GDPR – the main points and what you just have to do *
Last Updated on February 7, 2022 by justin
The big difference from previous laws that regulated this area is that it allows for extreme penalties – 4% of the company’s global revenue up to 20 million Euros.
The greatest effect on marketing will be the GDPR (General Data Protection Ordinance) for those who have engaged in buying email lists and / or sending unwanted emails.
Only collect necessary personal information
The new basic principle will be “privacy by default”, which aims to collect only the personal data that is necessary – this means that a collected data point must now be linked to a specific purpose and is no longer something that companies can see as an asset to use as they want. For example. you may not use a collected email address to do targeting in Facebook’s advertising network unless it has been stated that the purpose of collecting the email and generic approval is not accepted as “By using our website you agree to our privacy policy” or even “[…] remarketing policy”.
New definition
Personal data is given a broader definition and will now also include other attributes that can identify a user, such as cookies and IP addresses.
The abuse rule disappears
In the past, it has been possible in Sweden to handle PUL and handle personal data in running text or lists as long as it has not been offensive to anyone, but this simplification is removed.
Active consent
Active consent is now required for an organization to be allowed to use personal data in marketing, it has also been the case before, but the difference now is that it is required that they are not pre-ticked and that every way the organization wishes to use the data individually is accepted. If you want to collect an email for Newsletter and Facebook retargeting, it needs to be two separate boxes and not one collected for “marketing”. Consent must be documented based on when and where the user has accepted the use of personal data and for what.
Legitimize or clear out existing personal data
Personal data collected before the law enters into force must either be legitimized or cleared from the systems. This does not apply to information that is already legitimized, of course – remember to keep track of what you can use them for, however, and that it can be demonstrated.
Fullständig avregistrering
Opt-out should be as simple as opt-in, which means that it should be easy to find your own settings for marketing and be able to check off what you have previously checked.
Companies must also be able to offer the possibility to completely remove a user’s digital footprint – a complete cleansing of all systems (this is where many can have major problems with their infrastructure).
A personal data assistant agreement is required if someone else (including an agency) is to handle your customers’ personal data
If a company hires a provider of, for example, cloud services or digital marketing based on collected personal data on behalf of the company, it is required that the two companies enter into a written so-called personal data assistant agreement. This is something like e.g. will affect us at Growth Hackers Sthlm (and most media agencies and SaaS services in sales and marketing) if we want to do retargeting based on Google analytics or adwords, facebook pixels or mailing lists.
As a rule, information may not be provided by the EU – review the agreements
As a general rule, it is forbidden to transfer personal data to a country outside the EU, such as the United States. There are exceptions, e.g. it is permitted to transfer personal data to the American company that has registered in the so-called Privacy Shield program. So review your cloud services (start with CRM).
All official information is posted here.
* Disclaimer: Growth hackers Sthlm are not lawyers or certified GDPR consultants so this text should not be construed as legal advice on how your company should approach the GDPR. This information can not be considered as a substitute for legal advice regarding the GDPR based on your circumstances.