GDPR FAQ: Your Most Burning Questions About GDPR Answered. Part 2/3

In this installment of the series we tackle issues related to GDPR and web analytics, email marketing, opt-outs & many more. Read on to learn how to prepare your business for the changes the new regulation is bringing.

Here you can find the rest blog posts of the series:
Your Most Burning Questions About GDPR Answered. Part 1/3
Your Most Burning Questions About GDPR Answered. Part 3/3

GDPR and Web Analytics

We’ve written a lot about the rules on collecting and processing personal data. You can read more about them here:

• How Will GDPR Affect Your Web Analytics Tracking
• GDPR in Banking – How to be Sure Your Web Analytics Complies With the New Law

There’s one particularly important thing when it comes to web analytics. As it turns out, not every type of tracking will require consent from your users. Although GDPR itself doesn’t provide us with specifics, there are other regulations we also have to pay attention to.

The current wording of the ePrivacy Regulation (Regulation on Privacy and Electronic Communications, a law that supplements GDPR) makes an exception for personal data used for web analytics purposes. So, if you take advantage of a web analytics tool that utilizes the collected data only for tracking your website’s performance, you probably don’t need to worry about this part.

However, if you pass your analytics data to other AdTech and MarTech platforms (like DSP or CDP), use remarketing pixels and tracking codes, or personalize your website content based on user behavior, you’ll certainly need to ask for consent for each of these activities.

Opt-out and GDPR

As we’ve said in our previous post in this series, not every data processing purpose requires consent from the data subject. However, if your purpose is not excluded from the list, you still need to ask your visitors if you can use their data. And even after you’ve obtained valid consent, your site’s users should be provided with an easy way to change their mind. It should be as simple to withdraw consent as it is to give it.

Article 8.2 of the new ruling puts it like this:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Not sure how to apply this rule? We think that the most convenient way to tackle this issue is by using a Consent Manager – a very useful feature to help manage GDPR data subject requests. We’re releasing our version very soon, so stay tuned for updates from us!

GDPR and email marketing: what about newsletters under GDPR?

To put it concisely – many practices that email marketers previously used to grow their database and communicate with users won’t be compliant under GDPR.

One of the biggest changes concerning newsletters is that now you’ll need to obtain separate consent for each usage of a data subject’s data. For instance, if someone left their email address in exchange for a whitepaper or access to webinar recording, you’re not allowed to add them to your mailing list, unless they agreed to using their data explicitly for that very purpose.

The same rule applies to other purposes for using personal data – every visitor, customer, or partner needs to actively agree to being contacted in a certain way. This means that a pre-ticked box which automatically opts users in is not an option anymore – opt-ins now need to be a conscious decision.

What’s more, GDPR has no grandfather provision. In other words, once it comes into effect you won’t be able to use data from before 25 May 2018 unless it was collected in a way compliant with the new law.

The are also other rules you have to obey that apply to every other instance of collecting, processing, and storing personal data. We have written about them in the following posts. Be sure to check them out:

• [Infographic] GDPR Data Subject Rights – What You Need to Know
• [Infographic] How to Collect and Process Data Under GDPR?
• 3 GDPR Security Requirements You Need to Set Up
• 5 GDPR Rights With Serious Technical Consequences
• How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy?

Do I need to appoint a Data Protection Officer (DPO)?

The short answer: it’s complicated. Not everybody has to. However, the requirement to have a DPO applies to you when: you’re a public authority or body, your core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or for processing on a large scale of categories of data (this all comes from Art. 37-39 GDPR).

We know this might sound a bit vague. That’s why we asked data protection specialist Aurelie Pols to write a guest post on our blog to help you better understand your responsibilities: To Appoint a DPO – Data Protection Officer – or Not?. Also, be sure to check out the guidelines written by the Article 29 Working Party – you’ll find a lot of practical information in there.

I have a big database that I’ve been collecting for long time. Can I use it after GDPR?

Yes, but only if you’ve collected it in a GDPR-compliant manner.

As we’ve already said – GDPR has no grandfather provision. This means that you can’t use your old data (for example: a marketing database consisting of personal data) if it wasn’t collected in alignment with the new law (for instance, you don’t have users’ consents in place, etc.).

How does GDPR define pseudonymisation?

Article 4(5) of GDPR defines pseudonymization as:

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.

By using pseudonymization methods, you separate all the identifiers so that nobody can link them to a specific person. However, GDPR makes it clear that pseudonymous data is still considered personal data if the data controller or other party is able to reverse the process of pseudonymisation (which they can in most cases).

Also, Article 29 of the Working Party guidelines considers the method a partial and reversible measure that merely reduces the linkability of a dataset with the original identity of a data subject.

How does GDPR define anonymisation?

Recital 26 of GDPR characterizes anonymized data as:

Data rendered anonymous in such a way that the data subject is not or no longer identifiable.

Anonymisation is a process in which you strip the data of any identifiable information to the point where you’re not able to use it to identify a person. If done properly, it can help you place your data outside the scope of GDPR:

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

However, you must be aware that anonymisation is a very complex and demanding process you can’t afford to underestimate. Once GDPR is in force, failing to meet those tough standards can result in heavy fines.

Additional reading: Does We Don’t Collect PII Still Work?

Is hashing SHA-256 considered anonymous or pseudonymous?

Hashing is considered pseudonymization, because there’s still a way to re-identify individuals and small groups and link previously collected data to them. As long as you’re able to do so, your data can’t be considered anonymous.

Are there separate rules or guidelines on paper documents and data that is sent by post?

No, it’s all covered by GDPR. GDPR is high-level legislation addressing all types of documents containing personal data. This includes physical formats like payslips, contracts, mails, HR forms, and any other type of data carrier.

Does GDPR apply to me if I don’t collect email addresses or names?

Yes, it does. GDPR has a very broad definition of personal data. In Article 4.1 of the regulation we find the following explanation of the term:

[…] Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

And cookies are included in the list as well. This is detailed in Recital 30 of the new law:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What’s more, even pseudonymous and anonymous information counts as personal data. This means that it’s virtually impossible GDPR won’t apply to you.

I have ISO 27001 certification. Do I still need to refer to GDPR?

Yes. Although ISO 27001 provides a good foundation for a GDPR compliance framework, it won’t be sufficient by itself to ensure compliance with the new rules.

Some conclusions

We trust that the information presented above has given you some more good tips on preparing for GDPR. And if you like what you’ve read good news – there’s still more to come! So stay tuned for the next part of our Q&A.

That said, if you have some questions that need an immediate answer, don’t hesitate to contact us. Our experts will be happy to help!

CONTACT US

Here you can find the rest of the series:
Your Most Burning Questions About GDPR Answered. Part 1/3
Your Most Burning Questions About GDPR Answered. Part 3/3