There’s a ghost haunting online marketing. Its name is GDPR. The EU-wide General Data Protection Regulation, which will enter into force on 25 May 2018, should not be underestimated. The regulation lays down strict and largely new rules for the handling of personal data. Those who do not comply must reckon with warnings and severe fines.
Important key points of the GDPR
The purpose of the GDPR is to create EU-wide standardised and binding rules for companies that process personal data:
- The GDPR will enter into force on 25 May 2018.
- From this point on, anyone who violates the General Data Protection Regulation will face high penalties. In the worst case, fines of up to 20 million euros or up to 4 % of the annual turnover achieved in the previous financial year may be imposed.
- The General Data Protection Regulation does not distinguish between B2B and B2C.
- According to article 3 of the GDPR, the regulation applies to all EU member states and to organizations and companies outside the EU if they process data from EU citizens.
In principle, the handling of personal data after 25 May will depend more than before on the specific individual case. Therefore, it is much more difficult for companies to follow general guidelines than in the past.
What is changing in social media marketing – focal points of the new regulation
For lawyer Michael Lanzinger, the focal points of the GDPR with regard to social media can be summarised by the terms “information duties” and “transparency”. The social media sector must therefore become more transparent, which means above all that companies must inform customers more extensively than before about the collection and use of data.
Lawyer Dr. Johannes Öhlböck says:
“In principle, every company should check how social networks are used and how the ‘social plugins’ provided by Facebook and Co. can be used in compliance with data protection regulations. The same applies to the use of advertising and marketing services and website analysis services.”
The handling of data – central information
Data is considered the number one currency of the 21st century. Those who want to collect and use data in a legally compliant manner in the future should familiarize themselves with the requirements of the GDPR now at the latest. This applies not only to new leads, but also to “old data” that is several months or even years old.
Personal, pseudonymized and anonymous data – definitions
The GDPR differentiates between three types of data:
- Personal data
- Pseudonymized data
- Anonymous data
In the case of personal data, the matter is clear. This is “information relating to an identified or identifiable natural person”, says Johannes Öhlböck. But what about pseudonymized and anonymous data?
“With pseudonymized data, a personal reference can be restored, even if it is not identifiable to the outside world. An example of this is a customer number. On the other hand, anonymous data, as it appears in statistics, has no personal reference,” says Michael Lanzinger.
Important: Both personal and pseudonymized data fall within the scope of the GDPR. Only anonymous data is excluded.
Tips for handling data already collected
Most companies will not only start collecting and processing data on 25 May. This raises the question of how to deal with legacy data.
“If the users have already given their consent to data processing that meets the current requirements of data protection law, then these will continue to apply after 25 May 2018. If such consent has not yet been obtained, it is advisable to obtain the user’s prior consent in the absence of case-law in this respect,” advises Johannes Öhlböck.
It is important that there is an informed and voluntary agreement that can be proven. Those who have already used the double opt-in procedure for subscribing users to newsletters are on the safe side. Otherwise, it is recommended to obtain a new consent on the basis of the GDPR. If this is not possible, you should consider carefully whether you should refrain from further use of the data in question.
“The essential element of the GDPR is a well-informed person who is made aware of his or her rights and understands how to exercise them,” believes Johannes Öhlböck.
Collecting data – you should be aware of this
Plugins are an integral part of many modern websites. The catch is that even plugins collect data unnoticed. Fortunately, this does not mean that we will have to do without them in the future.
This means in detail:
- Many experts also recommend a 2-click solution: a page visitor is shown a hint instead of the plugin. If the visitor clicks on it, he is informed about the collection of data and can give his consent.
Michael Lanzinger also points out that alternatively, for example with Google Analytics, it is possible to prevent the transmission of IP addresses in the settings. That way, you’re on the safe side.
Special form: competition
In the future, companies will also have to be careful when organizing competitions on social networks to collect leads. Until now it has been common practice – and generally legal – to make participation in the competition dependent on consent to receive advertising. The GDPR’s prohibition of coupling puts an end to this.
Article 7(4) GDPR states:
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Confused? This is made clearer in recital 43, which relates to Article 7(4) GDPR:
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
To put it more simply: In the future, it is at least legally doubtful to make a service (such as participation in a competition) dependent on someone giving you data that you would not need to fulfil the service.
- You disconnect the two services by asking the participant separately for permission to send him a newsletter, for example.
- In addition, a notice should be given that winners will be published.
The disadvantage of this approach is that competitions will contribute less to lead generation than before.
Basic advice from the expert
Those who have already paid some attention to the GDPR will quickly have noticed that copying texts is not a safe solution for companies.
Michael Lanzinger gives companies and social media managers the following advice:
- Keep an eye on how others do it. That’s no guarantee you’ll do it right, but it gives you some clues.
- Watch how the big players react to the GDPR. After all, Google, Facebook and Co. are in the spotlight.
- Read more on the topic. Pay particular attention to central aspects such as the information obligations in article 13 or the consent pursuant to article 7 of the GDPR.
- In all the discussions about data protection officers, don’t forget the supposed little things like a proper imprint.
Do you have more questions than answers despite a thorough briefing on the subject of GDPR? In an interview with Swat.io, data protection expert Dr. Thomas Schwenke gives detailed tips on implementing the new guidelines (sorry to all English-speaking readers: the interview was conducted in German).
In the long term, the GDPR can also have advantages
Even if some of those responsible feel overwhelmed by the changes brought by the GDPR, our experts largely agree that things are not as bad as they seem. Those who are sufficiently informed and implement the requirements of the GDPR in time do not have to be afraid.
In the long run, you may even benefit from the changes brought by the GDPR. Michael Lanzinger considers this a good opportunity to clean up your own workflows and to think about which data is really necessary. In addition, data security is a point that is well received by customers and potential customers. In spite of all the initial hurdles, the GDPR could even prove to be a stroke of luck in the long term.
Swat.io has also already prepared for the GDPR. Since 2017 we have been working on this topic with the support of our external consulting firm and its lawyers. Fortunately, we have already been able to meet all the requirements concerning our social media management tool and the personal data processed there.