Exactag Blog


General Data Protection Regulation (GDPR) – FAQ

14. 02. 2018

The General Data Protection Regulation of the EU (GDPR) applies from 25 May 2018, a deadline that is rapidly approaching.

The impact is tremendous for many companies. Advertisers, and B2C companies in particular, are strongly affected by the demands of the new regulation, because the majority of them process personal data.

However, many marketers currently do not fully understand the effects of the GDPR. Some do not believe that their teams are fully aware of the requirements and even admit that their websites are unlikely to be compliant by the end of May.

The penalties for non-compliance can be severe. Companies failing to meet the requirements can be fined up to € 20 million or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.

For this reason, we have put together the most important facts of the GDPR in a clear FAQ.

 

WHAT IS THE GDPR?

The General Data Protection Regulation (GDPR) is a regulation proposed by the European Commission and adopted by the European Parliament and the Council of the European Union with the aim of strengthening and unifying the data protection rights of individuals in the EU. While national legislation based on the EU Data Protection Directive (95/46/EC) has so far varied considerably between countries, the GDPR applies uniformly in all member states.

 

WHAT IS THE GOAL OF THE GDPR?

The GDPR is intended to ensure the unified protection of personal data of individuals as well as the free movement of data within the European Union. As an EU regulation, the GDPR has direct legal effect in all EU member states.

Specific objectives are (Art. 1 GDPR):

    1. Protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

    2. Protection of fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

    3. Ensure that the free movement of personal data within the Union is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.


WHEN DOES THE GDPR COME INTO EFFECT?

The GDPR was adopted in April 2016, published in the Official Journal of the EU on 4 May 2016 and entered into force 20 days later, on 24 May 2016. After a two-year transition period it applies from 25 May 2018. Unlike a Directive, a Regulation does not require enabling legislation to be passed by national governments, so it will be directly applicable on that date.

 

WHO IS AFFECTED?

The GDPR not only applies to organizations established within the EU; it also applies to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, data subjects who are in the EU (Art. 3 GDPR). It therefore applies to all companies processing or holding personal data of persons located in the European Union, regardless of where the company itself is based.

 

WHERE DOES THE GDPR APPLY?

The GDPR is based on whether a provider of goods or services processes personal data of persons located in the EU, regardless of the company’s location. 

 

HOW DOES THE GDPR APPLY IN GERMANY?

The relevant provisions of the German Federal Data Protection Act (BDSG) are largely superseded by the GDPR. Since the GDPR is a European regulation, it applies directly in all member states and does not require a national transposition law. National legislators only need to repeal the national rules replaced by the regulation and may use the GDPR's opening clauses to supplement it; in Germany this is done by the revised BDSG, which also applies from 25 May 2018.

 

WHAT DOES THE GDPR APPLY TO?

The regulation “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system“. (Art. 2 (1) GDPR).

 

WHAT CONSTITUTES PERSONAL DATA?

Any information related to a natural person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. (Art. 4 (1) GDPR)

 

WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?

Violations will be punished more heavily from 25 May 2018. Under the GDPR, any breach of duty, including inadequate technical and organizational measures for the protection of personal data, can result in a fine imposed on the controller or the processor.

The amount of the fine follows a tiered approach with two levels:

  • Less serious infringements can lead to a fine of up to € 10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 (4) GDPR).

  • More serious infringements, and failure to comply with an order issued by a supervisory authority, can lead to a fine of up to € 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 (5) and (6) GDPR).

 

WHO IS THE “CONTROLLER” AND WHAT IS IT RESPONSIBLE FOR?

A controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (Art. 4 (7) GDPR). The controller must ensure the lawfulness and purpose limitation of the data processing as well as the rights of the data subjects whose data is processed. It must also be able to demonstrate compliance with the GDPR (accountability, Art. 5 (2) GDPR).

 

WHAT ARE THE KEY CHANGES FOR THE CONTROLLER?

The controller must be able to demonstrate compliance with the data protection principles at all times (accountability). This includes documenting the processing activities and establishing processes within the company that guarantee the rights of data subjects. In addition to this documentation, data subjects whose data is being processed must be informed more comprehensively than before. Measures to protect the data must take the current state of the art into account and must be selected according to the risk of the respective processing. This risk-based approach requires a risk management process to determine appropriate technical and organizational measures (Art. 32 GDPR).

 

WHO IS THE "PROCESSOR"?

The “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Art. 4 (8) GDPR). The processor may process personal data only in accordance with the documented instructions of the controller, and it must itself take appropriate technical and organizational measures to protect the data (Art. 28 and Art. 32 GDPR).

 

WHAT ARE THE MOST IMPORTANT CHANGES COMPARED TO CURRENT REGULATIONS?

The most important changes of the GDPR include:

  • Unified European data protection law:
    As a single European data protection law, the GDPR replaces the differing laws of the member states. Companies therefore have to deal with one law instead of 28 different national laws.

  • Scope outside the EU:
    The rules of the GDPR also apply to companies without an establishment in the EU if they offer goods or services (including free services such as social media) to persons in the EU or monitor their behavior.

  • Privacy by design and by default:
    Data protection by design and privacy-friendly default settings are now essential elements of EU data protection law (Art. 25 GDPR). Data protection safeguards must be built into the development of products and services at an early stage, and privacy-friendly default settings become the norm, for example in social networks or mobile apps.

  • Personal data:
    Companies are required to adequately protect personal data. This is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 (1) GDPR).

  • Reporting of data breaches:
    Businesses and organizations must report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR). If the breach is likely to result in a high risk for the data subjects, they must also be informed without undue delay so that they can respond accordingly (Art. 34 GDPR).

  • Stronger enforcement:
    Data protection authorities can impose fines on companies that violate the regulation; these fines can amount to up to 4% of a company's total worldwide annual turnover. Fines are not automatic, however: they must be decided for the individual case and must be effective, proportionate and dissuasive (Art. 83 (1) GDPR).

 

WHAT HAS MOSTLY REMAINED UNCHANGED?

  • Data protection principles that already apply today, such as purpose limitation, data minimization and transparency, are retained.

  • The processing of personal data continues to require a legal basis, e.g. “performance of a contract” or “consent of the data subject”.

  • The essential legal bases for data processing remain in place.

  • The processing of personal data continues to be prohibited unless it is permitted by a legal basis in the GDPR or in other legislation (e.g. sector-specific laws such as the Telecommunications Act or the Telemedia Act); this is the principle of “prohibition subject to permission”. The usual statutory permissions for processing are retained.

  • The processing of particularly sensitive data is still subject to special conditions.

  • The most common legal instruments for transmission to third countries remain largely intact and are even expanded.

  • At least in Germany, the company Data Protection Officer (DPO) remains indispensable for most companies.

 

WHAT ARE THE NEW DUTIES FOR COMPANIES?

The GDPR extends the existing obligations for companies and increases the legal, operational and technical-organizational requirements for data protection. The most important changes include:

  • extended obligations in technical data protection (including the obligation to keep records of processing activities under Art. 30 GDPR and the processor's own responsibility),

  • extended transparency and information requirements,

  • extended duties to cooperate with supervisory authorities and to report data breaches,

  • introduction of the data protection impact assessment (Art. 35 GDPR), and

  • an extended obligation to appoint a Data Protection Officer.

 

UNDER WHICH CONDITIONS IS DATA PROCESSING ALLOWED?

Lawful processing requires that at least one of the following legal bases applies (Art. 6 (1) GDPR):

  • The data subject has given consent.

  • The controller or a third party has a legitimate interest in the processing which is not overridden by the interests or fundamental rights of the data subject (in particular where the data subject is a child).

  • The processing is necessary

    • for the performance of a contract,

    • for pre-contractual steps taken at the request of the data subject,

    • for compliance with a legal obligation of the controller,

    • to protect the vital interests of the data subject or another natural person, or

    • for a task carried out in the public interest or in the exercise of official authority.

 

WHAT DOES "PRIVACY BY DESIGN" AND "PRIVACY BY DEFAULT" MEAN?

“Privacy by Design”: In order to organize data protection in a compliant way over the entire lifecycle of personal data, technical and organizational measures that correspond to the current state of the art must be applied from the design phase onwards, through processing and monitoring. The goal is to make a data breach as unlikely as possible from the outset.

“Privacy by Default” follows the principle of data minimization. By default, only the personal data that is necessary for the specific purpose should be collected. In addition, the group of persons with access should be kept as small as possible, and data should be pseudonymized and encrypted wherever feasible. The latter is particularly important when data is evaluated by data processing service providers or in a cloud.

Both principles are about collecting and using as little personal data as possible and protecting it as well as possible in order to prevent data breaches.
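Pseudonymization is the concrete technique the two principles lean on most, and it is easy to get wrong: an unkeyed hash of an IP address or an e-mail address looks like a pseudonym but is not one, because the input space is small enough to enumerate. The following Python example is added here to illustrate this point; it is not code from the original article or from Exactag. It assumes HMAC-SHA256 with a secret key held separately from the data as the pseudonymization method, an allow-list of fields as the "privacy by default" minimization step, and a constructed click-log record using a documentation IP range and an invented address.

```python
"""Keyed pseudonymization and field minimization for a tracking record.

Added example for the GDPR FAQ; not part of the original article.
Assumptions: HMAC-SHA256 as the pseudonymization function, the key kept
separately from the pseudonymized data (the "additional information" of
Art. 4 (5) GDPR), and a constructed sample record.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed sample record, as an advertiser's click log might contain it.
# 192.0.2.0/24 is a documentation range (RFC 5737); the e-mail address is invented.
SAMPLE_RECORD: Dict[str, str] = {
    "ts": "2018-02-14T10:21:07Z",
    "email": "alice@example.com",
    "ip": "192.0.2.77",
    "campaign": "spring_sale",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
}


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of a value. Deterministic, but reversible by enumeration
    whenever the set of possible inputs is small (IPv4 addresses, phone numbers)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for the same key, so records can
    still be joined, but cannot be reversed or re-computed without the key."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_ipv4(digest: str, network: str) -> Optional[str]:
    """Attacker's view: hash every address in a candidate range and compare.
    Succeeds against plain_hash() output, fails against a keyed pseudonym."""
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


def pseudonymise_record(record: Dict[str, str], key: bytes,
                        keep: Iterable[str],
                        pseudonymise_fields: Iterable[str]) -> Dict[str, str]:
    """Privacy by default: keep only the fields listed in `keep` (minimization)
    and replace the direct identifiers in `pseudonymise_fields` with pseudonyms."""
    pseudo = set(pseudonymise_fields)
    out: Dict[str, str] = {}
    for field in keep:
        if field not in record:
            continue
        out[field] = pseudonymise(record[field], key) if field in pseudo else record[field]
    return out


if __name__ == "__main__":
    # Fixed key for the demonstration only; in production load it from a
    # secrets store that the analytics environment cannot read.
    key = bytes(range(32))
    weak = plain_hash(SAMPLE_RECORD["ip"])
    print("plain hash recovered:", recover_ipv4(weak, "192.0.2.0/24"))   # 192.0.2.77
    strong = pseudonymise(SAMPLE_RECORD["ip"], key)
    print("keyed pseudonym recovered:", recover_ipv4(strong, "192.0.2.0/24"))  # None
    print(pseudonymise_record(SAMPLE_RECORD, key,
                              keep=("ts", "email", "ip", "campaign"),
                              pseudonymise_fields=("email", "ip")))
```

The enumeration in `recover_ipv4` covers only a /24 to keep the run short; the full IPv4 space is 2^32 hashes, which a commodity GPU finishes in seconds, so the /24 stands in for the general attack. Whoever holds the HMAC key can re-identify every pseudonym, which is why the key, not the hashed data, is what has to be locked down and why the pseudonymized data set is still personal data under the GDPR.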

 

HOW SHOULD COMPANIES PREPARE FOR GDPR?

For an optimal preparation for the GDPR, all relevant departments within a company must be informed about the upcoming changes in data protection. In addition to the company's Data Protection Officer, these are especially:

  • Management: The management should know about the modified data protection practices in the company. 

  • Law and Compliance: The GDPR is expected to require a large number of contracts to be adapted. The compliance department must also include risks for privacy violations in the risk analysis, which are significantly higher due to the high fines.

  • IT Security: For the required risk assessment to determine technical-organizational measures, organizations should examine how they can complement existing IT security risk assessments.

  • Finance: Due to the adaptation processes, significant costs can arise in the company, which must be taken into account accordingly.

  • Research & Development: Requirements such as “Privacy by Design” and “Privacy by Default” also apply to product development and implementation. Compliance with the data protection principles should therefore be considered at an early stage of product development.

  • Human Resources & Works council: When company agreements are adapted to the GDPR to regulate employee data protection, the co-determination rights of the works council must be respected. In addition, employees will need training on the new rules of the GDPR.

 

WHICH PROCESSES AND DOCUMENTS NEED TO BE REVIEWED?

The following documents should be adapted to the new regulations of the GDPR by May 25 2018:

  • Adaptation of the privacy policy with regard to the extension of the information obligation.

  • Adaptation of the existing company agreements to the GDPR.

  • Adaptation of the declarations of consent.

  • Adjustment of the revocation declaration to the GDPR.

  • Adjustment of data processing agreements with service providers (Art. 28 GDPR), especially the liability provisions.

The following processes within your company should also be adapted and, if necessary, re-established to the new regulations of the GDPR:

  • Process for the revocation of a consent form.

  • Process for the implementation of objections.

  • Process and procedure for data breaches.

  • Process for providing a data subject's data in a commonly used, machine-readable format (right to data portability, Art. 20 GDPR).

  • Documentation on data processing measures within the company.

  • Training for the employees on the innovations in data protection by the GDPR.

  • Training for employees on new processes adapted to the GDPR within the company.

 

DOES MY COMPANY NEED TO APPOINT A DATA PROTECTION OFFICER (DPO)?

Under Art. 37 (1) GDPR, a Data Protection Officer must be appointed if:

  • the processing is carried out by a public authority or body,

  • the core activities of the organization consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or

  • the core activities of the organization consist of large-scale processing of special categories of data (e.g. health data) or of data relating to criminal convictions and offences.

In Germany the revised BDSG goes further: as a rule, a DPO must also be appointed if at least ten persons are permanently engaged in the automated processing of personal data, so for most German companies the obligation continues to apply.


Sources:

https://gdpr-info.eu/

https://dsgvo-gesetz.de/

https://blog.sage.de/digitaletrends/eu-dsgvo/faq-dsgvo/

http://www.rechtsanwalt.de/eu-dsgvo-fragen-und-anworten-faq/

https://www.bitkom.org/Bitkom/Publikationen/FAQ-zur-Datenschutzgrundverordnung.html

 

Disclaimer: The information contained in this article does not constitute legal advice. Any person intending to rely on or use the information contained herein is solely responsible for independently verifying the information and, if necessary, seeking independent expert advice.
