As a marketeer who uses data for marketing purposes, you need to think about protecting the privacy of your target audience, the consumer. The new European legislation involves new guidelines for you as a marketeer and new rights for consumers. What are those rules? How do we as a data company deal with protecting personal information? You are reading the first part of my blog series about privacy.
The GDPR officially replaces the current Personal Data Protection Act as of 25 May 2018. This means you need to be compliant as an organisation. Here are four important points to keep in mind when using data for marketing purposes.
When can you process personal information
Processing personal information is only allowed if:
- It is necessary.
- The goal cannot be achieved in a different way that infringes less on the privacy of the person involved.
- The processing is proportional, meaning that you do not process more personal information than strictly necessary for the purpose.
The processing agreement
Under the new law, you are obliged to conclude a processing agreement with all parties you engage to process data on behalf of your organisation. This can be a hosting party, a marketing agency or a data company such as Matrixian Group. If these parties process data on behalf of your company on a large scale, you need to check whether they are compliant with the GDPR. This is because you are subject to so-called accountability. Matrixian Group has a processing agreement ready, which is signed with the customer with every new assignment.
In that processing agreement, you make agreements about, among other things, the security of the data, the duration of processing and the removal of data at the end of the assignment. The processor must ensure that everyone involved in the processing of the personal data handles it confidentially. The watchdog can impose a fine of 2% of the total global revenue or 10 million for not concluding a processing agreement.
Document all data
All personal data you collect for your marketing or sales must be documented. With the new legislation, all consumers, at every level, have the right to access their data, the right to correct it, and the right to be forgotten. In addition, you must be able to demonstrate – both to consumers and to the personal data authority – where that data comes from. This is a major difference from the old legislation, because you now need to record it in advance rather than just demonstrate it afterwards. Matrixian Group has a solid system for logging data and meets the documentation requirement.
This is an important point and something that changes under the new privacy law: clearly and actively asking consumers for permission to collect and use their data in advance. Tacit agreement was already not an option, and is now explicitly excluded under the GDPR. Pre-checked boxes are no longer allowed: consumers must make a conscious, active decision.
In addition, permission must be unambiguous; there can be no doubt whether or not the relevant person truly agrees. An oral agreement to an unclear question, or granting permission with the push of a button while the customer thought they were only downloading the app, are not unambiguous enough, for instance.
Matrixian Group uses data from public sources. For this data, permission for use by third parties has already been granted or it concerns statistical data. This means you can rest assured that you are allowed to use our data for marketing purposes.
What else does Matrixian Group do to protect personal data?
- We report all of our processing operations to the Dutch Data Protection Authority, which is a requirement under the GDPR.
- We have a data protocol ready, which describes how we deal with requests from consumers to access, correct or remove their data. So we work with a solid, standardised process.
- Privacy guarantee label of the trade association for data-driven marketing (DDMA).
- ISO Certification: Matrixian Group is in the process of applying for the ISO 27001 certification for information security.
- Encrypted file transfer: data is transferred securely.
- Privacy officer: Matrixian Group has appointed a privacy officer.
- Data is stored with a Dutch service provider with ISO certification 9001, 27001, 14001, 7510 and PCI DSS.
In the next blog, I will elaborate on the privacy regulations for fraud prevention. In the parts after that, I will go deeper into the GDPR and the obligation to report data leaks.