Jan 16 | 5 minutes read

Got a GDPR Headache? We’ll Sort Out the Essentials

Throughout 2017, we received a lot of questions regarding the EU General Data Protection Regulation (GDPR) from our customers who use APSIS’ platform for digital marketing magic. In this summary we'll provide you with clarity to enable your comfort regarding the relationship between you and your audience, and the relationship between you and APSIS.

You and Your Audience

What applies to your audience’s “personal data” that you leverage in your marketing activities? Even though our legal expert Anders Hilmansson provides an answer in length in Personal Data: A crash course for marketers, the quick answers are:
  • Every time you process a person’s information – such as names, phone numbers etc. relating to a person – you will process personal data.
  • Processing of personal data for direct marketing purposes is generally permitted - even without the consent of the person whose personal data is processed. Why? The commercial interest in marketing products and services usually balance out the person's interest in protecting its personal integrity. In other words: it’s regarded as a legitimate interest.

    However, the distinction of legitimate interest is hardly a generalised one-size-fits-all. The assessment of legitimate interest must be made on a case-by-case basis. Resultantly, there might be situations where processing of personal data for direct marketing purposes does not constitute a legitimate interest. In general, direct marketing is easier to motivate when the marketing is targeted at the person in his or her professional role, rather than the person as a consumer.
  • The person has the right to object your marketing activities and you must inform the person of their right to opt out. Upon notice of objection, the processing for direct marketing purposes must cease. So, ensure that the person can object your marketing, e.g. by ensuring the person can opt-out in the emails that you send (Note: default in APSIS).
  • To enable further transparency, the GDPR provides a list of information that should be provided by you to the person to enable transparency in relation to your processing, so make sure to shine some light on your processing to build trust.

The GDPR targets all of your company’s processing of personal data –  not solely your marketing activities – and needs to be handled by your company with a holistic approach. This means that your data shouldn't be processed in separate siloes with the marketing department stand-alone.

For example: if you extract data from your CRM for your marketing activities, the CRM should be the main focus for your GDPR compliance work. How did the personal data end up in the CRM to start off with and what are the legal justification(s) for such processing? In general – if the CRM is OK, your processing of data for direct marketing purposes will be OK.

If your company has the above sorted out, the compliance work at your marketing department will run smoothly.
Any other aspects to keep in mind in your marketing activities?
If you send direct marketing via email or SMS you will need to comply with applicable marketing law, in addition to the GDPR. The general rule within the EU for sending electronic communication is consent (or “opt-in” to use industry lingo) – basically the active tick in the checkbox “I want to receive your marketing via email”. And remember: unsolicited communication (SPAM) is never OK!
It’s important to keep in mind that there are other aspects that go beyond what the law requires such as (i) the technical aspect of deliverability of your communication; and, (ii) direct marketing ethics or good practice.
In relation to deliverability of your emails, most people uninitiated into the world of digital marketing are unaware of the networks, such as the Spamhaus Project, tracking email spammers and spam-related activity. Email clients subscribe to filters created by these networks enabling emails sent from spammers or ESPs (used by spammers) to be directly marked as Spam/Junk.

You and APSIS

The relationship with your audience is a very important relationship and the relationship between you and APSIS is another. In relation to the latter, the most relevant GDPR items are highlighted below.
  • You are the “Controller” and will own the relationship with the persons whose personal data is processed (your audience).
  • APSIS is your "Processor", your extended arm, who will process the personal data on your behalf for the sole purpose of enabling you to work your digital marketing magic by leveraging the APSIS platform.
  • The APSIS Terms of Services (regulating your usage of the APSIS platform and forming your documented instruction to APSIS how to handle your data) incorporates the Personal Data Processor Agreement specifically regulating our relationship – as “Controller” and “Processor”.
  • The Personal Data Processor Agreement complies with the requirements under the GDPR (cf. Art 28) and is drafted in the light of how the APSIS platform works and is provided to APSIS' thousands of users such as yourself.
  • In line with privacy by design and default, the APSIS platform is self-served and you can upload, extract, delete and/or change the data being processed yourself, and thus comply with any request from a potential person who wants to exercise his or her rights.
  • The security of your data is a core of APSIS' business and we have implemented technical and organisational measures to ensure the protection of your data. To the limited extent your data is accessed by us, such access will be made solely by authorised staff on a confidential need to know basis for purposes in line with the agreement (i.e. to enable your digital marketing magic).
  • The APSIS platform is hosted on infrastructure located within the EU/EEA.
  • If you in the future decide to leave us (now why would you ever do that?), your data in the APSIS platform will be deleted. 

The APSIS platform is continuously developed to meet the demands of the market and to provide the best UX possible, including but not limited to facilitating your company’s work as Controller.

We hope that the information we've presented has soothed your headache, lowered your GDPR anxiety and most importantly that is has enabled you to focus on the important stuff: to create digital marketing magic!
Increase your understanding of the three main legal aspects of digital marketing with our webinar: Big Data = People.