In this blog, we share a quick checklist to help marketers focus on asking the right privacy questions and stay away from eye-watering fines from EU regulators.
Quick Privacy Checklist for Marketers
24 April 2019
The EU GDPR allows data controllers to use personal data for direct marketing to individuals located in the EU; however, organisations must also comply with other relevant EU national privacy rules, especially when using electronic communications (texting, email, telephone, also referred to as ‘e-Privacy’).
Very high GDPR administrative fines, like the French data protection authority’s €50,000,000 fine imposed on Google¹ in early 2019, have marketers around the world taking stock of their activities related to collecting personal data of individuals in the EU.
This checklist is intended to prompt marketers to ask themselves some privacy-focused questions before they forge ahead with a new marketing scheme or try to find new uses for the personal data on hand, like data analytics to drive more effective advertising campaigns.
Collaborate with your colleagues specialising in data privacy, including GDPR and e-Privacy
Understand what personal data you have, why you collected it and whether you can use the data for any other purposes
Direct marketing is a legitimate interest when certain conditions and applicable laws are met
Record the ‘balancing of interests’ test and how legitimate interests are balanced and meet the reasonable expectations of data subjects
Use simple words to tell individuals how and why you use their data, give them choices (freely giving consent) and an easy way to express a change of mind (e.g., revoking consent)
Privacy notices should include:
Your systems should store proof of consent, revocation and objections to processing, tied to specific purposes at the point of collection, along with the media channel
Privacy-by-Design and by Default is an obligation under GDPR
Conduct data protection impact assessments and consult data protection authorities if residual risks of harm to individuals are likely before offering or selling your products and services
Transferring personal data outside the EU/EEA requires destination countries to have adequate mechanisms in place to protect EU-based individuals
Be a data privacy champion. Help others ‘get’ why data protection is important
Promptly report data privacy policy inconsistencies to your data protection officer or manager
Watch for news about what people care about and look out for the regulation replacing the directive on electronic communications (e-Privacy)
1 https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice, nor can they be construed as offering comprehensive guidance on the various EU member state data protection legislation, regulations or other statutory measures referred to herein.