The European Union General Data Protection Regulation (“EU-GDPR”) will come into effect on May 25th. Your company may think it does not have to worry about this because you are located in the United States, and you may be wrong. If your company processes or holds personal data for a person residing in a European Union country, your company will have to comply.
2. OUR GDPR EXPERTS
Derek Barka, Chief Technical Officer, SilverTech
As the Chief Technology Officer at SilverTech, Derek leads the team that helps businesses create profitable relationships throughout the entire customer lifecycle.
Paul Creme, VP & General Counsel, SilverTech
With over 30 years of experience practicing law, Paul utilizes his extensive legal knowledge as SilverTech’s Vice President, General Counsel.
4. Our Work
We believe in the Three C’s: Clients, Crew, Company
CMS: Content Management Systems
MA: Marketing Automation & Journey Management
CRM: Salesforce
[Diagram: Partners / Technology / Seamless Integrations / Sharing Data]
5. Agenda
1. Intro to the EU-GDPR
2. GDPR Glossary of Terms & Key Principles
3. How Companies are Complying in the U.S.
4. Q&A
7. INTRO TO THE EU-GDPR
The European Union General Data Protection Regulation (“EU-GDPR”) or GDPR was approved in April 2016 and becomes effective on May 25th, 2018.
8. INTRO TO THE EU-GDPR
The purpose of the GDPR is to “harmonize data privacy laws across Europe, to protect and empower all European Union (EU) citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
9. INTRO TO THE EU-GDPR
Failure to comply could cost companies $25 million or 4% of global annual revenue, whichever is greater.
10. INTRO TO THE EU-GDPR
The stated goal of the GDPR is “to curb marketing’s insatiable appetite for data and put consumers back in control of how and when their personal data is collected, used, shared, and ‘monetized.’” [2]
12. GDPR GLOSSARY
Breaches
Under the EU-GDPR, notice of a breach is mandatory and must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Conditions for Consent
The conditions for consent have been strengthened, as companies will no longer be able to use long illegible terms and conditions full of legalese. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of “opt in.”
13. GDPR GLOSSARY
Data Controller
From Article 4 of the GDPR: ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. [4]
Data Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. [5]
Data Subject
The natural person(s) or individuals covered and protected by the EU-GDPR.
14. GDPR GLOSSARY
Data Portability
GDPR introduces the concept of data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
Data Protection Officers
Your company will be required to maintain internal records and appoint a Data Protection Officer (“DPO”) if one of your company’s core activities consists of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offenses.
15. GDPR GLOSSARY
Right to Access
Each person covered has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
Each covered person has the right to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
16. KEY PRINCIPLES OF THE GDPR
The guiding principle of the GDPR is that “natural persons should have control of their own personal data.” [7]
18. Personal Data Shall Be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate
19. Conditions for Consent:
• Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
• The data subject shall have the right to withdraw his or her consent at any time.
21. HOW COMPANIES ARE COMPLYING IN THE U.S.
Data protection is central to the Facebook Companies. We comply with current EU data protection law, and will comply with the GDPR. Our GDPR preparations are well underway, supported by the largest cross-functional team in Facebook's history. We’re also expanding our Dublin-led data protection team which is leading on these efforts. [13]
22. HOW COMPANIES ARE COMPLYING IN THE U.S.
Businesses who advertise with the Facebook companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.
23. HOW COMPANIES ARE COMPLYING IN THE U.S.
Google’s new ad policy, published in March 2018, seems to attempt to switch its status from that of a data processor of publishers’ data to a data controller, which they claim will enable it to “make unilateral decisions about how a publisher’s data is used”. [14]
24. HOW COMPANIES ARE COMPLYING IN THE U.S.
An internal discussion should occur to make sure that the relevant people in your organization understand what the EU-GDPR is and what is needed to be in compliance.
25. CHANGES TO EMAIL MARKETING
‘Reengagement’ emails will have to disclose the following:
• Why the company is contacting them
• How the company initially acquired their personal details
• How to update communication preferences or opt out of further communication
• The value that the recipient of the email will receive for opting in [19]
Image Source: Jon Baines
26. CHANGES TO FORMS & COOKIES
Image Source: Kentico, GDPR Compliance and Your CMS
27. Consider the Following:
• If requested, you need to be able to provide a copy of any data you have on the visitor
• If requested, you need to be able to erase any data you have on a visitor
28. Consider the Following:
• An updated privacy policy
• A documented inventory of data that you track and keep on site visitors
• A documented procedure for furnishing a copy of the data upon request
• A documented procedure for erasing the data upon request