In my personal opinion, the GDPR will permanently change the world of business, especially online. Above all, certain lawyers who specialize in warning letters pose a big problem. They deliberately contact businesses that give the impression of not working in compliance with the GDPR and then demand corresponding sums of money in return for not reporting them to the data protection authorities.
Basically every vendor and affiliate is affected by the GDPR, since he or she primarily deals with personal data in day-to-day business. Developing a customer and prospective customer list is one of the most central aspects of online business. As this involves personal data, and both lawyers and consumers have the GDPR on their radar, I think that warnings and “penalties” will often be carried out in a very media-savvy way.
Note: The picture that I personally have of the future is that the “landscape of entrepreneurs and self-employed people” is becoming more “professional”. Consequently, it is being “adjusted”: those who cannot or do not want to work according to EU regulations drop out, since implementing the EU regulations requires a lot of time, money and energy. The data collection practices operated by many companies come with extremely high risks.
Note: Theoretically, companies located outside of the EU are harder for local data protection authorities to “reach”; however, they are likewise subject to the law. I doubt whether such foreign companies actually enjoy increased “protection” from EU authorities. After all, the world’s authorities are well connected internationally. Therefore, in our company, we place great importance on the strict EU data protection standard and we trust that this is honored by customers and partners.
As vendor or affiliate, you ensure that potential customers and buyers come to your website - whether it’s a “normal” website or a landing page. The following applies: your responsibility begins from the moment you collect personal data, since you determine the purpose and means of processing the data. This automatically makes you responsible and therefore also liable.
You might use tracking tools such as Google Analytics or plugins which help you to analyze customer behavior on the website. When using such tools, I advise you to urgently clarify the extent to which personal information is processed. If the data is not anonymized at the start of processing, you need a valid legal basis as defined in Article 6 of the GDPR. This is typically consent from the data subject.
Note: The topic of “tracking”, for example via cookies, is governed by the E-Privacy Regulation, a subsidiary of the GDPR.
You are responsible for the customers’ and prospects’ data which is processed by you as soon as you have, for example, convinced them to fill in one of your opt-in forms. Usually, a company also has employees. You also process their personal data - of course on legally underpinned justifications. More about that later.
If you are a vendor or affiliate, you gain economic value from your customers’ personal data. Therefore, it is advisable to take a proactive strategic attitude regarding data protection in your business. From a practical point of view, you should always make sure that the processes for GDPR compliance, especially regarding Art. 5 GDPR (the 7 principles), are examined in your corporate strategy before you establish a new process in the business. Naturally, this also applies retrospectively to existing processes.
Informed, proactive and purposeful consent is a recognized form of justification for data processing. Many processing operations, such as sales transactions or, at a guess, also a seller sending emails directly to his or her customers, do not require separate consent (this is your own personal risk: if you want to be absolutely sure, you should obtain consent from prospects explicitly via a checkbox opt-in form). You can, however, also argue with your legitimate interest (Art. 6(1)(f) GDPR/DSGVO in conjunction with recital 47 - direct advertising to customers is a legitimate interest). However, I would definitely work with legal consents if it regards an interested party who is not yet a customer.
Note: In some cases, personalized advertising (especially email marketing) can also be classified by authorities, judges, and data subjects as “profiling”. I know this because I have caught wind of it in some conversations with data protection officers who believe this themselves and advised their clients accordingly. As already mentioned, I personally believe that personalized advertising is not profiling as its legal impact does not affect or limit the data subject.
It is possible to insert individual consent texts with checkboxes on the Digistore24 order form. You can find a detailed guide here: https://docs.digistore24.com/knowledge-base/set-up-and-customize-order-form/?lang=en#4-add-individual-input-fields-to-the-order-form
Important: You are not only responsible for obviously collected personal data such as an email address. You also need to remember that you may be tracking and processing IP addresses through widgets and pixel data (this also belongs in your record of data processing activities).
Social media widgets from Xing, LinkedIn, Pinterest, Facebook, and so on already process data as soon as a visitor enters the site - whether the site visitor wants this or not. This is not compliant with data protection law if personal (non-anonymous) data is processed.
In addition, the frequently-used Facebook Pixel requires action.
This tracks website visitors so that Facebook can show specialized adverts according to the visitor’s interests, as well as measure the success.
Examine your web pages, landing pages, etc. and look closely at everything that you have integrated as well as where data is transferred. Please do not forget your newsletter or contact form. We have provided a checklist below that should help you with this.
If you are using Google Analytics, check whether this is appropriately referenced in your data protection declaration. Read more on the topic of data protection declarations in the next chapter.
You can solve the problem of automatic tracking with the free WordPress plugin Shariff (to my knowledge it doesn’t clash with Digimember). Through the plugin, the website visitor decides themselves whether they allow their data to be tracked by the various social networks.
When users visit your site, they must be informed clearly about the data protection implications of Facebook Pixel. The tracking or storage of their data and their rights as the data subject must all be understood by the visitor before tracking goes live. The user must therefore first agree before the code is allowed to be activated. This could be solved through a pop-up.
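One way to implement the “agree first, then activate” rule described above, as an added example that is not part of this course or of any tracking vendor’s code: the pixel loader runs only after an explicit consent has been stored, a stored consent for an outdated version of the privacy text is ignored, and withdrawing consent unloads the tracker. The storage key, the version string and the `loadTracker`/`unloadTracker` callbacks are assumptions; in a real page they would be `localStorage` and the code that inserts or removes the pixel script tag.

```javascript
// Added example: consent-gated activation of a tracking pixel. Storage and the
// loader are injected so the gate runs without a browser and is easy to test.
const CONSENT_KEY = 'tracking-consent';        // assumed storage key
const PRIVACY_TEXT_VERSION = '2018-05-25';     // bump when the privacy notice changes

function createConsentGate({ storage, loadTracker, unloadTracker, now = () => Date.now() }) {
  let trackerActive = false;
  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;                     // nothing stored: treat as no consent
    try { return JSON.parse(raw); } catch (e) { return null; }  // corrupt value: no consent
  }

  // Only an explicit "granted" for the current privacy text counts.
  function isGranted() {
    const rec = readRecord();
    return !!rec && rec.decision === 'granted' && rec.version === PRIVACY_TEXT_VERSION;
  }

  // Called from the pop-up buttons with 'granted' or 'denied'.
  function record(decision) {
    if (decision !== 'granted' && decision !== 'denied') throw new Error('bad decision');
    storage.setItem(CONSENT_KEY, JSON.stringify({ decision, version: PRIVACY_TEXT_VERSION, at: now() }));
    return activate();
  }

  // Run on every page load: loads the pixel only when a valid consent exists.
  function activate() {
    if (isGranted() && !trackerActive) { loadTracker(); trackerActive = true; }
    return trackerActive;
  }

  // Withdrawing must be as easy as consenting: drop the record and stop the tracker.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
    if (trackerActive) { unloadTracker(); trackerActive = false; }
  }

  // True when the pop-up has to be shown (no record, or a record for an older text).
  function needsPrompt() { const rec = readRecord(); return !rec || rec.version !== PRIVACY_TEXT_VERSION; }

  return { record, withdraw, activate, isGranted, needsPrompt };
}

// Constructed in-memory stand-in for window.localStorage (for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: k => m.delete(k) };
}
```

Wire `activate()` to page load and `needsPrompt()` to the pop-up; the pixel script must not be present in the page markup at all, only inserted by `loadTracker`.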
We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness.