GDPR AND ITS IMPACT

ON DIGITAL MARKETING
Assignment 1- Section A

BY -

MANDAR APARAJIT- 190101059

1|Page
GDPR

GDPR, aka General Data Protection Regulation, is a set of rules which were designed in 2012
by the European Commission to give citizens more control over their personal data. It is
made for the simplification of the Regulatory Environment for the business so both citizens
and companies can leverage the emerging digital economy. The reforms in the GDPR include
laws and regulations around personal data, privacy, and consent. This legislation came into
action across the European Union on 25th May 2018.
We can see our day-to-day life revolves around data. Be it social media usage or shopping
over retail or e-retail or watching movies, data surround everything around us. Almost
everything we use involves the collection and analysis of our personal data. Most
importantly, from our address to credit and number is stored by the organisations.
There are numerous examples of data breaches, leakage of the information, malicious usage-
Cambridge Analytica Scam is one of the examples. These bridges violate individual privacy
and take consent for a ride. GDPR terms make it mandatory for the organisations to ensure
that personal data is not only gathered under strict conditions legally, but also its collectors
are obliged to protect the data from any exploitation. Organisations are required to respect the
right of the owner or otherwise face severe penalties.

Personal Data under GDPR:

Data which is considered personal under the existing legislation includes-

 Name, address, photos, etc

 IP address
 Generic data
 Biometric Data

GDPR is applicable to-

 Organisations operating within the EU

 Organisations operating outside EU but providing goods or services to the customers
or businesses in the EU

Impact of GDPR on businesses:

GDPR regulations apply to every company doing business with the EU, and hence this
legislation extends further the boundary of Europe. Any organisation working on the soil of
Europe have to comply.
According to the European Commission, having a single supervisor authority will make it
simpler, as well as cheaper for the organisations to operate within the EU.

2|Page
Impact of GDPR on consumers:
One of the significant changes GDPR brings is providing the consumers with their
fundamental right to know about their personal data or when it has been hacked.
Organisations will need to notify appropriate national bodies in such cases to ensure
consumers will be able to take reasonable measures against data abuse.
Organisations will need to detail how they use consumer data clearly and understandably. In
line with this, many retail and marketing firms are contacting customers to ask if they want to
be part of their database. Also, customers are provided an easy way to opt-out of these
mailing lists. GDPR also provides' right to be forgotten' in which customers can ask to delete
their personal data to the organisation.

GDPR Fines and Penalties for non-compliance

Fines for the failure with GDPR norms range from 10 million euros to four percent of the
company's global annual turnover, which could count in billions for top firms.
Fines depend upon the type of crime and breach, and also how severe the violation is.
Different penalties for the non-compliance are as follows:
1. Maximum 20 million euros/ 4 % of worldwide turnover
 Infringements of the rights of data subjects
 Unauthorised international data transfer
 Ignoring customer request for access to personal data

2. A lower fine of 10 million euros/ 2 % of worldwide turnover

 Failure to report the data breach
 Failure to build privacy by design
 Mishandling of data

The largest GDPR penalty issued so far is €50m. CNIL, The French data protection
authority, issued the fine to Google in January 2019 after it concluded that the search engine
giant violated GDPR rules on accountability and had a legitimate legal basis for advertising
purposes while processing people's data.

3|Page
Indian Perspective:

After the European Union's General Data Protection Regulation (GDPR), many other
countries have either implemented data protection requirements or are in line to apply them.
India, too, is taking necessary steps in the direction of data protection and trying to enact a
proper data protection framework modeled along the lines of GDPR. Data Protection
Committee (DPC), appointed by the government of India, proposed a comprehensive law on
data protection on 27th July 2018. However, the proposed law failed to weigh the economic
costs and benefits of implementing a GDPR-style law in India.

The proposed legislation, known as the Personal Data Security Act, combines several
elements of the EU's GDPR. These include -

 Notification conditions and prior approval for the use of the person data
 Limitations on the purposes for which businesses will process the data
 Restrictions to ensure that only data required to provide a service is collected for the
person in question
 Requirements for data localisation and the recruitment of data protection officers
within businesses.

The bill is said to provide a comprehensive, cross-sectoral privacy and data protection
framework for India. However, the bill differs from the GDPR in some aspects— The
most notable of these is the introduction of criminal liability for damages resulting
from infringements of the bill, and the proposal to regard the relationship between the
data processor and its customer as a "trust" relationship.

Impact of GDPR on Digital Marketing :

In the world of marketing, everything is surrounded by data. Data is available in abundance.

