The deadline for the EU General Data Protection Regulation (GDPR) compliance passed on May 25, 2018.
Now, if you’re investigated and found to be out of line with these strict requirements for handling personal data, you could be in trouble!
The first step is to conduct thorough research.
Instead of wading through blog posts, legal papers, summaries, and reviews, we went straight to the expert: Suzanne Dibble, one of the world’s best-known GDPR experts
We asked Suzanne Dibble 10 questions from the AdEspresso community that you won’t easily find answers to elsewhere.
Read on to be sure that you aren’t missing out on critical pieces of the GDPR and other regulatory knowledge that could land you in hot water.
The GDPR is a lengthy and detailed piece of legislation that many teams are still trying to wrap their heads around.
With fines as high as €20 million or up to 4% of your global annual revenue — a lack of protocol can sink a business, a marketing team or even a full-fledged agency.
Not only could your business suffer hefty financial losses, but your brand and reputation might crumble as well. Who wants to work with advertisers who appear careless with critical information?
On the flip side, if you take the necessary precautions to implement secure policies and communicate your strategy to users, third-parties, and (of course) auditors, you will build more loyalty among current and potential customers and create a solid foundation on which to grow!
But what are these “necessary precaution”? How can marketers be sure that they are following the rules in any specific situation? What do they really need to know?
We asked the members of AdEspresso University Facebook group to drop us their “questions impossible”, and promised to find the best answers from the GDPR Top expert: Suzanne Dibble.
We received a load of questions (much more numerous than the 27 comments you see in the image above).
These are YOUR Top 10 questions. You can go straight to the point or keep on reading to get to know our expert a little better.
- Does GPDR Affect Facebook Ad Opt-In?
- Will the GDPR Impact Sharing or Selling Lead Ad Data to Third-Party Providers?
- How Do Marketers Deal With Consent in a Random Prize Draw?
- Will the GDPR Block Advertisers from Running Competitions?
- Will the GDPR Hinder the Creation of Custom Audiences?
- Can Advertisers Use Existing Custom Audiences Uploaded Prior to May 25?
- After the GDPR, Do Marketers Need a DPA?
- How Will the GDPR Affect Companies’ Use of Facebook Pixel?
- If You’re a Marketer Located Outside of the EU but Occasionally Handle Requests of EU Citizens, Are You Subject to GDPR Rules?
- Do GDPR Rules Apply to WhatsApp Messages?
Who Is Susanne Dibble, The Top GDPR Expert
She got the look, she got the brain, and she has an irresistible British flair. Suzanne Dibble is an outstanding person, mom, and professional.
Her Facebook page has over 5k followers.
Here’s how she introduced herself to Garrett Holmes, director of content at DigitalMarketer’s blog,
I’m Suzanne Dibble. I’m a 20-year qualified lawyer from the UK. I know I don’t look it.
There are a few lines around here, but surely I don’t look old enough to have been practicing law for 20 years, but I am a data protection lawyer, and that’s what GDPR is all about.
I have the largest group on Facebook, at the moment, about GDPR, a hugely engaged Facebook group where I just can’t keep up with all the questions, quite frankly.
I’ve done some pretty cool stuff, which I won’t bore you with, in relation to data protection. I know my stuff, in summary, and I think I’m probably the only lawyer that actually, really understands the online space.
You talk to a lot of lawyers who understand data protection, and you talk to them about Facebook retargeting, and they look completely blank. I’ve used digital marketing extensively in my own business. Again, I say I’m probably the only lawyer that I know that actually does that to any effect.
I’m probably the only person that knows the reality of digital marketing together with the complexities of GDPR.”
She started her legal career at DLA Piper (the world’s largest law firm), she worked on several multi-million pounds, multi-jurisdictional M&A, and private equity transactions, and she soon qualified into the corporate department leading teams of 30+ professionals.
She was seconded to Virgin where she worked with Richard Branson.
I went to a few parties at Branson’s Holland Park house, had a memorable(!) dinner with just him and two other people and turned down his offer of a job (and judging by the look on his face I was quite possibly the first person to do that…)
As a result of that secondment, Virgin and DLA’s managing partner nominated me for Solicitor of the Year at the Lawyer Awards (the most prestigious national awards for lawyers) and I was voted runner up which was a massive accolade.”
In early 2010 whilst pregnant with her first child, she started her own legal practice with her niche being mums in business. This venture has proved to be remarkably successful with her winning over 200 clients and 4 national awards (including Highly Commended in the Law Society Solicitor of the Year).
She regularly speaks at conferences and on TV and radio about the impact of the GDPR with recent appearances on The SIGRUN Show.
She has 36k small businesses in her Facebook group GDPR For Online Entrepreneurs and is in demand as a consultant to multinational corporations grappling with GDPR implementation.
The 10 questions that Suzanne digs into below are highly technical and include critical legal details.
You won’t find quick answers to them elsewhere as most resources for marketers aren’t this specific or, with regulations quickly changing, they could be outdated.
These answers are freshly baked! And for your convenience, here are the links, again!
- Does GPDR Affect Facebook Ad Opt-In?
