One North’s Managing Director of Technology Ryan Horner and legal process and technology consultant Bob Beach share details on how the EU’s General Data Protection Regulation (GDPR) could impact digital assets.
This webinar is designed to educate digital marketers, share actionable examples, and provide an overview of how One North can help clients ensure their digital properties are in compliance with the regulation and execute on those efforts. Beyond GDPR compliance, the session will also highlight important information for marketers as data privacy continues to become a critical and strategic component of digital.
Access the recording: https://youtu.be/ruQpN70LGt0
3. Agenda
• Defining GDPR
• Changing Data Privacy Expectations
• 5 Key Concepts for Digital Marketers
• Applying to Marketing Automation
• A Process & Steps to Take Now
5. General Data Protection Regulation (GDPR)
• Standardize data privacy laws across Europe
• Protect and empower all individuals in the EU (“data subjects”) with respect to their data privacy, including protection against breaches
• “The protection of natural persons in relation to the processing of personal data is a fundamental right.” (Recital 1)
• Reshape the way organizations approach data privacy
• Users own their data; you are just borrowing it
• 261 pages, 173 Recitals and 99 Articles
What When Who/Where Why How
6. General Data Protection Regulation (GDPR)
• Approved by EU Parliament in 2016 and enforcement on
May 25th 2018.
• 63 Days, 7 Hours from Now
7. General Data Protection Regulation (GDPR)
• The GDPR applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, data subjects in the EU.
• It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. It also reaches controllers outside the EU in places where Member State law applies by virtue of public international law (for example a diplomatic or consular post).
8. General Data Protection Regulation (GDPR)
• Heavy fines: up to 4% of annual global turnover or €20 million (whichever is greater)
• GDPR is here now, but more regulations are coming.
• Avoid negative brand reputation / PR / news from data privacy breaches
• Meet users’ expectations for privacy
9. General Data Protection Regulation (GDPR)
• Awareness
• Process
• Team
  • Including legal counsel
• Note: Each organization is unique and will require its own legal counsel to interpret the specifics of GDPR in its situation.
15. The State of Data Privacy
• 91% of adults agree that they have lost control of how personal information is collected and used by companies. (Pew Research, 2016)
• 83% of respondents agreed that trust is the cornerstone of the digital economy. (Accenture Tech Vision, 2016)
• 74% of respondents say it is “very important” that they be in control of who can get information about them. (Pew Research, 2016)
• 84% of U.S. companies don’t understand what GDPR means, and 74% are not confident that they will be compliant. (Sage Survey, 2018)
20. What It Means: CONSENT
• Be transparent and be explicit about:
  • What you are capturing
  • For what purpose
  • For how long
• No legalese
• Can’t be buried in fine print
• Separate and distinct from the Privacy Policy
22. What It Means: CONSENT
• Active opt-in
• Can’t pre-select checkboxes; a pre-ticked box is not valid consent
• Can’t rely on blanket consent; consent must be granular and obtained separately for each use case
• Withdrawing consent must be as easy as giving it
26. What It Means: USER DATA RIGHTS
What data applies?
Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify the person. It can be anything from:
• a name
• a photo
• an email address
• bank details
• posts on social networking websites
• medical information
• a computer IP address
From https://www.eugdpr.org/gdpr-faqs.html
28. What It Means: USER DATA RIGHTS
• You need a clear way for users to make requests such as:
  • Updates (the right to rectification)
  • Deletions (the right to erasure)
• Process
  • Verify the requestor
  • Track the requests (in a central location)
  • Notify the requestor of status
  • Complete the request
• You have one month from receipt to act and respond (extendable by up to two further months for complex or numerous requests, provided you tell the requestor within the first month).
• Tools and systems
  • Know where your user data is stored (CRM, MA, CMS, 3rd parties, spreadsheets, etc.)
  • Don’t forget about backups and archives, and other supporting environments.
29. What It Means: USER DATA RIGHTS
• Why third parties?
  • On updates and deletions, you have to process the request and pass it on to the 3rd parties you use, because each recipient of the data must be told of the rectification or erasure.
  • Make sure you know what your 3rd-party event management, recruiting/job posting and alumni applications are doing with the data.
• Some of these rights are not absolute.
  • Erasure can be refused when the company is:
    • Exercising its right of freedom of expression and information
    • Under a legal obligation to retain the data
    • Acting in the interest of public health
    • Establishing, exercising or defending legal claims
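The request-handling process on slides 28 and 29 (verify the requestor, track centrally, notify, complete, pass the change on to third parties, and respect the legal-obligation exemption), as an added example in Python that is not part of the original webinar or of One North's tooling. The store names, processor names and the DsarTracker class are assumptions made for the example; the deadline follows the regulation's one month from receipt, extendable by two further months, rather than the round 30 days on the slide.

```python
"""Central tracker for data-subject requests (rectification and erasure).

Added illustration for this page, not One North's code. The stores are
in-memory dicts standing in for a CRM, marketing automation, CMS and finance
system, and the third-party processor names are made up.
"""
from __future__ import annotations

import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime

# Stores that must keep records under a legal obligation (finance records for
# audits, for instance) are exempt from erasure; the decision is still logged.
RETAIN_UNDER_LEGAL_OBLIGATION = {"finance"}


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: 31 Jan + 1 month is 28 (or 29) Feb."""
    m = dt.month - 1 + months
    year, month = dt.year + m // 12, m % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Request:
    request_id: str
    kind: str                  # "erasure" or "rectification"
    subject_email: str
    received: datetime
    token_hash: str            # only the hash of the verification token is kept
    status: str = "received"
    deadline: datetime = field(init=False)
    log: list[tuple[datetime, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.deadline = add_months(self.received, 1)   # one month from receipt


class DsarTracker:
    def __init__(self, stores: dict[str, dict[str, dict]], processors: list[str]):
        self.stores = stores            # system name -> {subject_email -> record}
        self.processors = processors    # third parties that must be told of changes
        self.requests: dict[str, Request] = {}

    def submit(self, kind: str, email: str, now: datetime) -> tuple[str, str]:
        """Register a request; return (id, one-time token).

        The token goes out of band to the address on file so the requestor can
        prove control of it. The tracker stores only the token's hash.
        """
        if kind not in ("erasure", "rectification"):
            raise ValueError(f"unsupported request kind {kind!r}")
        token = secrets.token_urlsafe(16)
        rid = f"DSR-{len(self.requests) + 1:04d}"
        req = Request(rid, kind, email, now, _hash(token))
        req.log.append((now, "received; verification token sent to address on file"))
        self.requests[rid] = req
        return rid, token

    def verify(self, rid: str, token: str, now: datetime) -> bool:
        req = self.requests[rid]
        if not hmac.compare_digest(req.token_hash, _hash(token)):
            req.log.append((now, "verification failed"))
            return False
        req.status = "verified"
        req.log.append((now, "requestor verified"))
        return True

    def extend(self, rid: str, months: int, reason: str, now: datetime) -> datetime:
        """Up to two further months for complex requests, decided within the first month."""
        req = self.requests[rid]
        if not 1 <= months <= 2 or now > req.deadline:
            raise ValueError("extension must be 1-2 months and decided before the deadline")
        req.deadline = add_months(req.deadline, months)
        req.log.append((now, f"deadline extended {months} month(s): {reason}"))
        return req.deadline

    def execute(self, rid: str, now: datetime, new_values: dict | None = None) -> dict[str, str]:
        """Apply the request to every store and record the outcome per system."""
        req = self.requests[rid]
        if req.status != "verified":
            raise PermissionError(f"{rid} is {req.status}; requestor not verified")
        outcome: dict[str, str] = {}
        for name, store in self.stores.items():
            if req.subject_email not in store:
                outcome[name] = "not present"
            elif name in RETAIN_UNDER_LEGAL_OBLIGATION:
                outcome[name] = "retained: legal obligation"
            elif req.kind == "erasure":
                del store[req.subject_email]
                outcome[name] = "erased"
            else:
                store[req.subject_email].update(new_values or {})
                outcome[name] = "rectified"
        for p in self.processors:           # recipients of the data are told as well
            outcome[p] = f"notified of {req.kind}"
        req.status = "completed" if now <= req.deadline else "completed late"
        req.log.append((now, f"completed: {outcome}"))
        return outcome

    def overdue(self, now: datetime) -> list[str]:
        """Open requests past their deadline, for the team's dashboard."""
        return [r.request_id for r in self.requests.values()
                if not r.status.startswith("completed") and now > r.deadline]
```

The per-system outcome map is what you would attach to the acknowledgement sent back to the user and keep as evidence that backups, archives and third parties were covered; the verification step compares hashes in constant time so the token cannot be guessed from timing, and the log never stores the token itself.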
32. What It Means: USER DATA RIGHTS / PORTABILITY
• You need a means for users to request their data in a structured, machine-readable format.
• The data needs to exist in a source that can be exported.
• NOTE: Whether that format will be standardized within industries and integrated directly, or simply shared with the user, is not clear.
35. What It Means: AUDIT TRAIL
• You need a way to capture the details of consent:
  • Easier if centralized across systems
  • With enough detail to handle each type of use
  • Including timeframes
  • The language they accepted
  • Bound to each user
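The consent audit trail on slide 35, together with the consent rules on slides 20 and 22 (active opt-in, no pre-ticked boxes, one purpose per consent, easy withdrawal, the exact wording accepted, and a timeframe), as an added Python example that is not from the original webinar or from One North. The purposes, validity periods, form identifiers and the ConsentLedger class are assumptions made for the example.

```python
"""Per-user, per-purpose consent ledger with a point-in-time audit trail.

Added illustration for this page, not One North's code. The purposes, their
validity periods and the form ids are made up; in production the ledger would
be one shared service that the website, CRM and marketing automation all write
to, instead of an in-memory list.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timedelta

# Every purpose that may ask for consent is registered up front, with how long a
# grant stays valid before it has to be refreshed (assumed periods).
PURPOSES: dict[str, timedelta] = {
    "webinar_followup": timedelta(days=90),
    "newsletter": timedelta(days=365),
    "personalization": timedelta(days=365),
}


@dataclass(frozen=True)
class ConsentEvent:
    subject: str            # user identifier, e.g. email address
    purpose: str            # exactly one purpose per event, never "all"
    granted: bool           # True = opt-in, False = withdrawal
    at: datetime            # when the user acted
    text_version: str       # the wording they saw, so it can be shown again later
    source: str             # form / page / system that captured the action
    expires: datetime | None


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []   # append-only

    def grant(self, subject: str, purpose: str, at: datetime, text_version: str,
              source: str, *, prechecked: bool = False) -> ConsentEvent:
        """Record an affirmative opt-in and refuse the patterns GDPR does not accept."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: one registered purpose per grant")
        if prechecked:
            raise ValueError("a pre-ticked box is not an affirmative action; nothing recorded")
        ev = ConsentEvent(subject, purpose, True, at, text_version, source,
                          at + PURPOSES[purpose])
        self._events.append(ev)
        return ev

    def withdraw(self, subject: str, purpose: str, at: datetime, source: str) -> ConsentEvent:
        """Withdrawal is appended, never deleted, so the history stays auditable."""
        ev = ConsentEvent(subject, purpose, False, at, "", source, None)
        self._events.append(ev)
        return ev

    def has_consent(self, subject: str, purpose: str, at: datetime) -> bool:
        """Was there valid consent for this purpose at time `at`?

        The latest event on or before `at` wins, and a grant stops counting once
        its validity period has run out.
        """
        latest: ConsentEvent | None = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return bool(latest and latest.granted and at < latest.expires)

    def history(self, subject: str) -> list[dict]:
        """Everything recorded for one user, in order: the answer to
        'what did I agree to, in which words, and when?'."""
        return [asdict(ev) for ev in self._events if ev.subject == subject]
```

Because every decision (marketing automation sending a newsletter, the website personalizing a page) asks the ledger with a timestamp, a later dispute can be settled by replaying the same question for the moment in question; that is the "bound to each user, with timeframes and the language they accepted" requirement in one place.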
39. What It Means: PRIVACY BY DESIGN
Privacy by Design is a formalized approach to creating tools and systems that forces privacy to be integral to the application. Its seven foundational principles (as set out by Ann Cavoukian):
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality: positive-sum, not zero-sum
5. End-to-end security: full lifecycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric
42. What It Means: BREACH NOTIFICATION
• Need monitoring / alerting / auditing tools to “become aware” of a breach in the first place; the notification clock starts when you become aware.
• Timeframes require a pre-defined process: the supervisory authority must be notified within 72 hours of becoming aware, and affected users without undue delay when the breach is likely to result in a high risk to them.
• Executives, PR, Marketing, IT and 3rd parties all have to agree in advance how to execute on this.
• Bad examples
  • Equifax
  • Yahoo
45-48. Marketing Activity / GDPR & Data Privacy Considerations
1. Webinar signup
  • Active opt-in
  • Clear language on use
  • Include timeframe
2. Niche newsletter related to the webinar
  • Get new consent?
  • Get it on first request?
3. Web visit with personalization
  • Implicit / explicit personalization
  • Be transparent
  • Indicate CRM data usage
  • Get consent for data gained before
  • Indicate any third-party usage
  • Similar to a cookie policy?
4. Data-right erasure request
  • Prove identity?
  • Acknowledge receipt
  • Complete within one month
  • Remove from all 3-4 systems
  • Keep server logs and finance records for audits
50. Moving Towards GDPR Compliance
Inventory Web Focus Risk Level User Experience
51. Moving Towards GDPR Compliance: Inventory
• Comprehensive system diagram: website outward, including internal AND external systems/applications
• All data stores holding employee, client/prospect, recruiting, etc. information; note the data flows
• 3rd-party plugins, web analytics, websites, etc.
• Other applications/websites with client/recruiting/etc. interactions: email marketing, CRM, HR, etc.
• Don’t forget personal data previously obtained with “blanket” consent.
• QA/test/development environments, DR sites, backups/archives, etc.
52. Moving Towards GDPR Compliance: Web Focus
• Thorough review of the website
  • Page by page, as well as...
  • The content management system
  • Data feeds/web services
  • All URLs
  • Forms, even (especially!) generic contact forms
  • Legal notices: privacy statements, cookie warnings, etc.
53. Moving Towards GDPR Compliance: Risk Level
• Involve your General Counsel (GC) and/or Data Protection Officer (DPO)
• Align with your firm’s broader GDPR initiative
• What data processing activities is marketing involved in?
• Assess your GDPR risk level: High Risk, Risk, Low Risk
• Define appropriate GDPR risk mitigation
54. Moving Towards GDPR Compliance: User Experience
• Consider the user experience when designing a GDPR-compliant solution.
• Consistent consent form design/layout: opt-in, granular, withdrawable and transparent
• Consent is not the same as Terms & Conditions.
• Privacy policy: clear, prominent and relevant
• Managing consent, personal data and other preferences
  • User self-service or manual email?
56. GDPR is not just a regulatory hurdle to comply with, but also an opportunity to deliver a great user experience and fuel better marketing by acknowledging your users’ ownership of their data.