Marketers are using data increasingly and in a personalised way so as to gather leads,
generate sales, improve customer experience, etc. Maybe this massive use of personalised
data contributed to the need for General Data Protection Regulation. We can study the impact
of GDPR on various aspects of Marketing.
1. Data Collection

Data collection is a core of marketing, and GDPR targets this very first step. In the
past, company can collect any data needed from whichever preferred source, but after
the introduction of GDPR, one can't take data as pleased. GDPR requires six legal
bases for processing data, these are-

4|Page
 Consent
 Contract
 Legal Obligation
 Vital Interests
 Public task
 Legitimate interests

Marketers need to take consent for all the data to be used for marketing.
Contacting data subject without consent and participating in unsolicited
communication are the two violations of the GDPR.
Previously marketers use to rely on implied consent. For example, in email or
SMS marketing, having built-in email lists based on customer orders or use of old
pre-checked checkbox to automatically gather consent to add customers to your
email list. These actions are GDPR violations now. The law demands that consent
be granular, positive, and given freely. Ideally, if a company wants to sign up a
customer for an email campaign and an SMS campaign, then they need to ask for
permission separately for each one using a permission feature, which can be seen
in the case of checkbox.
At a minimum, the consent to marketing must be distinct from any agreement to a
Terms and Conditions or Privacy Policy. Marketing is distinct from agreeing to
the Terms or Buying Agreement and is outside the marketing realm and comes
under the 'contract' legal basis. The contract includes occasions when data need to
be processed in order to meet the contractual responsibilities of a client.
The GDPR needs advertisers to make the opt-out as simple as opting-in. In other
words, consent must be given openly during the customer interaction at all times,
not just within the process of signing up.

5|Page
2. Impact on Targeted Ads

Data targeting, including location targeting and geofencing, enables advertisers to use
data to deliver ads precisely tailored to the preferences of the consumers. This data
still needs to be collected and processed according to the GDPR, including GDPR's
definition of consent.
Not every targeted ad is under the chopping block. If the commercials run are based
on contextual ads and do not use any personal details, then it is acceptable. But if data
like the viewers' geo-location or any other demographic or piece of granular data is
used, then it is crucial to think more carefully about what you're getting, and whether
you're allowed to have that data.
One way is to ask for permission and take consent for contextual marketing, which is
also done by Starbucks. You can opt-in to emails of Starbucks, but you can also opt-in
to targeted advertising based on your behaviour and details:

3. Chatbots

Chatbots are an increasingly famous tool for digital marketers. They cut costs by up to
30%. It is estimated that 85% of customer interaction will take place via chatbot by
next year rather than with a human.

Though primarily chatbots are focused on customer service; they're an equally

significant data collection tool. The main problem with chatbots is making sure to
know what information you are gathering and why you are gathering that information.
It should also be included in the Privacy Policy of the company.
If the organization rely extensively on the chatbots, it may even consider publishing a
privacy policy for Chatbot. PricewaterHouseCoopers asks all its customers to consent
to its version of this statement for the use of its chatbot:

6|Page
4. Affiliate Marketing

In the GDPR, there's no particular clause that targets affiliate programs. It threatens
all data processors and controllers whether you participate in a program or run a
global company. Any personally identifiable data is needed to be treated the same as
done in any other type of marketing.

The Amazon Affiliate Program allows all its participants to use a privacy policy that
discloses their involvement in the program, as well as any data collection or
monitoring. For, eg.

The opt-out is extremely important among affiliate marketers and something of a

sticking point.

7|Page
 Secondary Studies on EU's GDPR

1. The European Centre for International Political Economy published a study that
focused on the external or cross-border implications of the GDPR. The study said that
although the export of US services to the EU would be adversely affected by the
GDPR, the EU's export of services to the United States will be much more negatively
affected. The study also predicted an overall substantial decrease in the EU's GDP —
between 0.8 to 1.3 percent if foreign companies were forced to create companies
within the EU to manage data transfers from EU citizens.
2. Another ECIPE study on the impact data localization requirements in the GDPR state
that if other economies –such as India, Brazil, Indonesia, South Korea, or Vietnam–
also impose similar economic-wide data-localization measures, significant GDP
losses could result. For example, in India it estimates a loss of up to 0.8 percent of
GDP should the country adopt a requirement for localization. The study also predicts
a decrease of up to 1.4 percent of domestic investment in India due to criteria for
localization.
3. Another ECIPE study, "Do Data Policy Restrictions Impact Company and Industry
Productivity Performance? " explains that restrictive data policies do show a
significant negative impact on corporate productivity in sectors that use data to a
significant extent to produce goods and services. It also finds that this impact is
compounded if the company is placed in a country with more stringent data usage and
transmission requirements.
4. L. Christensen and others found through a study that the costs of enforcement would
have an important negative effect on EU SMEs, as GDPR compliance would require
EU firms to redesign their systems and procedures for data protection completely. The
study goes on to note that the search for professionals with the appropriate labor skills
related to data protection (for example, a data protection officer) is also expected to
add "friction" to the EU's unemployment market by impacting a firm's job creation
decisions. This could reduce long-run sectoral employment within the EU by 0.3
percent, and the number of companies themselves could decline by 3 percent
5. Another collection of the literature suggests contradictions between new technologies
and some of the GDPR criteria. For example, one paper argues that the data
processors' unique responsibilities are fundamentally incompatible with big data.
Similar questions were raised about the usage of blockchain and the criteria for
anonymisation and pseudonymisation in the GDPR.

Hence we can see GDPR, andit's extended legislation have a high impact on businesses and
customers. Marketers in the world are making the necessary changes to accommodate the law
as seen the examples above.

8|Page