.

“GDPR forces companies to thoroughly review the way they use data and, if they buy in data, who they buy it from,” says IAB’s Schwarzbart. “While this task can be daunting, it can ultimately be an opportunity for companies to get a full understanding of their own data processes.”

Osborne Clarke’s Johnson agrees. As he points out: “Preparing for the GDPR’s tough compliance requirements can actually be a great tool for implementing change more generally in a business.”

Data is enormously important to modern marketing, and ‘big data’ might actually be understating the amount that most marketers have access to. But it can be easy to get lost in that. So if GDPR represents a chance for more transparent, better-quality data, shouldn’t we embrace it, rather than fear it?