How Digital Marketers Adjust to the General Data Protection Act
A Quick History of Data Privacy Protection
The internet was birthed nearly four decades ago, and as a baby, amazed the world with its clunky tricks and rudimentary abilities. When it became a teenager in 1995 it had developed enough possibilities to need a few rules and regulations in relation to personal data on the internet, and the Data Protection Directive (DPD) was adopted in regard to the processing of personal data within the European Union (EU).
But as the internet expanded and the world continued to shrink, tighter and more specific regulations were needed. Article 8 of the European Convention on Human Rights provides a right to respect for one’s “private and family life, his home, and his correspondence,” and the new regulation, the General Data Protection Regulation (GDPR), was a comprehensive reform that shored up what the DPD lacked to create a central, guiding, EU-wide law. The GDPR builds on the key tenets of the DPD with more specific requirements, broader scope, and stiffer enforcement. The GDPR ensures that citizens have control over their personal data online.
It was approved by the European Parliament in 2016 and became a national law for all EU Member States in 2018. Even though the United States does not come under EU authority, to do business with a European entity, even controllers outside the EU must comply with the GDPR.
Then Enters the GDPR
The primary goal of the GDPR is to give the individual control over their personal data and to simplify the regulatory environment for international business. The three overarching ways this is accomplished are the:
1) harmonization of the 27 national data protection regulations into one unified regulation,
2) improvement of corporate data transfer rules outside the EU and,
3) improvement of user control over personal identifying data.
For a company doing business within the EU, there are many strict requirements to be in compliance. Controllers and processors of personal data must put into place appropriate technical and organizational measures to implement the data protection principles. All business processes that handle personal data must be designed and built with consideration of GDPR principles. Data controllers must design information systems with privacy in mind and must clearly disclose any data collection. Businesses whose core activities consist of regular or systematic processing of personal data must employ a data protection officer. The GDPR consists of 8 basic rights:
1. The right to access. Individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge, and in electronic format if requested.
2. The right to be forgotten. If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
3. The right to data portability. Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.
4. The right to be informed. This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt-in for their data to be gathered, and consent must be freely given rather than implied.
5. The right to have information corrected. This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
6. The right to restrict processing. Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
7. The right to object. This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. The right to be notified. If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
So who cares? Isn’t this just for Europe?
The GDPR affects all businesses within the EU and UK, businesses that provide goods or services to EU-based people, and any business monitoring online behavior of EU-based individuals. It also includes anyone engaging in business with companies located in the EU, even if that individual is from the US. Though the US has its own online privacy laws, they vary from state to state.
The GDPR matters to marketers because the collection of any data that allows an individual to be identified must be clearly stated to, and accepted by, that individual before the data is collected. This includes email, user demographics, IP addresses, customer interactions, and targeting, but the most noticeable way this affects marketers is through analytics.
By default, Google Analytics allows marketers to gather a wide range of data on users to help make decisions for digital businesses, such as how users navigate a site, what channels conversions are coming from, and general user demographics, which are stored information about the user. Without these analytics, it becomes difficult to assess how a website is performing or how to retarget.
So what to do with this new normal…
To comply with the increasing data protection laws, Google has created a way to get data on users without actually having their personal data: IP Anonymization. When a customer requests IP anonymization, Analytics anonymizes the address at the earliest possible stage of the collection network. The IP anonymization feature sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case, keeping the identifying properties of the address anonymous, but still allowing for basic performance metrics to be tracked in order to make savvy digital decisions.
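The same masking applied to a site's own access logs before they are written to disk, as an added example that is not Google's code or part of the original article. The function names and the log lines are constructed for illustration; the IPv6 mask zeroes the low 80 bits of the 128-bit address, and IPv4-mapped IPv6 addresses are unwrapped first so the mask lands on the real last octet.

```python
import ipaddress

V4_KEEP_BITS = 24   # keep 24 bits: zeroes the last octet of an IPv4 address
V6_KEEP_BITS = 48   # keep 48 bits: zeroes the low 80 bits of an IPv6 address


def anonymize_ip(raw: str) -> str:
    """Return the address with its host-identifying low bits set to zero."""
    addr = ipaddress.ip_address(raw.strip())
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d. Masked as
    # IPv6 that would collapse to "::", so treat it as the IPv4 address it is.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = V4_KEEP_BITS if addr.version == 4 else V6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def scrub_log_line(line: str) -> str:
    """Mask the client address (first field) before the line is persisted."""
    client, _, rest = line.partition(" ")
    try:
        return f"{anonymize_ip(client)} {rest}"
    except ValueError:
        # Unparseable client field: drop it rather than store it unmasked.
        return f"- {rest}"


def scrub_log(lines):
    return [scrub_log_line(line) for line in lines]


# Constructed sample lines using documentation-only address ranges.
SAMPLE_LOG = [
    '203.0.113.57 "GET /pricing" 200',
    '203.0.113.201 "GET /pricing" 200',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 "GET /" 200',
    '::ffff:198.51.100.23 "POST /signup" 302',
    'unknown "GET /" 400',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

The first two sample visitors become indistinguishable after masking, which is the intended privacy effect and also the cost: per-visitor counts based on the address alone are no longer possible.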
Bonsai Media Group is dedicated to keeping our clients compliant with necessary privacy acts, and to making swift and agile adjustments. We’re confident in our ability to navigate your business through these regulations with solid and straightforward solutions.