CEB Blogs


10 Things Marketers Need to Know about the GDPR

It's now less than five months until the laws take effect; make sure you're prepared

The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25th this year. Here are some fast facts you should know about important terms, how it might affect you, and how to prepare.

  1. The regulation applies to companies not located in the European Union: Even if controllers and processors are based outside the EU, the GDPR will still apply if they are handling the data of EU residents.

  2. Personal data does not only include “personally identifiable information (PII)”: GDPR expands the scope of regulated data to include information relating to an “identifiable natural person”, even if the data cannot be used to identify that person. Information such as browser cookies and history, downloaded content, and demographic data is covered under GDPR.

    When it’s unclear whether the data is “personal” or not, marketers must establish marketing-specific guidelines to determine how they will treat the data.

  3. The marketing team are likely defined as “controllers”: Controllers are the companies and individuals responsible for making decisions about what to do with collected data. Marketing professionals are among the employees most likely to be making decisions about what to do with personal data collected by their company, either from customers or third parties.

  4. Your IT department, software providers, and other marketing affiliates are “processors”: Processors, as defined by the GDPR, are the entities that handle and use data. Unless explicitly directed to make autonomous decisions, the processor should use personal data only as instructed by the controller.

  5. It is possible to be both a controller and processor: If an entity both makes decisions about data usage and then processes that data, it falls under both categories.

  6. Processing of personal data refers to any action taken on data: Obtaining, organizing, changing, anonymizing, transferring, analyzing, and even destroying data fall under the umbrella of “processing.”

  7. The activity of “profiling” comes with additional regulations: Most marketers will engage in this activity, defined as “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

    Any activity classified as profiling bestows upon data subjects the right to obtain information about it, object to it, and withhold consent to it being used.

  8. Almost all personal data can be processed, but a number of steps are required to ensure compliance: Controllers must determine and document the reasons and legal justification for processing any personal data, identify the personal data to be processed and give a reason for using it, ensure that only processors and processing systems can access the data, and ensure the data is removed from the systems after it is no longer needed.

  9. Consent to data processing must be freely given, affirmative, and specific: Use of the service must not be conditional on consent (except where data is specifically needed to use the service). The GDPR also makes clear that the processing activities and identity of all involved parties must be made obvious in plain language. Consent should be given for all purposes of the ensuing data processing.

  10. You may have to appoint a data protection officer (DPO): While not every organization will be required to appoint one, most organizations should hire a DPO to ensure that privacy policies are airtight and data is handled properly. Where “regular and systematic monitoring of individuals on a large scale” takes place, the GDPR requires the inclusion of a DPO.

