I've attended an IDM GDPR training session and I learnt a couple of things I thought it would be useful to share. One thing I can say after it is that there are no black or white situations; there are a lot of grey areas (at least for now, before ePrivacy comes into place). You should, on top of everything, use a person's data to their benefit and without causing any potential harm/stress, in a lawful, fair and transparent way.
- Every data controller managing personal data in the EU must comply with GDPR, even if they are targeting someone outside of the EU.
- Every data controller managing personal data outside of the EU must comply with GDPR if they are targeting someone IN the EU, even if the person is not from EU.
- GDPR applies only to identifiable natural people, that is, someone that can be identified, directly or indirectly.
- IP address is considered to be an identifiable variable.
- If an IP address is an identifiable variable, a Marketo Anonymous lead is not a GDPR anonymous lead.
- Having identifiable information does not depend on its visibility in a platform, but rather on possession.
- In order to know if a person is affected by GDPR, it is not enough to look at their 'Country' field data, as it is a matter of where they are at the time you are targeting them rather than where they are based.
- Under GDPR, there are a number of different options that allow a company to target a natural person. This can be consent, but it can also be legitimate interest. Here is a link to an article highlighting what can and cannot be considered legitimate interest: DPN Legitimate Interests Guidance - Using LI under the GDPR
- Current customers that have not opted-in can still be considered as opted-in due to contractual needs.
- Consent requirements:
  - Opt-in is only required with identifiable natural people.
  - ceo@CompanyName.com requires both consent opt-in and opt-out.
  - sales@CompanyName.com requires only consent opt-out.
  - ceo@CompanyName.com is considered an identifiable natural person, even if it doesn't specify the name/surname of the individual. This is because the person can be indirectly identified (i.e. by checking who is the CEO of the specified company).
  - HOWEVER, after ePrivacy goes live, both examples will need both consent opt-in and opt-out.
- Under GDPR you must show your organisation's privacy policies in every form. However, the fact that you have a link displaying them, or even a consent checkbox for them, does not mean the form is GDPR friendly. You must make sure that they are understandable, easy and quick to process. This is not the case if your privacy policies are too long or contain details that could cause harm to the individual. Best practice is to put any details that could cause harm/stress to the person outside of the privacy policies link, in the actual form.
  Also, you must give people the option of submitting a form without having to consent to privacy policies.
- Harm is considered to be anything that could cause a person physical/emotional stress.
It would be great to know your thoughts on the above and I hope you can find these points helpful.