In this blog, we share a quick checklist to help marketers focus on asking the right privacy questions and avoid eye-watering fines from EU regulators.
Quick Privacy Checklist for Marketers
24 April 2019
The EU GDPR allows data controllers to use personal data for direct marketing to individuals located in the EU; however, organisations must also comply with other relevant EU national privacy rules, especially when using electronic communications (texting, email, telephone, also referred to as ‘e-Privacy’).
Very high GDPR administrative fines, like the €50,000,000 fine the French data protection authority imposed on Google in early 2019, have marketers around the world taking stock of their activities related to collecting personal data of individuals in the EU.
This checklist is intended to prompt marketers to ask themselves some privacy-focused questions before they forge ahead with a new marketing scheme or try to find new uses for the personal data on hand, like data analytics to drive more effective advertising campaigns.
- Where are your GDPR colleagues?
Collaborate with your colleagues specialising in data privacy, including GDPR and e-Privacy
- Do you really know if/how customer data can be used?
Understand what personal data you have, why you collected it and whether you can use the data for any other purposes
- Can you rely on Legitimate Interests to process personal data?
Direct marketing is a legitimate interest when certain conditions and applicable laws are met
Record the ‘balancing of interests’ test and how legitimate interests are balanced and meet the reasonable expectations of data subjects
- Is your data collection fair and transparent?
Use simple words to tell individuals how and why you use their data, give them choices (freely given consent) and an easy way to express a change of mind (e.g., revoking consent)
- Is your Privacy Notice GDPR compliant?
Privacy notices should include:
  - The lawful bases for processing personal data
  - The categories of third parties that data is shared with
  - Profiling activities and how individuals can object to them
  - Ways individuals can exercise their privacy rights and make a complaint
  - Whether data is transferred outside the European Economic Area and how it is protected abroad
  - How long data is kept before it is securely disposed of
- Can your systems evidence consent?
Your systems should store proof of consent, revocation and objection to processing, tied to the specific purpose and the media channel, captured at the point of collection
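One way to meet the requirement above is an append-only consent ledger: every consent, revocation and objection is written as an immutable record tagged with the purpose, the channel and what the person actually saw, and the question "may I contact this person for this purpose on this channel right now?" is answered by replaying that trail. The following is an added example written for this post, not code from the author; the purpose and channel labels, the sample events and the subject id are constructed for illustration.

```python
"""Append-only consent ledger (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Event(Enum):
    CONSENT = "consent"        # individual opted in for one purpose on one channel
    REVOCATION = "revocation"  # individual withdrew consent for that channel
    OBJECTION = "objection"    # individual objected to the purpose as a whole


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str       # e.g. "newsletter", "profiling" (constructed labels)
    channel: str       # e.g. "email", "sms"; "*" for purpose-wide objections
    event: Event
    timestamp: datetime
    evidence: str      # what the person saw/did: notice version, form id, link clicked


class ConsentLedger:
    """Records are only ever appended, never edited or deleted, so the history
    itself is the proof of what was agreed to, when, and through which channel."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, channel: str, event: Event,
               evidence: str, timestamp: Optional[datetime] = None) -> ConsentRecord:
        ts = timestamp or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        rec = ConsentRecord(subject_id, purpose, channel, event, ts, evidence)
        self._records.append(rec)
        return rec

    def history(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        """Every event for one person and purpose, oldest first (the audit trail)."""
        return sorted((r for r in self._records
                       if r.subject_id == subject_id and r.purpose == purpose),
                      key=lambda r: r.timestamp)

    def is_permitted(self, subject_id: str, purpose: str, channel: str,
                     at: Optional[datetime] = None) -> bool:
        """Replay the trail up to `at`; the latest relevant event decides.
        An OBJECTION stops the purpose on every channel; CONSENT and REVOCATION
        only affect the channel they were given for. No record means no permission."""
        at = at or datetime.now(timezone.utc)
        permitted = False
        for r in self.history(subject_id, purpose):
            if r.timestamp > at:
                break
            if r.event is Event.OBJECTION:
                permitted = False
            elif r.channel == channel:
                permitted = r.event is Event.CONSENT
        return permitted


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample trail for one (hypothetical) subject, 'user-42'."""
    def at(day: int, hour: int) -> datetime:
        return datetime(2019, 4, day, hour, tzinfo=timezone.utc)

    led = ConsentLedger()
    led.record("user-42", "newsletter", "email", Event.CONSENT,
               "privacy notice v3 shown, signup form #17", at(1, 9))
    led.record("user-42", "profiling", "web", Event.CONSENT,
               "preference centre, 'personalised offers' switched on", at(2, 10))
    led.record("user-42", "profiling", "*", Event.OBJECTION,
               "preference centre, 'do not profile me' selected", at(5, 12))
    led.record("user-42", "newsletter", "email", Event.REVOCATION,
               "unsubscribe link in message id msg-0001", at(10, 14))
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    when = datetime(2019, 4, 11, tzinfo=timezone.utc)
    for purpose, channel in (("newsletter", "email"), ("newsletter", "sms"), ("profiling", "web")):
        print(purpose, channel, ledger.is_permitted("user-42", purpose, channel, when))
    for rec in ledger.history("user-42", "newsletter"):
        print(rec.timestamp.isoformat(), rec.event.value, rec.channel, "-", rec.evidence)
```

Because `is_permitted` takes a point in time, the same ledger answers both the operational question (may we send this now?) and the regulator's question (was this send on that date lawful?), and `history` hands over the evidence trail without any separate reporting table.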
- Is privacy top of mind when creating or modifying products and services?
Privacy-by-Design and by Default is an obligation under GDPR
Conduct data protection impact assessments and consult data protection authorities if residual risks of harm to individuals are likely before offering or selling your products and services
- Does your data travel abroad?
Transferring personal data outside the EU/EEA requires destination countries to have adequate mechanisms in place to protect EU-based individuals
- Are you a ‘privacy ambassador’?
Be a data privacy champion. Help others ‘get’ why data protection is important
- Are you tracking privacy news?
Watch for news about what people care about and look out for the regulation replacing the directive on electronic communications (e-Privacy)
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice nor can be construed as offering comprehensive guidance of the various EU member state data protection legislations, regulations or other statutory measures referred to herein.