The GDPR is no joke, yet there are still so many people who don’t fully understand it. So, we have put together a list of the most asked questions and given brief, simple answers to help enlighten those who may not yet know the basics of the GDPR.
Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.
69 days and counting… the GDPR is coming quickly and, according to eMarketer, only 6% of firms say they’re completely prepared! What’s even scarier is the fact that 17% of firms say they’re not required to be GDPR-compliant. Granted, it may be true that some companies won’t be affected by the GDPR, but we are here to help you MAKE SURE you don’t actually need to be compliant. So how do you know if you’ll be affected? The following will give some insight into this question, as well as some other popular questions being asked about the GDPR.
Who does the GDPR affect?
Just because you’re not located in the EU doesn’t necessarily mean that the GDPR doesn’t apply to you. If you’re a US-based company but gather and measure data from around the globe, including places like the UK (yes, even with the uncertain ‘Brexit’, they still apply), France, Italy, Germany, etc., then the GDPR affects you. Everyone who receives, uses or processes data from consumers in the EU will need to be compliant with the GDPR requirements.
How does it affect you?
- Businesses: If you’re a business that processes personal data from EU consumers, you must obtain the data under one of the following conditions:
  - Consent – The individual has given clear, informed agreement to the processing of their data. This is an opt-in to usage instead of an opt-out.
  - Contract – Processing a person’s data is necessary to fulfil a contract.
  - Legitimate interest – Processing an individual’s personal data is strictly necessary for the business, for example to prevent fraud or because of a criminal investigation.
  - Legal obligation and public interest – Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest.
- Advertisers & Publishers: Advertisers and publishers will both be affected by the GDPR since both use data. Advertisers need to be more careful about what data they buy for clients, which can affect campaigns and strategies. This reduction in the user data advertisers have access to will “force advertisers to buy ads on sites with recognizable brands rather than target audiences whenever they wind up on the web, which should send more ad dollars to premium publishers,” a source from a comScore 200 publisher states.
- Consumers: Although consumers don’t necessarily have to change anything they’re doing, they are gaining back control over their personal data. The GDPR gives consumers:
  - The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
  - The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
  - The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  - The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
  - The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
  - The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  - Rights of automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
How can you be sure to be compliant?
When it comes to pulling consumer data, be sure to follow the “Principles relating to processing of personal data” article of the EU GDPR, which basically states that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
What constitutes personal data?
Any information related to a natural person/data subject that can directly or indirectly identify that person. Some examples are:
- Name, email, address & phone number
- Personal info (sexual orientation, gender preference, racial identity)
- Bank details
- Medical info
- Computer IP address, cookie IDs
Stay tuned for more GDPR-based blog posts that will give insight, guidance and help on all things GDPR. For more information right now, check out the Rakuten Marketing UK Resource Center, where a great deal of time and work has been dedicated to creating a wealth of GDPR content.