GDPR Key Changes

Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. 

The GDPR – or General Data Protection Regulation – will come into force on 25th May 2018. With the introduction of the GDPR come changes to the requirements placed on businesses that process data from individuals in the EU. It may not sound exciting, but it will have a major and immediate impact on the way some marketing businesses handle data; many of them rely on customer data to deliver personalised experiences, for example.

Below is a summary of some of the key changes that are particularly important for those working in marketing. Please make sure to review the GDPR for the full text of the rights. If you work with us at Rakuten Marketing as an advertiser, publisher, or other type of partner, you’re an important part of the data collection chain and therefore have a responsibility to be GDPR compliant. We’re here to help you understand some of the changes that might impact you.

New and strengthened rights for individuals

At its heart, the GDPR aims to give people more power over how their data is used. As such, it creates some new rights for individuals, and strengthens others that already exist under the current Data Protection Act (DPA). The rights may differ based on which processing ground you will be using (consent, legitimate interest, etc.), so please make sure to understand how each of these rights affects your business. These rights include:

The right to be informed

Emphasises the need for transparency of how personal data is used by a business. This information, typically provided in a privacy notice on a website, for example, must be concise, easily accessible, free of charge and written in plain language.

The right of access

Individuals are entitled to access their personal data from businesses, free of charge (unless the request is unfounded, excessive or repetitive).

The right to rectification

People are entitled to have personal data rectified if it is incorrect.

The right to erasure

Otherwise known as ‘the right to be forgotten’ – people can request to have their data deleted when it is no longer necessary.

The right to restrict processing

Similar to the DPA, people have the right to ‘block’ the processing of personal data.

The right to data portability

Individuals have the right to obtain and reuse their personal data across different services.

The right to object

People have the right to object to their data being processed in certain circumstances, including its use for direct marketing. If you process data for direct marketing:

  • You must stop processing someone’s data immediately, with no exceptions, if they object
  • Your users must be told of their right to object “at the first point of communication” as well as in your privacy notice
  • Their right to object must be “presented clearly and separately from other information”

Rights in relation to automated decision making and profiling

Particularly likely to have implications for marketing, these rights are designed to safeguard individuals against risks relating to damaging decisions made as a result of automated processing of data.

‘Profiling’ is defined by the GDPR as automated processing to analyse or predict aspects of a person, for example personal preferences, behaviour or location – elements often used in audience generation for display campaigns, for example.

If you process personal data for profiling, there are a number of things that must be in place for GDPR compliance. For example:

  • You must make sure processing is transparent by providing information about the logic involved
  • Appropriate mathematical procedures must be used for the profiling
  • You must take appropriate measures to minimise and correct errors

Controllers and processors

The GDPR applies to both controllers (those who say how and why personal data is processed) and processors (those acting on the controllers’ behalf). The obligations for processors – for example, being required to maintain records of personal data and processing activities – are new under the GDPR.

Territorial scope

The impact of the GDPR is global. For more detail on this, read our guide: Does the GDPR apply to your business?

The GDPR also sets restrictions on how personal data is transferred outside of the EU – either to a third country or to an international organisation. Data may only be transferred if certain criteria are met – for example, the third country or international organisation in question must offer “an adequate” level of data protection.

Broader definition of ‘personal data’

The GDPR makes it clear that ‘personal data’ extends beyond the obvious, such as name and address. It may also include things such as IP address, which might be used by marketers to determine a person’s location when they visit a website and tailor information accordingly, for example.

Increased accountability

The GDPR introduces new accountability requirements, meaning that businesses must be able to show how they are GDPR-compliant through documentation of data processing activities, for example.

Breach notifications

Under the GDPR, all organisations must report certain types of data breach to the authorities, and/or to the individuals affected within 72 hours.

These are just some of the considerations to be made when understanding what the forthcoming GDPR might mean for your business. For more information, see the ICO’s Overview of the General Data Protection Regulation, on which the above is based.

For further information about the GDPR in general, take a look at our other resources, including FAQs and key considerations, and details of the GDPR’s global impact, in our Resource Centre.
