The GDPR is here, and for many American marketers and legal professionals, it can seem like a revolution in data-handling rules. However, savvy Brits and Europeans may experience it as a mere extension of long-standing guidelines for the treatment of private data.

To familiarize American marketers and lawyers with the new rules, Econsultancy's very own VP of Research for the Americas, Stefan Tornquist, will be holding a webinar with expert guest Alan Chapell, Lead Attorney and President at Chapell Associates. On July 24th, join Stefan and Alan for an engaging talk, followed by a Q&A session. Register here.

Econsultancy (New York) recently held its first live event on this topic with Alan Chapell – here are some of the key takeaways from the session:

Takeaway #1: All data is personal data

That means that even cached data falls under the umbrella of GDPR, and you are subject to the GDPR if you are operating in the EU, in any capacity.

Takeaway #2: Everyone has a role to play

Gone are the days of unencrypted transfers of sensitive data. Each person in the digital ecosystem has a responsibility, to one degree or another, to protect the personal data of customers that they come into contact with.

While levels of responsibility will vary depending on seniority and the quantity of personal data passing through a given employee’s hands, marketers and legal professionals anywhere would be wise not to become complacent. Fines for malfeasance can be hefty (up to €20 million, or 4 percent of annual turnover). It’s up to every employee to apprise him- or herself of the rules.

Takeaway #3: There is confusion over who’s a data controller, and who’s a data processor

In the words of the Regulation, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

A processor, then, is any company that takes its direction from a controller and processes data. But what does that mean?

Company XYZ may sell a digital product to consumers, but contract a third party to track users’ engagement; in this example, the seller is the data controller (deciding which data to track and obtaining consent from consumers), while the third party is the data processor.

Takeaway #4: You are your partner’s keeper

You may be responsible for data you use that was collected by a partner who didn’t follow the rules, so choose wisely.

This dovetails neatly with takeaway #3: companies that think of themselves as controllers in certain situations, or as processors in others, may be mistaken about the true nature of their role in the data handling process, potentially leading to trouble with regulators.

Takeaway #5: There is "no such thing as full GDPR compliance"

There are a number of ambiguities in the regulation that make “full compliance” a chimera. Feel free to roll your eyes when processors or controllers tell you they are in full compliance. It's difficult to define.

Join our webinar 

Find your way around the new regulations by getting your questions answered during our live Q&A. Submit questions here, and we'll do our best to answer them during the session.

The webinar will be hosted by:

  • Stefan Tornquist, VP Research at Econsultancy
  • Alan Chapell, Lead Attorney and President at Chapell Associates.

Our experts will offer you a unique opportunity to discuss your concerns or challenges around GDPR and get concrete, expert and applicable advice immediately.

Arliss Coates

Published 19 July, 2018 by Arliss Coates @ Econsultancy

Arliss is a Research Analyst at Econsultancy.


Comments (1)


Pete Austin, Founder and Author at Fresh Relevance

Good idea. GDPR compliance rates are extremely low - especially as regards getting valid consent - so it's worth getting more information before deciding what you need to do.

Protips: the ICO in the UK is only taking legal action about twice per week and picking on data breaches and scofflaws. So fix your security first. After that, the main issue is minimising the risk of reputational damage to you.
https://ico.org.uk/action-weve-taken/enforcement/

The issue of what marketing requires consent gets confusing, and I couldn't find a good technical summary, so I produced this...
https://www.linkedin.com/pulse/fresh-relevance-which-types-marketing-require-consent-peter-austin/

25 days ago
