We’re back with another season of Yodel Mobile’s Mastering Mobile Marketing video series. As we inch closer to May 25th, we thought we’d share some important GDPR basics that all marketers should be aware of.
In this video, Meg will be covering some of the terminology, the legal bases for processing data, and the rights of users.
GDPR – the basics:
GDPR stands for the General Data Protection Regulation, and it acts as an update to the 1995 Data Protection Directive.
As you can imagine, there have been huge technological advances since this was put in place, and the collection and use of consumer data has skyrocketed in that time.
There is also a sense of distrust from consumers in the wake of a number of high-profile data breaches over the past few years.
GDPR aims to rebuild that consumer trust by encouraging transparency and education from businesses to consumers to create a clear value exchange between the two.
The legal bases for processing data:
Within GDPR, there are data controllers and data processors.
The controllers own and collect the data, while the data processors process the data on behalf of the controller, where processing includes storage, structuring and analysis.
However, the data controller must have a legal basis for processing. There are 6 options within this:
- Contractual Necessity – this means that the processing is necessary for a contract, for example in some fields it is required that a background check is carried out.
- Controller is bound by legal obligation – for example, schoolteachers have an obligation to safeguard children, and therefore they must be aware of any allergies the children have.
- The processing protects vital interests – the priority is to protect someone’s life; for example, if a person is rushed to A&E, the surgeons are able to operate on the understanding that they will gain consent afterwards.
- Public Interest – where the processing is necessary to perform a task in the public interest, for example, UCAS can share information with universities
- Consent – the user has given clear consent that you can process their personal data for a specific purpose
- Legitimate Interest – the processing is necessary for your legitimate interest or the legitimate interest of a third party unless there is good reason to protect the personal data which overrides those legitimate interests.
The processing must be lawful, profitable and ethical.
For example, if your processing will compromise the security of a user’s personal data, this may override the legitimate interest.
For most businesses, the basis for processing will fall between consent and legitimate interest.
While legitimate interest may seem appealing and the least difficult to implement, it will be essential to first carry out an assessment to determine whether your legitimate interests are balanced.
It will also be critical to introduce safeguards such as data minimisation, privacy by design, added security measures, etc., to show that you have properly considered the implications of the processing.
On the other side of things, consent under GDPR must be freely given, informed, and verifiable.
This means the end of the practice where all rights are bundled under the Ts&Cs – users must understand what they are opting in to.
Pre-ticked boxes or inactivity, common practices for direct marketing and cookie opt in, will no longer count as consent.
This means that marketers and product owners must redesign their registration processes to ensure consent is collected in a lawful way.
The rights of users under GDPR:
It is important to note that with many of the bases for processing come more rights for the user. These rights are:
- Right to object to marketing and profiling – the user must be made aware that they have the right to object to any profiling, which is automated decision making based on a person’s behaviour and preferences, whether that is a decision on issuing a credit card or personalised emails based on in-app behaviour
- Right to be forgotten – the right to have personal data erased and to restrict any data tracked moving forward
- Right to data portability – users can ask that data held on them is transferred to a new provider in electronic form
- Right to subject access – users can ask to see what data is held on them, at no charge
Your company must have the structural capabilities to fulfil some or all of these rights, dependent on the basis for processing.
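The consent rules above (no pre-ticked boxes, no consent by inactivity, one purpose at a time, a verifiable record of what the user agreed to) and the user rights (object to profiling, be forgotten, portability, subject access) are the two things a product team actually has to build. The following is an added illustration, not code from Yodel Mobile or the video, of how a small in-memory consent store could enforce both; the purpose names, the `Subject`/`ConsentRecord` structures and the `ConsentStore` class are all constructed for this example, with a dict standing in for a real database.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Hypothetical purposes; each one needs its own unbundled consent.
PURPOSES = {"marketing_email", "profiling", "analytics"}


class ConsentError(ValueError):
    """The signal offered would not count as consent under GDPR."""


@dataclass
class ConsentRecord:
    purpose: str
    policy_version: str   # what the user was shown: makes consent informed and verifiable
    source: str           # where the affirmative action happened, e.g. "signup_form"
    collected_at: str     # ISO-8601 UTC timestamp of the opt-in


@dataclass
class Subject:
    profile: dict
    consents: dict = field(default_factory=dict)   # purpose -> ConsentRecord
    objections: set = field(default_factory=set)   # purposes the user has objected to
    erased: bool = False                           # tombstone after right-to-be-forgotten


class ConsentStore:
    """In-memory stand-in for a real database (constructed for this example)."""

    def __init__(self):
        self.subjects: dict[str, Subject] = {}

    def register(self, user_id, profile):
        self.subjects[user_id] = Subject(profile=dict(profile))

    def record_consent(self, user_id, purpose, *, prechecked, user_ticked,
                       policy_version, source):
        # Only a clear affirmative action for a named purpose is accepted.
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown purpose {purpose!r}")
        if prechecked:
            raise ConsentError("a pre-ticked box is not consent")
        if not user_ticked:
            raise ConsentError("inactivity is not consent")
        subject = self.subjects[user_id]
        if subject.erased:
            raise ConsentError("subject exercised right to be forgotten; no further tracking")
        if purpose in subject.objections:
            raise ConsentError("subject has objected to this purpose")
        subject.consents[purpose] = ConsentRecord(
            purpose, policy_version, source, datetime.now(timezone.utc).isoformat())
        return subject.consents[purpose]

    def has_consent(self, user_id, purpose):
        s = self.subjects.get(user_id)
        return s is not None and not s.erased and purpose in s.consents

    def object_to(self, user_id, purpose):
        # Right to object (e.g. to profiling): withdraw and block the purpose going forward.
        s = self.subjects[user_id]
        s.consents.pop(purpose, None)
        s.objections.add(purpose)

    def access(self, user_id):
        # Subject access request: everything held on the user, free of charge.
        s = self.subjects[user_id]
        return {"profile": dict(s.profile),
                "consents": {p: asdict(r) for p, r in s.consents.items()},
                "objections": sorted(s.objections)}

    def export(self, user_id):
        # Data portability: a machine-readable copy for transfer to another provider.
        return json.dumps(self.access(user_id), indent=2, sort_keys=True)

    def erase(self, user_id):
        # Right to be forgotten: drop the personal data but keep a tombstone so that
        # nothing is tracked for this user moving forward.
        s = self.subjects[user_id]
        s.profile.clear()
        s.consents.clear()
        s.erased = True
```

The important design choice is that the consent record stores the policy version and the source of the opt-in, so that a regulator or the user can later verify what was agreed to and when; a single boolean "accepted Ts&Cs" flag cannot show that. The `erased` tombstone is what turns "restrict any data tracked moving forward" into an enforced rule rather than a hope.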
Want to find out more about optimising your app and keeping up with the latest OS capabilities? Make sure to subscribe to our Mastering Mobile Marketing video series. You can also get in touch by visiting the Contact Us page. Follow us on LinkedIn, chat with us on Twitter @yodelmobile, and join our #mobilemarketingUK LinkedIn group.