Join David Booth for an in-depth discussion in this video, Roles and definitions, part of GDPR for Marketers.
- It's important to understand some definitions, especially around the different roles that you might play. First, since the GDPR is all about protecting personal data, it's important to understand just what personal data with a capital P and a capital D means. I'll give you the actual definition. Personal data means "any information relating to an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." So what does that cover? Well, this is really important.
That covers just about everything you might already be collecting as a savvy digital marketer. Until GDPR, many of us observed the no PII or personally identifiable information rule. PII was pretty easy to define. Anything that could be mapped back to an individual person, a phone number, a credit card, an email, or a physical address, all of those would be considered PII. But personal data as it's defined in the GDPR is much broader.
This could be an anonymous tracking ID or a cookie, which virtually every single digital advertising technology uses. It could be interpreted that knowing too many anonymous factors about an individual means you actually know who that individual is. If you're collecting different kinds of behavioral data or anonymous attributes like say you know someone is in a certain city, is a male between the ages of 35 and 39, and interested in pet supplies and professional football, that can be considered personal data as it might be just enough to narrow it down to an individual.
While interpretations vary, it's clear that personal data is widely defined. Many are advocating a conservative approach to protecting it. As far as the key roles defined in the GDPR, the first is a data subject. Any EU resident or individual inside the boundaries of the EU is considered a data subject. Article 3 states that "This regulation applies to the processing of personal data of data subjects who are in the Union." This is widely interpreted to extend beyond Europeans living in Europe.
If you're working in the EU as a foreigner or if you're on a vacation to Paris, then you are a data subject and you're covered by the protections offered in the GDPR. Generally speaking, you should be thinking of a data subject as the individual whose personal data is being protected. Next, we have the concept of a data controller. If you're a company that markets to individuals directly, then you're a data controller. Strictly defined, a data controller is the entity that determines the purpose and means of the processing of personal data.
As a data controller, you're responsible for all the data collected, whether it's first, second, or third party. First party data is the data that you collect directly from your data subjects. If you have an email signup form on your website or if you collect information through ecommerce or you run a loyalty program, or anything in between that collects personal data, then you're responsible for this first party data as a controller. Second party data commonly refers to data that you obtain from other entities, often through partnerships or by working together.
If you do any kind of promotion or a campaign, or even a webinar with a vendor or a partner organization, and if you share or exchange any lists or information containing personal data, then you're responsible for protecting the rights of data subjects impacted by what you're sharing and by what you're receiving. Third party data is essentially data that you purchase from another entity that contains personal data: marketing lists, survey or segmentation data, behavioral data and attributes, web browsing tendencies.
All of this and more is available on the open market to help marketers target the right audiences. If you're buying it, you're responsible for it as a controller. The last key role is a data processor. If you're in a position to receive, collect, transmit, or use personal data in any way on behalf of any data controller, then this describes you. If you're a controller, then your data processors will include many of your technology or platform vendor partners in the digital marketing space.
If your analytics provider is grabbing any personal data by way of their solution on your behalf, they're a processor of yours. If you're uploading audiences into a system to execute a media buy, you've likely got a few processors along that path. If you're using third party fulfillment services to deliver ecommerce purchases to a doorstep, you've got another data processor. Many of us will find that we span multiple roles. As an individual who visits and works in the EU a fair bit, I'm a data subject with all the rights and protections that GDPR provides.
As a data and analytics consulting firm, we come in contact with and use the personal data of our clients to provide analysis and insights, making us a data processor. As a company that markets our services to other individuals and companies, we play the role of a data controller. Understanding these definitions and roles is a foundational key to understanding the GDPR. Knowing the data you need to protect and the roles you play will help to determine what you need to do to get and remain compliant.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.