The foundation of this GDPR element is the principle that individuals retain control over their own personal data. This means that whether an organization sells through the channel or is a channel partner of that organization, it has no intrinsic right to the personal data it holds. The data subject may consent to a vendor or its partner using that data for the purpose of providing services, but that consent does not extend to marketing or sales contact; such contact requires its own lawful basis, and where that basis is consent, the consent must be explicit and recorded (for example, digitally accepted).
The law specifically says that consent must be freely given, specific and informed for each purpose, and that a request for consent cannot be bundled with terms and conditions or with any other agreement. If no such authorization exists and no other lawful basis applies, then use of the data is non-compliant. If an organization or reseller reaches out to a prospect for sales and marketing activities without such authorization, this may constitute a violation.
This could have a profound impact on channel marketing, because in most cases channel partners use email or event marketing as the primary way of sharing information with their existing customers or potential new prospects. If they require the explicit authorization of the target recipients in every instance, most of these marketing vehicles become far less effective. So, while the world of buying and selling has moved to a digital platform, one of the most common and easiest means of reaching end prospects may now have become one of the hardest (from a legal perspective).
GDPR also covers in explicit terms how personal data must be secured and protected (Article 32), including the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident. As per Wikipedia, “[u]nder the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33)…. However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).”
This creates the second major challenge: in many cases, while channel partners may have consent from their customers and prospects, they may not have the technical and organizational measures in place to meet these security and breach-notification obligations.
Among the primary updates imposed by the GDPR are the rules on “Privacy by Design” and “Privacy by Default” (Article 25, where the regulation itself speaks of data protection by design and by default). Significantly, privacy assessments need to be conducted during the design stage of channel marketing processes, and the full lifecycle of the relevant data processing must be taken into account. A formal data protection impact assessment (Article 35) is mandatory where the processing is likely to result in a high risk to individuals, such as large-scale profiling. The primary obligation is that the data controller must take appropriate technical and organizational measures to protect personal data from unlawful processing; Privacy by Design is the requirement that those measures be built in from the outset rather than added afterwards.
With the GDPR Privacy by Design requirements, channel marketing businesses need to design policies, procedures and systems that comply with the GDPR from the inception of a product’s or process’s development. When designing these, businesses must consider factors regarding the processing of personal data, including how much data is collected, how the data can be suppressed (for example, if a customer chooses not to receive direct marketing) and how portable the data is.
Privacy by Design lays the groundwork for the Privacy by Default obligation. Under the latter, data controllers must implement appropriate measures at both the technical and organizational levels to ensure that, by default, only the personal data necessary for each specific purpose is collected and processed, and that it is not made accessible to more people than necessary.
Channel marketers should adopt a privacy impact assessment template and complete it for each new system or marketing process before it goes live.
Summary of Regulations
The GDPR regulates the “processing” of personal data, extending to collection, storage, transfer and use. The processing of the personal data of individuals in the EU by organizations is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Data can be processed only if there is at least one lawful basis to do so. The six lawful bases for processing data (Article 6) are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Privacy Law Updates and Non-Compliance
The key updates related to Privacy Law can be summarized as follows: expanded data privacy rights for EU individuals, data breach notification, added security requirements for organizations, customer profiling and monitoring.
The financial penalties for failing to comply with the GDPR are clearly defined in two tiers (Article 83): for less serious infringements, a fine of up to 10 million euros or 2 percent of worldwide annual turnover (revenue), whichever is higher; for the most serious infringements, such as breaching the basic principles of processing or the conditions for consent, a fine of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
Five Rings of GDPR
Rights of EU Data Subjects
Enhanced rights for data subjects in the EU include access, rectification, erasure, restriction of processing, objection and portability. Requests must be answered without undue delay and in any event within one month, extendable by two further months for complex or numerous requests.
Data subjects must be provided with the controller’s identity and contact details, the purposes and legal basis of the processing, the categories of data concerned, the recipients and the expected storage period (or the criteria used to determine it).
Security of Processing
Breach reporting to the supervisory authority within 72 hours of becoming aware of the breach is required, unless the breach is unlikely to result in a risk to individuals.
Technical and organizational measures appropriate to the risk must be implemented, including pseudonymization and encryption, access controls and monitoring, the ability to restore availability after an incident, and regular testing of the effectiveness of those measures.
Lawfulness and Consent
Lawful processing rests on one of the following bases: consent, performance of a contract, legal obligation, protection of vital interests, public interest or official authority, or legitimate interest.
Data subjects must be kept informed, and their requests must be managed in a transparent, efficient and effective manner.
Accountability of Compliance
Proof of compliance with the principles relating to personal data processing is required.
Design and Default
Data controllers must implement technical and organizational measures to demonstrate compliance with GDPR core principles.
- Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Data Controller – the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor – the entity that processes data on behalf of the data controller.
- Data Subjects – “identified or identifiable natural person[s]”; in other words, data subjects are people—human beings from whom or about whom information is collected in connection with a business and its operations.
- Anonymous Data – data that has been altered so that no individual can be identified from it, directly or indirectly, by any means reasonably likely to be used by any person. Truly anonymous data falls outside the GDPR, but achieving and demonstrating irreversible anonymization is a technically complex task; data that can be re-identified with additional information is merely pseudonymized and remains personal data.
- Consent – a freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or a clear affirmative action, agreeing to the processing of personal data for a defined purpose. Consent is one of the lawful bases for processing; others include a contractual necessity or a legitimate interest in storing and using the data.