The new regulation affects all professionals in the digital world and how they handle data in their strategies, as well as the processes companies adopt for collecting, managing and storing the personal data of European citizens.
As you might know, the GDPR's definition of personal and sensitive data is more extensive, and in the case of digital marketing it includes the management of cookies, IP addresses, geolocation data and e-mail, among others. Personal data are considered “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR describes this principle as the need for controllers to apply appropriate technical and organizational measures, not only to ensure compliance with the regulation, but also to demonstrate that compliance to the parties concerned and to supervisory authorities.
“The controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.” (74)
Consequently, this could broadly translate into the following: companies should explain the purpose and use of the collected data, the storage measures, and the personnel or entities that have access to such data.
How to collect the consent of the data subject?
Certainly, this is one of the most important aspects that must be taken into account to comply with the GDPR – the collection of data subject consent. This is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”