GDPR Questions. Straightforward Answers.

Michelle_Miles3
Level 9 - Champion Alumni
Level 9 - Champion Alumni

Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security.  In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, external partners and provided a graphic overview with our GDPR infographic​.

As much as GDPR covers, it also raises an equal number of questions.  Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.

GDPR – Who?

Q: Does GDPR apply only to EU citizens?

A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.

Definition of Personal Data

Q: What is considered “personal” data?  Is B2B information exempt?

A: Generic emails, such as “info@,” “contact@” are not personal addresses so do not count as personal data.  All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes a someone personally identifiable, such as their business email address.

Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”

A: That depends on the purpose of the data.  Where a contractual agreement exists, (ex: I am buying on Amazon) personal data may be retained as long as the contract runs. (or in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site.)  If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL.  It is the Data Controller’s responsibility to set the limit on data retention and this should be specified in your privacy policy. Be careful not to run wake the dead nurture campaigns on opt-ins that have exceeded the stated time frame.

Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?

A: No. Consent is an independent action from a marketing action and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox,  just make sure the checkbox is not required to submit the form. And, be sure to include a link to your privacy policy on all forms. See an example of a GDPR compliant opt-in form.

Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?

A: Yes, ...

Read the full post on the Perkuto Blog.

5972
13
13 Comments
Tammy_Chan
Level 3

I'm getting push back from people on my side as well- they're saying its not wise to have the prechecks either. What is your method Michelle? What would constitute allowed communications if we can't 'pre-check' what they consented in the opt in? - The only other thing I can think of is - once they've opt'd in they'd get 2 emails- one for whatever asset or confirmation that they wanted to download and a follow up email to have them confirm/set their subscription preferences, but it sounds like it may be too much?

or


do i just not pre-check them and that should solve it?

Michelle_Miles3
Level 9 - Champion Alumni

I simply don't pre-check it. You could have  an option for 'I want all the content I can get!' that opts them in to everything if you are concerned people won't check a lot of individual boxes. Then you know you're covered for GDPR, CASL, or for any future legislation this opt in will be valid. I also link to the privacy policy and have the opt in acknowledge and agree to the privacy policy. I think it makes it very clear the subject is actively consenting to data processing as well. I hope this helps!

Grégoire_Miche2
Level 10

HI Tammy,

The opt-in box cannot be pre-checked. This is very clear under the regulation. But, as Dan said, you can check all your preference center boxes when someone opts in for the first time.

-Greg