Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security.  In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, external partners and provided a graphic overview with our GDPR infographic.

 

As much as GDPR covers, it also raises an equal number of questions.  Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.

 

GDPR – Who?

Q: Does GDPR apply only to EU citizens?

 

A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.

 

Definition of Personal Data

Q: What is considered “personal” data?  Is B2B information exempt?

 

A: Generic emails, such as “info@,” “contact@” are not personal addresses so do not count as personal data.  All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes a someone personally identifiable, such as their business email address.

 

Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”

 

A: That depends on the purpose of the data.  Where a contractual agreement exists, (ex: I am buying on Amazon) personal data may be retained as long as the contract runs. (or in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site.)  If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL.  It is the Data Controller’s responsibility to set the limit on data retention and this should be specified in your privacy policy. Be careful not to run wake the dead nurture campaigns on opt-ins that have exceeded the stated time frame.

 

Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?

 

A: No. Consent is an independent action from a marketing action and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox,  just make sure the checkbox is not required to submit the form. And, be sure to include a link to your privacy policy on all forms. See an example of a GDPR compliant opt-in form.https://perkuto.com/blog/marketing-strategies-gdpr?utm_source=MarketoCommunity

 

Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?

 

A: Yes, ...

 

Read the full post on the Perkuto Blog.