GDPR and Its Impact on Digital Marketing

Digital Marketing
OCTOBER 24
Section: C
Authored by: Abhishek Chaudhary
Roll No: 190103202

Introduction

What is GDPR?

GDPR is a set of regulations on data protection and privacy, implemented in the European Union (EU).
It stands for General Data Protection Regulation. Basically, it is a set of rules newly designed to
allow EU citizens to have more control over their personal data in the digital age. It was a part of
the reforms that the European Commission planned to make Europe ready for the upcoming digital age.
The GDPR was agreed upon in April 2016, was made effective from May 25, 2018, and has replaced the
existing Data Protection Directive 95/46/EC. The aim behind implementing GDPR is to simplify the
regulatory environment for businesses as well as consumers/citizens. The reforms are designed in the
light of the rising information age, where data sharing is the new normal, around data privacy,
protection and consent in the EU.

Today, almost every routine activity of ours revolves around data transfer. Every service that we use
today collects and analyzes our data, for example social media (Facebook, Twitter), banks, e-commerce,
government, etc. These services collect personal data like name, address, e-mail, images, etc. But with
these data-collecting services, data breaches are bound to happen, and that is where GDPR comes in.
There are six legal bases regarding data collection and processing in the GDPR, namely consent,
contract, vital interests of data subject, legitimate interest, legal obligations and legitimate interest.

What are the Requirements to be GDPR Compliant?


Under the terms of GDPR, some of the key privacy and data protection requirements are:
1. Obtaining the consent of the data owner or controller before collecting data
2. Protecting privacy by making the data anonymous while processing
3. Notifying the users within a stipulated time if there is a data breach
4. Keeping the data storage and transfers safe and secure
5. Appointing a data protection officer in certain companies

So, in simple words, GDPR is a set of basic guidelines that a firm needs to follow to conduct any
operations in the digital space in Europe or concerning European citizens. Companies that fail to
comply with these rules are subject to stiff penalties.

Who Does GDPR Apply to?


GDPR applies to all the businesses operating inside the EU as well as the companies outside the EU
that provide goods and services to customers or businesses in the EU. So, every major global firm
needs to be GDPR compliant in order to continue its operations in Europe.

This legislation applies to two different types of data handlers, namely data controllers and data
processors. Both of these types are explained below.

Data controllers are the ones who are treated by the GDPR as the main parties responsible for
giving consent and access to the data. As Article 5 of the GDPR says, ensuring lawfulness, fairness and
information transparency are the responsibilities of the controllers and fall under their purview. A
controller decides the purpose and processes to be used to analyze the data. Data controllers are
considered the most responsible regarding the protection of the privacy rights of the user. An example
is the owner of the website of a hotel. Moreover, the controllers need to collect and maintain lists of
data processing activities from all the processors they are working with, and need to present them to
the authorities when requested.

Data processors, on the other hand, are the ones that simply analyze and process the data according
to the terms dictated by data controllers. A processor is a third party that has been selected by the
data controller to use and process the data. Processors do not own the data, nor do they control it,
and hence they cannot use the data for any other purposes. Continuing the previous example, the hotel
company will use Google Analytics to process the data to represent it in an insightful and quantifiable
form. Here Google Analytics is the data processor. The processors also cannot use any other
processor without the permission of the controller in an existing contract. They are also supposed to
maintain a list of all the processing activities for all the controllers they are accepting data from.

Moreover, controllers also need to ensure that the contract with the processors complies with the
GDPR.

Fines and Penalties for Non-compliance of GDPR


Along with the norms, the fines and penalties for non-compliance are also made stiffer in GDPR than
in the previously active Data Protection Directive (DPD). The national authorities are given more power
than under the previous DPD. They are given investigative as well as corrective powers, like issuing
notices and warnings, ordering the erasure of data, issuing memos dictating changes to be implemented
within a certain deadline, etc. Both data controllers and data processors are subject to the execution
of these powers.