- Will the GDPR Impact Sharing or Selling Lead Ad Data to Third-Party Providers?
- How Do Marketers Deal With Consent in a Random Prize Draw?
- Will the GDPR Block Advertisers from Running Competitions?
- Will the GDPR Hinder the Creation of Custom Audiences?
- Can Advertisers Use Existing Custom Audiences Uploaded Prior to May 25?
- After the GDPR, Do Marketers Need a DPA?
- How Will the GDPR Affect Companies’ Use of Facebook Pixel?
- If You’re a Marketer Located Outside of the EU but Occasionally Handle Requests of EU Citizens, Are You Subject to GDPR Rules?
- Do GDPR Rules Apply to WhatsApp Messages?
Does the GDPR Affect Facebook Ad Opt-In?
Under the GDPR, you need a lawful ground to process personal data (e.g., a name and an email address).
For marketing purposes, the two relevant grounds are consent and legitimate interests.
Arguably, for now, you can rely on legitimate interests to upload personal data to Facebook’s custom audiences and target them with Facebook ads.
At the moment, while obtaining consent is a smart additional step, it’s not required. However, in the new version of the Privacy and Electronic Communications Regulations, or PECR (expected in 2019), it will be required to obtain consent, and advertisers should prepare accordingly.”
How to Prepare For The New PECR
Even if you’re not in the EU, the Privacy and Electronic Communications Regulations (PECR) is far-reaching. It covers data processing of EU data subjects outside of the EU‘s borders.
So, starting today, make sure that, as you obtain data, you:
- Provide a link to a detailed privacy notice
- Explain your reason for showing content to your audience (e.g., delivering marketing materials in order to generate further interest and grow your business) within this privacy notice
- Give a clear opt-out option
Will the GDPR Impact Sharing or Selling Lead Ad Data to Third-Party Providers?
Now that the GDPR has taken effect, third parties are more cautious about buying personal data. They increasingly want to know how that data has been collected — and make sure it has been done in a compliant way.
If you’re considering selling lead ad data, make sure you can show that the data has been obtained and can be shared in a GDPR-compliant way. Consent will always be the safest route.
To take the extra step to obtain consent, put a tick box at the initial point of data collection.”
The box must not be preselected and must explain what the consent is for (e.g., transferring the data to specified third parties), along with a link through to the privacy notice.
How Do Marketers Deal With Consent in a Random Prize Draw?
In a random prize draw, where the aim is to obtain personal data such as a name and an email address, consent should be requested outside of the terms and conditions of the prize draw.
As a general rule, consent should never be hidden within lengthy terms and conditions!
If you need to share the data with a third-party processor, such as a fulfillment company, then the ideal format is two tick boxes:
- Consent for the data controller to market to the data subject
- Consent for the data processor (or fulfiller) to use the data to deliver the prize (or whatever purposes it needs the data for)
It’s important to note increasing regulatory concerns around incentivizing a user to opt-in (e.g., by encouraging the provision of data in return for the chance to win a prize).
Although the GDPR does not specifically prevent it — as long as the person does not suffer a detriment by choosing not to opt in — as a marketer, you should always be clear about your process and rationale for collecting personal information (even if it includes a reward at the end).
See Facebook’s own resources for more information.
Will the GDPR Block Advertisers from Running Competitions?
There are no rules that block marketers from running competitions — which is good news, since this is one of the best ways to boost engagement and Likes — but it’s still important to make sure your terms and conditions, privacy notice, and cookie policy are up to date to reflect how you collect and use contestants’ info.
For example, consider incorporating a section into your privacy policy that highlights each piece of data collected during the competition and what you are doing with it. Spelling out each point will help cover your company in the event of an investigation.
Your contestants will appreciate and respect you for taking the time to break down your practices. This could set you apart from other contest leaders and help you build user trust and engagement!”
Want to know more? Watch this video of Suzanne Dibble’s GDPR compliance pack which you can customize to your needs.
Will the GDPR Hinder the Creation of Custom Audiences?
If you have existing data on your platform, whether from email lists, LinkedIn, or other groups, you can be considered a data controller.
A data controller is a person who determines (either alone or with others) the purposes for data and the manner in which it is processed.
Note: processing means everything from obtaining, recording, or holding the information to restructuring, adapting, or altering it. It even covers disclosing or transmitting it. (See the full GDPR definition for all of the details.)
If you’re a data controller, you can still create custom audiences, but — as with other online marketing tactics — you must have a clear privacy notice (see question #4) and lawful grounds for data processing.”
Be sure to keep existing custom audiences up to date, in line with email lists. If certain users have opted out of emails, they should be removed from all other custom marketing lists, as well. To stay safe, refresh custom audiences on a weekly basis!
Can Advertisers Use Existing Custom Audiences Uploaded Prior to May 25 2018?
As we’ve said before, under current regulations, you need to prove legitimate interest among your target audience(s) to receive your or your third parties’ content.
After the 2019 update to PECR, marketers will also have to show audience consent. Make sure you update your cookie policy accordingly.
