If you are not worrying about it by now, you should. The General Data Protection Regulation (GDPR) is upon us and, with it, the need for data management that never stops.
Ultimately, we all know that this complex set of rules is meant to protect users, and the marketing teams that work with their data, and that is a good, and very necessary, measure.
On the other hand, it also means a huge hassle to demonstrate what should be obvious by now: we are all making our best efforts to keep people’s data safe and oversharing their information was never and will never be an option. But we must bear in mind that the European Union decided to err on the side of caution and, at the end of the day, that is not a bad thing.
So, let’s kick off this handbook to the GDPR with a 101 on the most relevant traits of the legislation. No matter how big or small your company is or how many data sources you draw on to enhance your marketing strategy, this guide will definitely come in handy.
The General Data Protection Regulation is a set of rules that intends to:
- avoid the abusive collection and use of personal data;
- restrain and supervise the way companies share that data with others.
It defines when data processing is lawful, which ranges from the need for a clear and mandatory consent from the user to the pursuit of legitimate interests by the data collector.
The Power of Pseudonymized People
It specifically focuses on personal data (what most marketers call Personally Identifiable Information, or PII) and the logic is quite simple: if you can identify a person, you cannot use their data freely; every use needs one of the lawful bases above. How do you identify a person? Via a name, an ID number, location data, cookies and other online identifiers, and many other physical, economic, cultural or social traits.
So if your customer data is in any way identifiable, you need a lawful basis before you can use it. However, the Regulation explicitly recognises pseudonymized data, and this is where most of the relief for marketing lies. It essentially means that, as long as you can’t pinpoint whether it was Jane or John Doe who walked a specific path through a shopping centre, you can use their behavioural data for analytics and marketing with far fewer constraints.
And even if, at one point, you could indeed have pinpointed whether it was John or Jane, but intentionally set that information aside so that, at the moment of use, you can no longer attribute the data to either of them, you can use it, as long as you ensure proper separation between the two data silos: the one with identifiable data and the one that contains no identifiable traits. The additional information that links the two (the key) must be kept apart and protected. Bear in mind that data which can still be re-linked with that key remains personal data under the Regulation, so it stays in scope; pseudonymization counts as a recognised safeguard, not an exemption. Only if you throw away the key for good, and nothing else in the dataset can single a person out, does the data become anonymized and fall outside the Regulation altogether. This is what pseudonymization stands for: the conscious effort to strip the Personally Identifiable Information out of the data you actually work with.
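To make the two-silo idea concrete, here is an added example (not code from the original post) of how the split is usually implemented in practice. Direct identifiers stay in the identity silo, which also holds a secret key; the marketing silo only ever receives a keyed pseudonym (an HMAC of the e-mail address) plus the behavioural data. Re-identification is a join that needs the key, and destroying the key removes that ability. The records, names and store paths are constructed sample data; the class and function names are this example’s own, not anything the Regulation prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as they might sit in the identity silo (CRM side).
RAW_VISITS = [
    {"name": "Jane Doe", "email": "jane@example.com", "store": "Mall A",
     "path": ["entrance", "shoes", "checkout"]},
    {"name": "John Doe", "email": "john@example.com", "store": "Mall A",
     "path": ["entrance", "food court"]},
    {"name": "Jane Doe", "email": "Jane@Example.com", "store": "Mall B",
     "path": ["entrance", "books"]},
]

# Fields that directly identify a person and must never reach the marketing silo.
DIRECT_IDENTIFIERS = {"name", "email"}


class IdentitySilo:
    """Holds the secret that turns an identifier into a pseudonym.

    This object is the 'key to the door': it lives with the identifiable data,
    under separate access control, and is the only thing that can re-link.
    """

    def __init__(self, key=None):
        # A random 256-bit key by default; a fixed key is accepted for tests.
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, email):
        """Keyed, deterministic pseudonym for one person (same person -> same token).

        A plain unkeyed hash would not do: an attacker with a list of e-mail
        addresses could hash them all and match the tokens. With an HMAC the
        key is required, so the marketing silo alone cannot reverse the mapping.
        """
        if self._key is None:
            raise RuntimeError("key destroyed: re-identification is no longer possible")
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def destroy_key(self):
        """Throw away the key: pseudonyms issued so far can never be re-linked."""
        self._key = None


def pseudonymize(records, silo):
    """Produce the marketing-silo view: behavioural data keyed by pseudonym only."""
    out = []
    for record in records:
        clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        clean["subject"] = silo.pseudonym(record["email"])
        out.append(clean)
    return out


def contains_direct_identifiers(records):
    """Sanity check to run before anything leaves the identity silo."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


def reidentify(pseudonymized, silo, raw_records):
    """Join pseudonymized rows back to names. Only works while the key exists."""
    lookup = {silo.pseudonym(r["email"]): r["name"] for r in raw_records}
    return [lookup.get(row["subject"]) for row in pseudonymized]


if __name__ == "__main__":
    silo = IdentitySilo()
    marketing_view = pseudonymize(RAW_VISITS, silo)
    print("direct identifiers left:", contains_direct_identifiers(marketing_view))
    print("same visitor in Mall A and Mall B:",
          marketing_view[0]["subject"] == marketing_view[2]["subject"])
    print("re-linked while key exists:", reidentify(marketing_view, silo, RAW_VISITS))
    silo.destroy_key()
    try:
        silo.pseudonym("jane@example.com")
    except RuntimeError as err:
        print("after key destruction:", err)
```

Two things worth noting. First, the pseudonym is consistent across visits (Jane in Mall A and Jane in Mall B get the same token), which is exactly what makes the data useful for journey analysis without naming anyone. Second, destroying the key removes the link on your side, but it does not by itself make the dataset anonymous: a rare store path, a precise timestamp or a location trace can still single a person out, so the remaining columns need the same scrutiny as the names and e-mails you removed.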
We will focus the second post of this series on the topic of pseudonymization, so make sure to come back for more information on this.
First things first: who does this affect? Almost everyone, actually. If you run a business within the EU you have to observe the Regulation, and if you are not in the EU but in any way collect or store information about people in the EU, you also have to observe it. Even worse, if you’re not an EU company, you may have to appoint a representative there to act on your behalf.
Breach of the legislation comes with a very, very heavy price. Fines range from €10M or 2% of the company’s worldwide annual turnover to €20M or 4% of that turnover (whichever is higher). The second tier of fines refers to the most blatant infractions, namely, those that have to do with the basic principles for processing, such as the absence of consent, with data subjects’ rights and with international data transfers, while the first tier covers the “minor” infringements: privacy by design and by default, missing records of processing activities, and so on.
So, these are pretty much the basics of the GDPR. If all of this is a little baffling, it’s perfectly normal. Just make sure to come back in a few days, because we will be back with more on this.