WHAT YOU NEED TO KNOW
WHEN WILL THE GDPR APPLY TO YOU?
What does established mean?
The test is whether the organisation exercises ‘any real and effective activity – even a minimal one’ through ‘stable arrangements’ in the EU.
- A subsidiary or permanent business partner
- Representative or a branch
- Website in an EU language
Does the organisation offer goods or services to individuals within the EU?
The question is whether that organisation foresees that its activities will reach individuals in the EU.
Factors to consider:
- Can payment be made in an EU currency?
- Are the services offered in a European language?
What does monitoring behaviour mean? It includes tracking individuals in the EU on the internet or elsewhere in order to create a profile of them or to analyse their preferences, behaviour and attitudes.
WHAT ABOUT POPIA?
(IF THE GDPR DOESN’T APPLY, THE POPIA WILL)
A GOOD QUESTION
IF WE COMPLY WITH THE GDPR, WILL WE ALSO BE POPIA COMPLIANT?
OK… SO WHAT?
(DO YOU NEED CONSENT TO MARKET?)
WHAT ARE THE RULES?
If the GDPR applies to you, or if your subscribers are in the EU, these are the rules:
- The GDPR
- Directive on privacy and electronic communications
Old boss, meet the new boss:
There is a new E-Privacy Regulation coming. Until then, the current directive is applicable.
DO YOU NEED CONSENT TO MARKET?
You might not need consent if:
- The person bought products or services from you
- They knew you would use their details for direct marketing
- You are now marketing similar products or services
- You have always given them an opportunity to opt out
WHAT KIND OF MARKETING?
We are talking about:
- WhatsApp, Facebook Messenger, Skype, Gmail
- Ads ‘presented to’ or directed at specific, identified individuals on the web or social media
It does not apply to:
- Snail mail
But then the GDPR still applies…
SO… HOW DO YOU OBTAIN CONSENT?
Here is what you should be doing:
- Use opt-in boxes
- Specify methods of communication
- Ask for consent to pass details on to third parties for marketing and name them
- Document when and how you got consent
CAN YOU BUY PI?
(HOW DO YOU ENRICH YOUR DATABASE?)
CAN YOU BUY LISTS?
YOU WILL NEED CONSENT.
I BOUGHT A LIST, NOW WHAT?
Here are some things to keep in mind:
- Can you trust the source?
- Do you have a contract with the seller?
- Have they opted in for your marketing in the last 6 months?
- Are the products or services similar?
- Have you deleted excessive info?
- Have you checked that they haven’t opted out already?
- Have you checked a sample for accuracy?
- Do you tell them where you got their info?
- Do you have a complaints management process?
CAN YOU PROFILE?
(WHAT DOES THE GDPR SAY?)
WHAT IS PROFILING?
This is what we are talking about:
- automated processing (without human involvement)
- of personal information
- to evaluate personal aspects about a person (economic situation, personal preferences, interests, behaviour, location, movements)
Just segmenting your audience is not necessarily profiling! You have to make predictions.
DO YOU NEED CONSENT?
Are you making decisions based on the profile?
- To market or not to market…
- Is the profile very detailed?
- How serious are the implications of the decision?
- Will you influence the circumstances, behaviour or choices of the person?
- How intrusive is the process? Are you tracking across different websites or platforms?
- Who are you targeting? Are they vulnerable?
- What kind of products or services are you marketing?
Hypothetically, a credit card company might reduce a customer’s card limit, based not on that customer’s own repayment history, but on non-traditional credit criteria, such as an analysis of other customers living in the same area who shop at the same stores.
This could mean that someone is deprived of opportunities based on the actions of others.
In a different context using these types of characteristics might have the advantage of extending credit to those without a conventional credit history, who would otherwise have been denied.
- Have you been transparent about the fact that you profile?
- Do you give meaningful info about the logic involved?
- Did you explain the consequences of profiling? Use real examples.
- Does the person have access to their information?
- Have you put in safeguards:
  - Individuals can obtain human intervention
  - They can express their point of view
  - Decisions can be contested
- Do you check regularly for bias and prejudicial elements in your dataset?
- Is your data accurate?
- Is the profiling fair?