Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.
As an advertiser, publisher, or anyone dealing with consumer data, it is important for you to have a robust compliance regime in place. Although the General Data Protection Regulation (GDPR) may involve you having to make changes to your data processing policies, it also presents an opportunity. It gives businesses the chance to enhance compliance and demonstrate to their customers that their personal data is in safe hands, especially at a time when privacy is a key concern. At Rakuten Marketing, we’ve put together some basic GDPR insights, specifically for those businesses involved in marketing, to help you get to grips with what the GDPR is and how it might impact your business.
What is GDPR?
The GDPR is the overall regulation on the protection and handling of personal data for the European Union (EU). Even if your business isn’t based in the EU, you may still need to be GDPR-compliant (more information on this below). Those who aren’t compliant can be fined up to 4% of global turnover or €20,000,000, whichever is greater. For marketers, the differences between the GDPR and current UK data protection regulations include, but are not limited to:
- New and strengthened rights for individuals
- New obligations for data processors, as well as controllers
- Increased territorial scope
- Broader definition of ‘personal data’
- Increased accountability
- Breach notification
My Business isn’t Based in the EU, Do I Still Need to be GDPR-Compliant?
A quick way to know if you are required to be GDPR compliant is by answering a few questions:
- Does your business collect, use, or processes personal data from individuals in the EU?
- Does your business offer services or goods to people in the EU?
- Is an office of your business in the EU?
- Do you monitor individuals in the EU?
We’ve created the below flowchart to help you find out if you’re required to be GDPR-compliant. For the full image, click here.
What’s Required to be Able to Use Individual’s Data from the EU?
The GDPR sets out the need for each data processing activity to have a ‘legal basis.’ This means that if you’re processing personal data, it must be based on one of the following conditions:
- Consent– The individual has given clear, informed agreement to the processing of their data.
- Contract– Processing a person’s data is necessary to fulfill a contract.
- Legitimate Interest– Processing an individual’s personal data is strictly necessary for the business. For example; to prevent fraud or because of a criminal investigation.
- Legal obligation and public interest– Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest.
What’s the Purpose of the GDPR?
Currently, the EU data protection directive of 1995 is in place and the GDPR will replace it. The European Parliament, the Council of the European Union and the European Commission implemented the GDPR regulation with the intention to give consumers more control and visibility into how their personal data is collected and used. In general, there are six data protection principles set out in the GDPR that each processing activity must comply with.
- Fair and transparent – A person needs to know why and how his or her data will be used
- Purpose limitation – Data can only be used for the reason it was collected.
- Data minimization – No more data can be collected than necessary for its purpose.
- Storage limitation – If the data is no longer necessary, it must be deleted.
- Confidentiality and integrity – Data must be stored in a secure manner.
- Accountability – Compliance with the data protection principles must be provable.
What Are Rakuten Marketing Doing to Be GDPR Compliant?
Everyone, including Rakuten Marketing, should be working towards being GDPR-compliant before May 25. For over a year, we have worked on meeting as many of the compliant requirements as possible and have identified four phases relevant to our business to ensure we are compliant by the autumn deadline. The following are some measures we are taking in our GDPR preparations:
- Integrating our global parent company’s Binding Corporate Rules (BCR) scheme.
- Creating a robust compliance program.
- Creating and updating audit schedules.
- Providing additional training to our employees focused on the GDPR and other privacy laws overall.
- Implementing features to complete our ISO 27001
- Modifying our product development lifecycle to include privacy by design.
- Securing data processing agreements with our vendors and our customers. This includes data transfer agreements to meet the regulatory framework(s).
- Reviewing and updating our policies as appropriate.
As May 25th draws closer, we at Rakuten Marketing have committed to providing insightful content that will help guide you through all the details of what the GDPR is, who it affects, how to make sure you’re compliant. Subscribe to our blog or speak to your Rakuten Marketing representative for to keep up-to-date with our future content, including more information on the above bullet points and our four-phased strategy compliance module.
A version of this blog post originally appeared on our UK site which you can read here.