Take the time to spell out for users without a technical background exactly what a cookie is and how it helps sites collect data.”
As the above example from The Guardian illustrates, it’s also critical to provide a link on how to disable them.
After the GDPR, Do Marketers Need a DPA?
A DPA, or Data Processing Agreement, is required when marketers use third parties to process data under their instructions.
This could be adapting, otherwise altering, or simply moving the data.”
This note from the U.K.’s supervisory authority, the ICO, explains more about processors.
It’s important for marketers to clearly define themselves as a data controller and/or data processor to help mitigate against liability in the event of a data breach, as well as designate responsibilities with third parties they work with. Given sensitive operations, it is always important to exercise strict judgment with processors.
You may place the relevant processor clauses in your electronic terms and conditions. It does not need to be in hard copy (i.e., printed, signed, scanned, and sent back).”
To make sure you hit the major points in your DPA, see Suzanne’s small-business resource.
How Will the GDPR Affect Companies’ Use of Facebook Pixel?
Facebook Pixel is a cookie-like code for your website that allows you to measure, optimize, and build audiences for ad campaigns.
For example, when someone visits your website and makes a purchase (or even places an item in their cart), this triggers the pixel, which records the action and stores it for later knowledge.
Marketers use Facebook Pixel to better understand user behavior and interests and create more targeted content.
After the 2019 PECR updates, there will be more emphasis on browser settings. Instead of passively accepting the inevitable use of their browser history by website hosts, users are required to actively select third-party cookies.
Take steps now, such as creating a clear tick box for consent for the use of cookies (see question #2) to get ahead of the game!
Facebook suggests using this API to pause the sending of pixel fires to Facebook.
After your users grant consent, you can reactivate.”
If You’re a Marketer Located Outside of the EU but Occasionally Handle Requests of EU Citizens, Are You Subject to GDPR Rules?
The real question is, do you process a significant volume of personal data of EU citizens and/or have an intention to sell it (regardless of location)?
If you have a few extraordinary data points (one-offs of EU customers), this is less of a concern; however, it’s still important to be comprehensive.
In the past year, the most expensive data breaches came from third-party processors.
If you aren’t processing personal data of EU subjects as a data controller (i.e., you don’t have anyone on your email list from the EU), the GDPR may still apply to you if you are processing the personal data of people within the EU for your clients.
If you’re processing even a small amount of personal data of someone in the EU, you need to be sure that you safeguard it at all stages of the pipeline.”
As a third-party processor, AdEspresso sent this email following the GDPR rules
It can’t hurt to cover all of your bases.
Do GDPR Rules Apply to WhatsApp Messages?
The GDPR applies to any processing of personal data, including WhatsApp messages. If you are collecting information via WhatsApp, you need to:
- Obtain consent or demonstrate your legitimate interest
- Spell out how you are processing that data in your privacy notice
- Provide notification of the right to opt out of future processing (if relying on legitimate interests)
Add a message to your WhatsApp marketing content that links to a privacy notice, describes the reason for obtaining data about the message recipient, and a quick way for the recipient to opt out.
2019 updates to PECR updates will apply to WhatsApp messages, along with Skype messages, Facebook Messenger, and any other type of messenger platform — meaning that consent will need to be obtained!”
PECR and the GDPR are complementary; however, the PECR adds an extra layer of detail regarding electronic marketing (including calls, texts, emails, faxes, and, going forward when it is revised, other types of messenger platforms and display advertisements).
Last famous Words!
You never want to be caught off guard.
Even if you’re a small team and don’t think you’ll be a target for regulators — or you don’t really have a presence in the EU and think the new rules don’t apply to you — think again.
Marketers of all shapes and sizes must do thorough research to know where their gaps are and what they need to do to improve their practices around personal data.
You don’t want to be slapped with a fine and suffer bad brand PR that could sink your business.”
What do you think? Are you happy with what you did to be GDPR compliant? If you have further questions, add them in the comments below.
Suzanne Dibble is a multi award-winning business lawyer with vast experience. She is very commercially minded and clients appreciate her practical, jargon-free solicitor’s advice.
In her spare time, Suzanne loves learning about internet marketing and spending time with her young family.
Ask her any business law question on Facebook, Twitter, LinkedIn and Pinterest.
In the ‘If You’re a Marketer Located Outside of the EU but Occasionally Handle Requests of EU Citizens, Are You Subject to GDPR Rules?’ point, surely the example email isn’t GDPR compliant?
‘Note : This isn’t a marketing or promotional email; it is a legal notice that is required to be sent to all AdEspresso contacts, which is why you are receiving this email even if you have opted out of previous AdEspresso marketing emails.’
If users have previously opted out of marketing, I was under the impression that you can’t knowingly contact them and attempt to opt them into marketing again? This is exactly what Honda did last year, and they were fined by the ICO for it.
Nice and an informative article!
Suzanne, thanks for this.
It feels like there was a lot of hype and hesitation around how we should be handling GDPR here in North America. And although some of it may have been overblown, it now feels like we’ve swept it under the rug – which will probably leave us all scrambling once the first company gets made an example of. Anyways, thanks again for the article.