2. Index
❖ Data Protection Vs Data Privacy
❖ What is GDPR?
❖ What does the GDPR structure look like?
❖ Who does the GDPR apply to?
❖ Lawful Basis of Processing
❖ Which Information does the GDPR apply to?
❖ Key Components of GDPR
❖ 6 Steps to Become GDPR Compliant
3. Index
❖ Key Rights for Consumers (Data Subjects)
❖ What can a company do to prepare?
❖ Develop a plan to tackle GDPR
❖ How does GDPR impact Marketing?
❖ Who is most affected?
❖ Practical Tips on GDPR for Marketing
4. Data Protection VS. Data Privacy
❖ Data protection, or data security, pertains to ‘protecting the data’ against ‘unauthorised access’.
❖ However, both authorised and unauthorised access can still breach privacy.
❖ So privacy and security/protection are two different things.
5. Data Protection VS. Data Privacy
❖ Protection: ensures unauthorised access is not permitted.
❖ Privacy: ensures privacy is not compromised in the event of unauthorised access and, importantly, even when there is authorised access to data.
6. The Background
❖ Data protection reforms were started in 2012 in the EU.
❖ One of the key components of this reform is GDPR (General Data Protection Regulation).
❖ Basically, GDPR is a set of rules designed to give EU citizens more control over their personal data.
7. What is GDPR
Under the terms of GDPR, not only will organisations have to ensure that
personal data is gathered legally and under strict conditions, but those
who collect and manage it will be obliged to protect it from misuse and
exploitation, as well as to respect the rights of data owners - or face
penalties for not doing so.
8. What is GDPR?
❖ Though this policy is primarily aimed at EU citizens it also covers those who are in possession
of EU-based personal data. Its focus is to ensure that consumers have rights such as:
❖ The right to erasure
❖ The right to restriction
❖ The right to object
❖ Information notices
Those who fail to comply with GDPR may be punished by fines at the equivalent of up to 4% of
their annual turnover or €20 million.
9. GDPR Application
GDPR applies to any organisation operating within the EU, as well as any organisation
outside of the EU which offers goods or services to customers or businesses in the EU.
That ultimately implies that almost every major corporation in the world will need to be ready
when GDPR comes into effect, and must start working on their GDPR compliance strategy.
11. Who does the GDPR apply to?
❖ DATA CONTROLLER
A data controller is a central figure when it comes to protecting the rights of the data
subject (a.k.a. the individual or the organization).
12. Who does the GDPR apply to?
❖ DATA PROCESSOR
Organisations that process the data on behalf of the data controller are called data
processors, e.g. Facebook.
13. Who does the GDPR apply to?
❖ DATA SUBJECTS: the consumers.
14. Lawful basis for processing
Data may not be processed unless there is at least one lawful basis to do so:
❖ Consent: the individual has given clear consent for you to process their personal data for a
specific purpose.
❖ Contract: the processing is necessary for a contract you have with the individual.
❖ Legal obligation: the processing is necessary for you to comply with the law.
❖ Vital interests: the processing is necessary to protect someone’s life.
❖ Public task: the processing is necessary for you to perform a task in the public interest or for
your official work.
❖ Legitimate interests: the processing is necessary for your legitimate interests or the legitimate
interests of a third party unless there is a good reason to protect the individual’s personal data
which overrides those legitimate interests.
15. What is consent?
You need to have a legal basis to process an EU citizen’s personal data. ‘Consent’
is one legal way to do so, as long as it is verifiable and specific.
Verifiable consent requires a written record of when and how someone agreed to
let you process their personal data.
Consent must also be unambiguous and involve a clear affirmative action. This
means clear language and no pre-checked consent boxes.
16. Which information does the GDPR apply to?
❖ Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person
who can be directly or indirectly identified in particular by reference to an identifier, e.g. IP
address, email IDs, User IDs, Photographs, etc.
❖ Sensitive personal data
The special categories specifically include genetic data, and biometric data where
processed to uniquely identify an individual, e.g. racial origin, political opinions, health data, etc.
18. Six Steps to GDPR Compliance
Personal data must meet the following conditions:
❖ It is processed fairly, lawfully and transparently
❖ It is collected and processed for specific reasons and stored for specific
periods of time, and it is not used for reasons beyond its original purpose
❖ Only the data necessary for its intended purpose is collected, and no
more
19. Six Steps to GDPR Compliance
❖ It is accurate and that reasonable steps are taken to ensure it remains accurate
❖ It is kept in a form that allows individuals to be identified only as long as is
necessary
❖ It is kept securely and protected from unlawful access, accidental loss or
damage
21. Data Subject Rights
❖ RIGHT TO BE INFORMED
When they are collecting data from you, organisations must properly inform you what data they
are collecting, what they are using it for, how long they are keeping it and which organisations it
is being shared with.
22. Data Subject Rights
❖ THE RIGHT TO ACCESS
You have the right to contact an organisation and ask them to provide the data they hold on
you. This includes the data they hold, why they hold it, and what they are doing with it,
including which organisations it is shared with.
23. Data Subject Rights
❖ THE RIGHT TO RECTIFICATION
You have the right to ensure that information about you is correct, and to ensure that
information is corrected if found to be inaccurate.
24. Data Subject Rights
❖ THE RIGHT TO ERASURE
Also known as the “right to be forgotten”, this means you have the right to demand that
information a company holds about you is deleted, in part or entirely. This is not an absolute
right, and in some circumstances this request can be refused.
25. Data Subject Rights
❖ THE RIGHT TO RESTRICT PROCESSING
You have the right to deny consent for an organisation to process your data, even if you have
given consent for it to do so in the past. This right also is not absolute and can in some
circumstances be refused. But an organisation must be able to show you what it is doing with
your data so you can decide to restrict processing if you wish.
26. Data Subject Rights
❖ THE RIGHT TO DATA PORTABILITY
This right gives you the opportunity to take the data an organisation holds on you and extract it
for use elsewhere. Good examples are the features that Facebook or Google offer that allow
you to download the profile information accumulated on the service. This is to promote
competition, so that users are not forcibly tied to an uncompetitive service by the weight of
accumulated data.
27. Data Subject Rights
❖ RIGHT IN RELATION TO AUTOMATED DECISION MAKING
Finally, with the growth in profiling and the use of data to make automated decisions, from targeted
advertising or content to credit decisions or job applications, this provides individuals with the
right to object to or appeal against automated decisions that affect them. This is particularly the
case where decisions have serious legal consequences or similar. All such processing
requires the explicit, informed consent of the individual.
28. Data Subject Rights
❖ THE RIGHT TO OBJECT
This allows you to demand that organizations stop using your data in ways you object to. For
example, sending direct marketing, or making nuisance commercial phone calls.
31. Develop a Plan to Tackle GDPR
❖ Integrate your IT and marketing departments
Between the threat of cybercrime and the necessity for specific monitoring and
implementation strategies, your IT department will be your new best friend.
32. Develop a Plan to Tackle GDPR
❖ Hire a Data Protection Officer (DPO)
DPOs assist you to monitor internal compliance, inform and advise on your data
protection obligations, provide advice regarding Data Protection Impact
Assessments (DPIAs) and act as a contact point for data subjects and the
supervisory authority
33. Develop a Plan to Tackle GDPR
❖ Educate your Staff
Anyone who handles information needs to be educated about GDPR. This
includes staff that interacts with new customers or users, those that maintain CRM
systems, and even data entry personnel.
34. Develop a Plan to Tackle GDPR
❖ Create Tools Which Ensure Privacy
Every day there are more and more companies popping up with pseudonymization
solutions and other ways to keep compliant. Work with your DPO and your IT
department to find the solution that works best for you.
35. Develop a Plan to Tackle GDPR
❖ Do an Audit of your Current Data Security System
The best way to ensure compliance is to have an accurate assessment of your
current data processes. That way you can identify high-risk areas and fix any
potential problem areas before enforcement begins.
36. Develop a Plan to Tackle GDPR
❖ Work with third-party providers who are GDPR-compliant
This includes your email service provider, your CRM service and your marketing
and PR agencies. You can be held responsible for breaches made by processors
you work with. It’s important to ensure that all aspects of your data processing are
in compliance.
37. How Does the GDPR Apply from a Geolocation Standpoint
GDPR applies to you if you:
❖ Sell or market goods or services to EU citizens (regardless of where they
live) or current EU residents.
❖ Employ EU citizens.
❖ Monitor the behavior of EU citizens or residents.
❖ Collect, process or hold the personal data of EU citizens or residents.
38. How Does the GDPR Apply from a Functional Standpoint
❖ The technical answer is that you need to know whether you’re a processor
and/or a controller as defined by the GDPR.
❖ Controllers store personal data. A payment platform like PayPal is a good
example.
❖ Processors use that data for a specific purpose but don’t store it once that
purpose has been achieved. One example would be people who sell things
online and use PayPal to process payments. They use a buyer’s information for
shipping and payment purposes but don’t store that data after the transaction
has been completed.
39. How GDPR Impacts Marketing
❖ There are only 3 key areas that marketers need to worry about – data
permission, data access and data focus.
40. 1. Data Permission
❖ Data permission is about how you manage email opt-ins: people who request
to receive promotional material from you.
❖ For example, instead of assuming that visitors who fill out a web form want to
receive marketing emails, organisations now need to ask visitors to specifically
opt in to newsletters by ticking the sign-up box. Proof of this opt-in must be
stored and be available for any audits.
42. 2. Data Access
❖ The right to be forgotten has become one of the most talked about rulings in
EU Justice Court history. It gives people the right to have outdated or
inaccurate personal data to be removed and has, in some instances, already
been implemented by companies like Google, who were forced to remove
pages from its search engine results in order to comply.
43. 2. Data Access
❖ As a marketer, it will be your responsibility to make sure that your users can
easily access their data and remove consent for its use.
❖ Practically speaking, this can be as straightforward as including an unsubscribe
link within your email marketing template and linking to a user profile that
allows users to manage their email preferences (as shown in the next slide).
45. 3. Data Focus
❖ As marketers, we can all be guilty of collecting a little more data from a person than
we actually need.
❖ Ask yourself, do I really need to know someone’s favorite movie before they can
subscribe to our newsletter?
❖ GDPR requires you to legally justify the processing of the personal data you
collect.
46. Who is affected most by GDPR in marketing
❖ Email marketing managers
❖ Marketing automation specialists
❖ Public relations executive
47. 9 Practical Tips on GDPR for Marketing
❖ Start auditing your mailing list now
❖ Review the way you’re currently collecting personal data
❖ Educate your sales team about social selling techniques
48. 9 Practical Tips on GDPR for Marketing
❖ Start centralizing your personal data collection into a CRM system
❖ Understand the data you’re collecting in more detail.
❖ Try using push notifications
49. 9 Practical Tips on GDPR for Marketing
❖ Update your privacy statement
❖ Invite visitors to add themselves to your mailing list by launching a pop up on
your website
❖ Invest in a content marketing strategy by creating white papers, guides and
eBooks that visitors can access and download in exchange for them sharing their
contact information.
50. Email and GDPR
❖ Forms on websites should have checkboxes for opt-in consent
❖ Explain how and why you would use this data
❖ Double-check that no integrations automatically add data to
your database (e.g. Facebook leads)
❖ Allow users access to the personal profile stored at your end, so they can
update their data
51. GDPR and emailing
❖ Create a consent email campaign and send it to all users to ask for specific
consent
❖ Create an ‘Update Profile’ campaign and let users update their profiles
❖ Create a ‘segment’ of compliant users in your database.
52. Privacy Policy and GDPR
Please include the following details in your Privacy Policy:
▪ Who is collecting the data?
▪ What data is being collected?
▪ What is the legal basis for processing the data?
▪ Will the data be shared with any third parties?
▪ How will the information be used?
▪ How long will the data be stored for?
▪ What rights does the data subject have?
▪ How can the data subject raise a complaint?
53. Cookies & GDPR
❖ A cookie in a browser is just an ID; however, when combined with other
data (IP address, device, unique IDs, login IDs, etc.) it may be used to
identify a person, hence cookie data is treated as personal data.
54. Cookies & GDPR
Consent should be given by a clear affirmative act establishing a freely given, specific, informed
and unambiguous indication of the data subject's agreement to the processing of personal data
relating to him or her, such as by a written statement, including by electronic means, or an oral
statement. This could include ticking a box when visiting an internet website, choosing technical
settings for information society services or another statement or conduct which clearly indicates in
this context the data subject's acceptance of the proposed processing of his or her personal data.
55. Cookies & GDPR
❖ ‘Agree’ and ‘Do not agree’ options alone are not enough
❖ Companies should ideally give users an idea of what types of cookies are
being used and allow them to choose which cookies they allow.
❖ Cookies and other files that may be stored in users’ browsers should also be
disclosed in privacy statements or consent form descriptions
56. Types of Cookies & GDPR
❖ Essential Cookies: important for a website’s functioning (session
login, add to favourites/cart, etc.)
❖ Analytics Cookies: not essential for the functioning of the website, but important
for monitoring purposes. You may want to elaborate and give users a choice
to accept or not accept these cookies
❖ Third-Party Ads/Affiliates: non-essential.
57. Cookies & GDPR
1. Users should know how their data will be used.
2. Also allow users to choose which cookies they want to accept.
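The following is an added example, not code from the deck, that ties together slide 15 (consent must be verifiable and affirmative, with a record of when and how it was given) and slides 55 to 57 (per-category cookie choice). The cookie names, categories, policy version and consent method are constructed assumptions.

```javascript
// Added example: per-category cookie consent with a verifiable consent record.
// Cookie names and categories below are a constructed catalogue, not real site data.
const COOKIE_CATALOGUE = [
  { name: "session_id", category: "essential" },
  { name: "cart", category: "essential" },
  { name: "_analytics_uid", category: "analytics" },
  { name: "ad_affiliate_ref", category: "third_party_ads" },
];

// Categories that require consent; essential cookies need none.
const OPTIONAL_CATEGORIES = ["analytics", "third_party_ads"];

// Build the record that proves when and how consent was given.
// `ticked` lists only the boxes the user actively ticked. A box that was not
// ticked is recorded as refused: consent is never implied or pre-checked.
function buildConsentRecord(ticked, { policyVersion, method, now = new Date() }) {
  if (!Array.isArray(ticked) || typeof policyVersion !== "string" || typeof method !== "string") {
    throw new TypeError("consent record needs ticked[], policyVersion and method");
  }
  const choices = {};
  for (const category of OPTIONAL_CATEGORIES) {
    choices[category] = ticked.includes(category); // default is refusal
  }
  // method (e.g. "banner_checkbox") and policyVersion make the record auditable
  return { choices, policyVersion, method, givenAt: now.toISOString() };
}

// Decide whether one cookie may be set for this visitor. A null record means
// the visitor has not answered the banner yet, so only essentials are allowed.
function mayStoreCookie(cookieName, record) {
  const entry = COOKIE_CATALOGUE.find((c) => c.name === cookieName);
  if (!entry) return false; // unknown cookie: fail closed
  if (entry.category === "essential") return true;
  return record !== null && record.choices[entry.category] === true;
}

// Names of all cookies the site may set given the visitor's record.
function permittedCookies(record) {
  return COOKIE_CATALOGUE.filter((c) => mayStoreCookie(c.name, record)).map((c) => c.name);
}

// Demonstration: visitor ticked only the analytics box.
const demoRecord = buildConsentRecord(["analytics"], {
  policyVersion: "2018-05", method: "banner_checkbox",
});
console.log(demoRecord, permittedCookies(demoRecord));
```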
58. Please note
❖ This presentation is educational in purpose and not legal advice. Please
consult your legal advisor on GDPR before proceeding further.