Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]

© 2018 TrustArc Inc Proprietary and Confidential Information

PRIVACY INSIGHT SERIES

Winter / Spring 2018 Webinar Program


Marketing under the GDPR:

What You Can and Cannot Do

17 January 2018

#trustarcGDPRevents © 2018 TrustArc Inc Privacy Insight Series - trustarc.com/insightseries

Today’s Speakers

James Koons

Senior Consultant, TrustArc

Darren Abernethy

Senior Global Privacy Manager, TrustArc

(Moderator)

2


Today’s Agenda

• An Overview

• Data Statistics

• The GDPR’s Impact on Marketing

• Practical Tips for Marketers

3



#trustarcGDPRevents © 2018 TrustArc Inc Proprietary and Confidential Information

A Quick Overview

4


Overview

5

Source: TrustArc/NCSA


Some Fast Facts on Data

• 2.7 zettabytes of data exist in the digital universe

today – one zettabyte is 931,322,574,615.48 GB

• IDC estimates that by 2020, business

transactions on the Internet - business-to-

business and business-to-consumer – will reach

450 billion per day

• Akamai analyzes 75 million events per day to

better target advertisements

• Data production will be 44 times greater in 2020

than it was in 2009

6


Overview

7

Source: Symantec




The Impact of the GDPR on

Marketing

8


The Impact of the GDPR on Marketing

9



10



11




Practical Tips for Marketers

12


Collecting & Using Business Cards

13


Sharing Delegate Lists

14


Legitimate Interest and Recital 47

…The processing of personal data for

direct marketing purposes may be

regarded as carried out for a legitimate

interest.

15



16

Article 6(1):

Processing shall be lawful only if and to the extent that at least

one of the following applies:

a) the data subject has given consent to the processing of his

or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to

which the data subject is party or in order to take steps at the

request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal

obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the

data subject or of another natural person;

(continued)



17

Article 6(1) (continued):

Processing shall be lawful only if and to the extent that at least one

of the following applies:

e) processing is necessary for the performance of a task

carried out in the public interest or in the exercise of official

authority vested in the controller

f) processing is necessary for the purposes of the legitimate

interests pursued by the controller or by a third party, except

where such interests are overridden by the interests or

fundamental rights and freedoms of the data subject which

require protection of personal data, in particular where the

data subject is a child.



Recital 70

Where personal data are processed for the

purposes of direct marketing, the data subject

should have the right to object to such processing,

including profiling to the extent that it is related to

such direct marketing, whether with regard to initial

or further processing, at any time and free of

charge. That right should be explicitly brought to the

attention of the data subject and presented clearly

and separately from any other information.

18


LinkedIn

19


Existing Contacts Database and Permission

20


Existing Contacts Database and Permission

21


Possible Action Items & Technology Solutions

22

• Mapping data flows — identifying and inventorying EU personal data

• Revising privacy notices to meet heightened transparency

requirements

• Reviewing webforms and consent language/means — for central

storage and audit trail purposes

• Cookie consent solutions to capture end user preferences

• DPIAs for new marketing initiatives that may involve high-risk

processing

• Automatable systems for managing individual rights requests across

the org (Arts. 15-23)

• Marketing vendors assessments and contract reviews for GDPR

compliance

• Certifications/compliance with 3rd party OBA practices and

implementing AdChoices




Questions?

23




Contacts

24

James Koons [email protected]

Darren Abernethy [email protected]

© 2018 TrustArc Inc Proprietary and Confidential Information

TrustArc - A Leader in the EU Consent Market Since 2012

• TrustArc has been an innovator and

leader in EU consent since 2012

• EU Cookie Consent clients include large

and small companies across all

geographies and industries

• Cookie Consent Manager & Direct

Marketing Consent Manager part of

TrustArc Privacy Platform – designed to

help companies comply with over 40

Articles of the GDPR

• Large and experienced team of TrustArc

Technical Account Managers supports

client implementations




Thank You!

Register now for the next webinar in our 2018 Winter / Spring

Webinar Series “Best Practices for Managing Individual Rights

Under the GDPR” and is due to take place on February 14, 2018.

See http://www.trustarc.com/insightseries for the 2018

Privacy Insight Series and past webinar recordings.

26

http://www.trustarc.com/insightseries