Write a plan for GDPR

The GDPR imposes new requirements on the collection and processing of personal data. It means a new way of thinking about data, with serious consequences for organizations that do not comply. As a marketing manager, it's important to drive a change in attitude around data that permeates the entire organization.

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. The regulation builds on and tightens previous rules in the Personal Data Act and in many ways means a completely new approach to personal data, its use and the relationship with previous customers, leads and other contacts. As a CMO, it is crucial to understand what the changes mean and adapt your organization to the new mindset.

Privacy by default

The basic principle of 'privacy by default' emphasizes only collecting and processing personal data that is necessary for specific purposes. This includes the amount of data collected, how it is processed, who has access to it and how long it is kept. Each collection, storage and processing activity must have a defined purpose.
For businesses and organizations, this means a shift from seeing data as something they own to seeing it as something they are trusted to handle, for specific purposes and for a limited time.

Broader definition of personal data

The GDPR introduces a broader definition of "personal data." It is no longer just about names, addresses, email addresses and phone numbers. Now, anything that can identify an individual, including IP addresses and cookie IDs, is considered personal data and must be handled with care.

  • Cookies: Non-essential cookies must be turned off by default until the user actively accepts them and understands their purpose. However, cookies that are essential for the functioning of the website, such as those that manage a shopping cart in e-commerce, do not require explicit consent.

  • IP addresses: Marketers must ensure that they have a legal basis, such as consent or legitimate interest, to store and process an individual's IP address.

Active consent

The GDPR imposes new and stricter requirements for consent. Pre-filled checkboxes are no longer allowed.

  • Consent must be:

    • Voluntary, specific, informed and unambiguous.

    • Actively given, for example by the user checking a box or selecting specific options for what information they want to receive.

  • Withdrawing consent should be as easy as giving it.

  • Users need to understand what they are consenting to and for what purposes. For example, they should be able to choose to accept cookies for login details but decline them for targeted advertising.

Organizations must document consent and show when, where and how users gave their consent and for what purpose.

  • Preference Center: A "Preference Center" is essential to allow individuals to manage their communication preferences and avoid losing valuable contacts completely.

The right to be forgotten

Under the GDPR, individuals have the "right to be forgotten," which means they can request that all their personal data be deleted by an organization. This includes the immediate and permanent removal of data from all systems, not just the marketing platform.

Organizations must have processes in place to quickly process such requests and ensure that data is deleted from all interconnected systems, such as CRM and backups.

Data collected before the GDPR's introduction must be reviewed for compliance. If consent was previously obtained and documented according to GDPR requirements, no new consent is needed. However, personal data without proper documentation or valid consent must be deleted.

Conclusion

The GDPR presents challenges but also opportunities to improve data governance and build trust with your audience. By embracing principles such as privacy by default, active consent and the right to be forgotten, organizations can both meet GDPR requirements and strengthen customer relationships.


Regularly auditing your processes and ensuring legal bases for processing will help maintain compliance and promote long-term success.
