GDPR FAQs & Key Considerations

Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. 

The General Data Protection Regulation – GDPR – is the overall regulation on the protection and handling of personal data. Although the GDPR is for the EU, its impact is global.

If you’re an advertiser, publisher, or other Rakuten Marketing partner dealing with customer data, it is vital for you to have a robust compliance regime in place. Below, you’ll find a series of frequently asked questions and key considerations, particularly for those businesses involved in marketing, to help you get to grips with what the GDPR is and how it might impact your business.

It’s important to remember that although the GDPR may involve you having to make changes to your data processing policies, it also presents an opportunity. It gives businesses the chance to enhance compliance and demonstrate to their customers that they can trust that their data is in safe hands at a time when privacy is a key concern.

What is the GDPR?

The GDPR – or General Data Protection Regulation – is the overall regulation on the protection and handling of personal data for the European Union (EU). The main rationale behind the GDPR is to give consumers more control and visibility of how their personal data is collected and used.

When does the GDPR come into force?

The GDPR is applicable from 25th May 2018.

My business isn’t based in the EU – do I still need to be GDPR-compliant?

Although the regulation is for the EU, its impact is global and extends far beyond European countries. At a simplified level, if your business collects, uses, or processes personal data from individuals in the EU, or offers services or goods to people in the EU, the GDPR will apply.

For more detail on this, read our guide: Does the GDPR apply to your business?

What happens if businesses don’t comply?

Liabilities and enforcement rules are very strict. Fines of up to 4% of global turnover, or €20,000,000 – whichever is greater – have been promised.

What are the differences between the GDPR and current UK data protection regulations?

Broadly, the GDPR aims to give more power to individuals over how their data is collected and used. Some of the key changes that are particularly important for those working in marketing include, but are not limited to:

  • New and strengthened rights for individuals
  • New obligations for data processors, as well as controllers
  • Increased territorial scope
  • Broader definition of ‘personal data’
  • Increased accountability
  • Breach notifications

For further details on these points, read our guide – General Data Protection Regulation: Key changes.

What are the different required legal bases for processing data?

The GDPR sets out the need for each data processing activity to have a ‘legal basis’. This means that if you process personal data, it must be based on one of the following conditions:

  • Consent – The individual has given clear, informed agreement to the processing of their data
  • Contract – Processing a person’s data is necessary to fulfil a contract
  • Legitimate interest – Processing an individual’s personal data is strictly necessary for the business, for example to prevent fraud or because of a criminal investigation
  • Legal obligation and public interest – Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest

Not only must you understand which legal basis applies to your processing of personal data, but you must also document and be able to prove this basis.

How does consent work under the GDPR?

For marketers, the legal basis for processing personal data most likely to apply is consent. So, one of the most common questions from marketers about the GDPR concerns the implications it will have for their current consent policies. Here are some of the important things you need to know:

  • Consent must be given freely, and be specific and informed. In other words, the person giving consent to the processing of their personal data must be completely clear in what they are consenting to
  • Opt-in consent is a must. Consent can’t be inferred or given silently, passively or by pre-ticked boxes that someone has to opt-out of
  • There must be a simple way for people to withdraw consent if they’d like to
  • Consent must be documented and verifiable
  • As long as any existing consent meets the GDPR standard it will not need to be gathered again

In November 2017, members of IAB Europe’s GDPR Implementation Working Group released their working paper on GDPR consent. The paper aims to explain the definition of consent under the GDPR, and the practical implications of using consent as a legal basis for processing personal data in online advertising.

Please seek help from a GDPR expert to make sure you are getting consent properly or have identified which processing grounds are appropriate for your business.

What are the GDPR data protection principles?

As well as the legal bases for processing, there are six data protection principles set out in the GDPR that each processing activity must comply with. In simple terms, these are:

  • Fair and transparent – A person needs to know why and how his or her data will be used
  • Purpose limitation – Data can only be used for the reason it was collected
  • Data minimisation – No more data can be collected than necessary for its purpose
  • Storage limitation – If the data is no longer necessary, it must be deleted
  • Confidentiality and integrity – Data must be stored in a secure manner
  • Accountability – Compliance with the data protection principles must be provable

What do businesses need to do to be compliant?

This is a difficult question to answer, as every business is different. Some businesses may only need to make minor changes to their current data processing policies, whereas others might need to make more significant changes.

At a very broad level, the path to GDPR compliance can be thought of as a four-stage process:

  1. Mapping/templates
  2. Strategy
  3. Policies
  4. Implementation

In a bit more detail, the stages to compliance might look something like this:

[Figure: GDPR compliance plan – simplified example]

It’s important to remember that the steps businesses need to take to be compliant will vary, as each business is different. We’ve provided this example to help give you a starting point – you will need to shape your own plan to suit your business needs.

It may seem like there’s a lot to do, but the good news is that as long as you approach the GDPR seriously and with enough resources, there is still time to be compliant by the May 25, 2018 deadline.

How is Rakuten Marketing being GDPR compliant?

We at Rakuten Marketing take privacy and security very seriously. As such, Rakuten Marketing has been working on our GDPR compliance strategy for over a year to meet as many of the requirements as possible by the enforcement date of May 25, 2018. We have identified four phases relevant to our business through which to be GDPR ready: Mapping/Templates, Strategy, Policies and Implementation. Our efforts are ongoing and will continue well beyond the GDPR enforcement date to make Rakuten Marketing a leader in this space, promoting integrity, transparency and trust.

Where can I find out more?

If you’d like to find out more about the GDPR and how it might impact you as a marketer, or your business, take a look at our collection of GDPR resources. There are also many independent resources available from organisations such as the ICO and the IAB UK. Find out more in our list of useful links and resources.