Legal Analysis by Tal Itzhak Ron and Stephanie Attias, Tal Ron, Drihem & Co., Law Firm
On May 25th, 2018, the European Union introduced the General Data Protection Regulation (GDPR) with the objective of increasing the protection of individuals’ personal data. The regulation replaced the 1995 Data Protection Directive and allows regulators to fine companies who mishandle personal data or who are not sufficiently transparent on how their business uses personal data.
What is actually meant by "Personal Data"? According to the Information Commissioner’s Office (ICO), personal data is: “Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a range of personal identifiers including name, identification number, location data or online identifier.” Therefore, Digital Marketers must make sure to only collect data that is necessary or falls under a ‘legitimate interest’ to operate their business.
Do such data protection laws apply to you? A few misconceptions we generally face in our daily practice include: “GDPR doesn’t affect us since we are not located in the European Union”, “We don’t hold personal data so GDPR is irrelevant”, “Our IT, Cloud, security provider is responsible for this, not us”. Such statements are incorrect. Indeed, under the GDPR both your business "the Controller" and your provider "the Processor" will be responsible, regardless of where the data is stored. Second, it is important to remind our readers that GDPR applies to all businesses that deal with the personal data of any European Citizen, regardless of where the business is geographically located.
How should Digital Marketers use personal data under data protection laws?
With opt-in becoming a mandatory requirement, marketers must, amongst other things, establish whether or not the current level of opt-in permission they use meets GDPR requirements. Most of the discussion relating to the effect of data protection laws on digital marketers focuses on consent, email marketing, and other relevant channels such as social media.
GDPR specifically requires explicit consent. Under GDPR, "implied consent" or "soft opt-in" methods will no longer be an option to gather B2C personal data. To this extent, companies must be able to provide signed proof that each data subject actually elected to opt in and wasn't added to the company's list by default or automation.
You should also note that according to the GDPR's "right to be forgotten", each data subject should also be informed about the right to opt out at any time. In order to fulfil this right, you should check your Company's technical integrations and ensure that personal data can be removed immediately from all relevant databases and platforms pursuant to the data subject's request.
As we recently witnessed with Facebook, such requirements could lead to a significant drop in European users. However, digital marketers cannot afford to ignore GDPR, especially with fines of up to €20 million, or 4% of the company's total worldwide annual turnover, whichever is higher.
Our advice is that you should always be as transparent as possible with consumer data in order to build more relevant, valued relationships with your customers. Marketing should not be aggressive or mysterious. If a user understands why they’re opting into your services and perceives the value they’ll gain, you will have a trustful relationship, a better audience and higher conversion rates. Therefore, with a more receptive audience, the benefits could actually outweigh any negatives relating to data protection laws.
Watch Out for Third Party Compliance
Many digital marketers work with third-party tools and third-party providers. In this case, it is extremely important for marketers to make sure each third party they interact with is ready and prepared for GDPR compliance. Before working with any third party, you should make sure they have successful measures in place to store, process, and integrate data appropriately according to data protection laws. Failure to do so, or failure to sign a Data Processing Agreement with such a third party, could make the marketer liable for any data breach performed by the third party. Each party must have a process in place to respond quickly and manage any data breach immediately in compliance with data protection laws.
GDPR's Influence Across the Globe
Overall, data protection laws involve more relevant marketing and greater transparency. Our recommendation is that you remain as compliant as possible because we are seeing an increasing trend in the adoption of data protection laws around the world.
Following the result of the Brexit vote when Britain decided to leave the EU, many were unclear as to whether the UK would implement GDPR. However, the ICO has confirmed that the GDPR will be incorporated into UK law and will remain in effect even once the UK has left the EU.
On June 27, 2018, California lawmakers also passed one of the toughest data privacy laws in the United States, which is set to come into effect at the start of 2020. The California Consumer Privacy Act (CCPA) of 2018 has been characterized as the first “GDPR-like” privacy statute to be enacted in the United States. The CCPA will require many organizations that process personal information of California residents to take stock of their privacy and security practices, and to update or implement new policies, procedures and controls to address the law. Indeed, companies that store large amounts of personal information (such as Google and Facebook) will now be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold.
As you can see, it is only the beginning of Data Protection Laws! Therefore, you are highly encouraged to obtain legal advice as quickly as possible to adopt the required compliance procedures.
Disclaimer: This article is purely informative and should not be used as legal advice for your company to use in complying with EU data privacy laws like the GDPR. For further information you should contact your legal advisors to analyse your business in detail, and pinpoint any requirements you may be required to follow.