The Marketer’s Glossary of GDPR Terminology
When the General Data Protection Regulation (GDPR) becomes official May 25, 2018, it’ll usher in a new era of data security and transparency. The measure is designed to give people control over their data while simplifying the legal environment for businesses around the world.
If that overly simplistic definition isn’t enough, we have you covered.
In this blog, you’ll learn the key GDPR terms marketers should be familiar with.
Personal data concerns any piece of information that personally identifies a consumer, either alone, or in combination with other data elements, including names, addresses, ID numbers, health info, racial or ethnic data, political views, sexual orientation, genetic data, and biometric data. Interestingly enough, location, IP address, cookie data, and RFID tags also fall under the umbrella of personal data.
Any piece of information that can be tied back to a specific individual is protected under the GDPR. However, if that data doesn’t identify a person, or is anonymous, the regulation does not apply.
The grey area here is with pseudonymous data. Pseudonymous data cannot be attributed to a specific data subject without additional information. It’s neither directly identifiable nor anonymous. For example, encrypted data, or data that has been “de-identified” (if the custodian retains the means to relate it or decrypt it), may actually be pseudonymous. Pseudonymous data isn’t exempt from the GDPR, but marketing departments that adopt the pseudonymization process will be better positioned for compliance.
Right to Erasure
How many times have you found incorrect or old information about you online? Also known as the “right to be forgotten,” this article is one of the more interesting, progressive measures in the entire regulation. Between our various social profiles, email addresses, and applications we use, there’s a boatload of our personal data swirling, but much of it isn’t even correct.
Right to erasure gives consumers the right to have this information removed at any time. How can marketers make sure they’re ready to abide by such requests? Develop processes that easily enable users to access their data and remove content as they please.
Increased Territorial Scope
The GDPR states that any company, regardless of where it resides, must abide by the new privacy regulations if it processes or controls personal data of data subjects in the European Union or markets to them.
The days of pre-ticked opt-in boxes are over. While some marketers might shudder at the thought of losing past data (and the efforts they’ll have to make to compile new, probably less complete data), the GDPR really allows marketers to do what they’ve always wanted to do: compel and engage their audience. The burden of proof is on corporations to prove consent, which means marketing automation platforms will be key in keeping active records of how consent was obtained.
Data Protection Officer
As part of complying with the GDPR, every enterprise must designate a data protection officer. For larger companies, such a position may already exist. However, for smaller companies, hiring a data protection officer becomes a pivotal step to ensuring GDPR compliance. This role will be responsible for an organization’s entire data protection strategy, educating employees on compliance requirements, responding to data subject requests, routinely performing privacy audits, reporting on privacy matters to the highest levels of management, and other GDPR-related tasks.
Data controllers are people or companies that decide how collected personal data is used, or will be used, for future purposes. The ways in which a company acts as a data controller would often be through the sales team or marketing team, but also any team that has a lead generation database or manages company contacts.
Data processors include any person or company that processes data on behalf of data controllers. Anything from collecting, recording, modifying, or storing personal data falls under data processing. Common examples include cloud storage providers, marketing automation platforms, accountants, and payroll functions.
Article 6 is one of the bigger grey areas in the GDPR, but how it pertains to marketers is narrower in scope. The main thing to remember with legitimate interest is to think about what is and is not lawful when processing personal information. Marketers are golden if they obtain consent and document and manage that consent. However, there are cases, such as in subparagraph (f), that allow for data processing if it can be justified as a legitimate interest, especially in cases where data subjects would reasonably expect their data to be processed. (Of course, most marketing companies would be well-served to stick to consent, since the burden of proof is on companies and GDPR fines are steep.)
For more information about what marketers need to do to prepare for GDPR enactment, check out The GDPR and The Marketer: A Practical Guide for the Marketo Customer or attend our annual Marketing Nation Summit and attend one of our GDPR-focused sessions.