Data Protection Marketing (Target Marketing)| GDPR Data Subject Rights

Data Protection Marketing (Target Marketing): The GDPR restricts “profiling” and sets significant GDPR data subject rights to avoid profiling-based decisions.

Advancements in technology have expedited methods for data controllers to gather, analyze, and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions in data protection marketing such as target marketing or price differentiation. This is called "profiling."

Under Article 4(4), data processing may be characterized as “profiling” when it involves

  • automated processing of GDPR personal data and
  • using that personal data to evaluate certain personal aspects relating to a natural person. 

Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

"Profiling” requires some sort of an outcome or action resulting from the data processing, and is underscored by the GDPR data subject rights in which the data subject is informed about the “consequences” of profiling decisions

Articles 13 and 15 cover the GDPR data subject rights and addresses the information to be provided to data subject upon personal data collection and--upon the GDPR data subject's request--both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”

When we analyzed Natuvion customer’s current processing times to meet these GDPR requirements that cover GDPR data subject rights, to produce such report (in a useful format for a data subject) on this data, across heterogeneous landscapes, it takes a minimum of two months, and sometimes much longer.  GDPR requires a response in one month.

This is where SAP Information Retrieval Framework helps.  Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.


Is GDPR consent required for the use of anonymous data?

Is GDPR consent required for the use of anonymous data?

The GDPR sets very particular regulations on consent. With the new regulation coming in May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing data in these systems make GDPR consent no longer mandatory. Natuvion's TDA tool offers a safe way to anonymize data so that it can be safely and rightfully used while expediting the process to full compliance and without the risk of facing GDPR  fines.  

GDPR | Changes for Prospect Management and Prospect Consent

The GDPR changes prospect and customer engagement rules.

The conditions for obtaining prospect consent are stricter under GDPR requirements, as the individual must have the right to withdraw consent at any time. There is also a presumption that consent will not be valid unless separate consents are obtained for different processing activities.

  1. Newsletters | This means you have to be able to prove that the individual agreed to a certain action, like receiving a newsletter for instance. It is not allowed to assume or add a disclaimer, and providing an opt-out option is not enough.
  2. Marketing and sales activities | Companies will have to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices. For example in order to sign up for communications, prospects will have to fill out a form or tick a box and then confirm it was their actions in a further email.
  3. Audit Trails | Organizations must prove that consent was given in a case when the individual objects to receiving the communication. This means that any data held, must have an audit trail that is time stamped and reports information detailing what the contact opted into and how.  It must also be possible to permanently delete data from your CRM systems.
  4. Purchase marketing lists | The company is responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data.
  5. Trade Shows | In the corporate world, sales people meet potential customers at a trade show, they exchange business cards, and they add the contacts to the company’s mailing list when they come back to the office. In 2018, this will not be possible anymore. Companies will have to look at new ways of collecting trade show prospect information.

To learn more about managing your prospect data, schedule a one-day workshop for Natuvion to build your GDPR road map.