Join David Booth for an in-depth discussion in this video, "When you can process personal data," part of GDPR for Marketers.
- At this point, it's probably clear that in a GDPR world, the consumer is in control of who gets the privilege of using their data. You might be wondering exactly how you're going to manage to get any of that data from individuals that you rely on to do your job as a marketer. The GDPR allows for a few different scenarios under which you can collect and process personal data. And that brings us to the clearest and most straightforward way that you'll likely be doing this: consent.
We'll discuss this in detail later in the course, but generally speaking, the good old days of implied consent, what we've relied on since the dawn of the internet, are over. Implied consent was the concept that by visiting my website or downloading my app, you agree to everything in my 200 page, small font set of terms and conditions that no one has ever read. Under GDPR, this doesn't cut it. You'll need to gain explicit consent for all the things you want to do with an individual's personal data.
That consent can't be a wordy piece of legalese either. It needs to use clear and plain language that requests and obtains a data subject's affirmative and granular consent. You'll need to get it for everything you want to do with their personal data, and you'll need to get it again every time you intend to do something new. You'll also need to provide a way for individuals to withdraw consent at any time. When they do, you'll need to immediately stop whatever you were doing with that personal data.
Explicit consent is the first mechanism for you to do lawful processing of personal data. Beyond that, there's a series of provisions allowing for the collection and processing of personal data to do things like perform a contract or fulfill legal obligations, or in cases of medical emergencies or in the broader public interest, things like that. But if you don't have explicit consent and none of that applies, then your last recourse is what's known as legitimate interest. This essentially means that you have a very logical reason for collecting and using the personal data, that you'll only use it for that very logical reason, and that it's not intrusive or overly sensitive information to the data subject.
In short, you'll need to pass the balance test, weighing your use of personal data against a potential intrusion of privacy. Basically, the data subject should very reasonably expect the personal data to be used the way you actually use it. Let's say you've got an online store selling shoes, and someone buys a pair of shoes from you. In order to deliver that pair of shoes, you have a legitimate interest in knowing that data subject's home address. While you need that data to fulfill your obligations under the transaction, you'd better not go and sell that address to a website selling socks unless the data subject gave you consent, because legitimate interest isn't going to cover you there.
It's also important to note that the GDPR provides for special categories of personal data that tend to be more sensitive in nature. Things like race and ethnicity, religious or philosophical beliefs, sexual orientation, genetic or biometric data and health data all fall under this category and can only be processed if the conditions for processing sensitive personal data are satisfied. If you're collecting or processing this kind of data, you'll want to dive into Article 9 of the GDPR to ensure that you're complying.
But generally, it's good to remember that the processing of sensitive information is expressly prohibited unless these very specific and stringent conditions are satisfied. To be clear, the GDPR places the bar very high in these cases, and it does this very intentionally. Regardless of the kinds of personal data that you're collecting or processing, it's clear that under GDPR you have to have, and be able to demonstrate, a good reason for doing it. This is consistent with shifting the power over personal information to the individual.
As marketers, we need to be conscious of the fact that this may limit some of the activities we've historically done and force us to examine the way we approach many of the channels and initiatives we've traditionally relied on.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.