Apart from these, the national authorities can also impose fines on the companies, depending upon
the incident or case of non-compliance or data breach. For the firms that fail to comply with the core,
fundamental or critical GDPR requirements, the fine is up to 20 million euros or 4% of the annual
turnover, whichever is higher.

What are the basic rights of the citizen under GDPR?


GDPR provides the following 8 basic rights to the individuals:
1. Right to Access – Under this right the individual can ask the company for access to his
personal data that is being collected and ask what processes are performed on it.
2. Right to Data Transfer – Individuals have the right to transfer their information from one
company to another.
3. Right to Object – This right gives individuals the power to stop the processing of their data for
direct marketing purposes, at any point in time. The company has to abide by it, as there
are no exemptions.
4. The Right to be Informed – Under this right the individual needs to be informed about the
information to be collected, before it is collected.
5. The Right to be Alerted/Notified – In case of a data breach the user has to be notified about
the incident within 3 days of occurrence or of the company becoming aware of the breach.
6. The Right to be Forgotten – If the customers want, they can withdraw their consent from
allowing companies to collect and process their data, and they have the right to have the data
deleted from the company servers.
7. The Right to have Information Corrected – This empowers customers to update their data if
they feel that it is outdated, inaccurate or incomplete.

How Does GDPR Impact Digital Marketing?

It has been more than 2 years since the GDPR came into effect, and it has triggered various paradigm
shifts in the ways in which businesses operate in the digital space. Following are some of the aspects
that are observed in the digital marketing industry after the implementation of GDPR:

More Power to the Customers


With the GDPR implementation and its stringent laws regarding non-compliance and stiff penalties,
the customers are given more power to choose what personal data they share and with whom.
As consent is at the core of GDPR, it has enabled customers to demand more transparency from
the companies regarding the usage of their data. This has a positive impact for the businesses as well,
as the customers feel that their data is more secure since the firm holds the accountability if anything
happens to their data.

Examples
1. The apps on Google Play ask for permission to access various data like images, contacts,
etc. upfront, before the user starts using the app.

More Personalized ads for the Customers


This has led to a more personalized experience for the customers. Thus, many firms claim that post
GDPR, though their list of prospects was down, their sales have increased. This has eventually
increased the ROI of the firms on their digital marketing efforts. A smaller target market has allowed
the marketers to shift from generalized communication towards more accurate and tailored
communications to the customers. This is especially true for email marketing. GDPR enforcement has
forced the companies to adopt a more user-centered approach and focus on the user's wants and
needs in every email that is sent to the user.

Examples
1. The unsubscribe option given in e-mails along with relevant content that the user has
searched for in the near past.

Appropriate Tools and Technology


Marketers believe that the GDPR implementation has made their marketing efforts more difficult and
costly. However, companies are still willing to go along with it as these charges are minuscule
compared to the heavy fines and penalties that GDPR demands for non-compliance. Apart from
preventing breaches, it is also the responsibility of the data controller to provide the user with
information on how his/her data is used. Hence, they also need to put accurate tracking systems in
place that monitor and save the processes conducted on data at each and every stage.

Also, firms like Google and Facebook are required to make their collected data transferable to other
businesses. This regulation somehow disincentivizes the process of data collection, due to the sharing
of data with a probable competitor.

More Usage of Contextual Advertising


Contextual advertising is a form of advertising that appears on a webpage related to the content of
the page. Ads appear on the page on the basis of keywords.

Native advertising is a form of contextual advertising that the firms have been using even before
GDPR implementation. In this form, the sponsored ads are positioned and designed in a way that they
appear to be a part of the content on the page. However, this form of advertising is also sometimes
regarded by the users as a deceptive technique.

Behavioral advertising is another form of contextual advertising in which ads are designed on the
basis of the user's behavior rather than targeted on the basis of the keywords used by the user.

Though these forms of advertising are difficult to implement and execute, firms believe that such
practices are the future and will be highly common as we move into the future.
