Glossary Data Protection & Privacy
Below you can find a list of commonly used terms that are useful to understand in order to communicate appropriately with your customers, service providers and colleagues.
What is ‘anonymisation’ or ‘pseudonymisation’?
Marketers often talk about anonymised or pseudonymised data, for example in (Google) Analytics accounts. They simply assume that in the context of GDPR no personal data is processed in these cases. However, a certain measure of caution is advised.
‘Pseudonymisation of personal data’ means this personal data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. An example is an analytics identifier that doesn’t identify the person by name but that does contain a host of information on the underlying person: information that, by linking it with, for example, an IP address or device fingerprints, will be able to identify a person in the future. Pseudonymised personal data does remain personal data under the GDPR.
In order to speak of ‘anonymous data’, it must be definitively and irreversibly impossible to identify a person. The French and Irish authorities, among others, have quite rightly pointed out that often personal data regarded as anonymous is in fact anything but anonymous, because at some point it can indeed be traced back to a specific individual, for instance by linking several databases. In a marketing context this is the case with analytical data, for instance. This also goes for ‘anonymous’ user profiles. However, when someone creates an account, for instance, the profile can retroactively be linked to that particular person. So caution is in order and a thorough investigation is necessary before you conclude that you only process anonymous data.
What is the meaning of ‘accountability’?
The GDPR contains surprisingly few absolute prohibitions. A great deal is left to the discretion of the data controller. This is based on the principle of accountability. Anyone wishing to collect or process personal data must be able to show at any given time that the collection is proportionate and justifiable. This means that anyone wishing to use personal data is responsible for investigating whether this can be done in compliance with the GDPR rules. You are also responsible for proving that you effectively researched your compliance with those rules in advance. Failing to do so and acting without consultation may result in substantial fines.
In other words, accountability obliges you to
For marketing and webshops this means that you must reflect in advance on the impact of every new action, loyalty card, website or webshop, new tools or apps, purchase or hire of data, ... and that it is best to properly document that prior reflection in meeting reports, internal advice or even in formal impact assessments. The new heatmapping tool you have been using for a while turns out to be as leaky as a sieve and permanently forwards data to third-party companies? This will have legal consequences unless you can show that you tried to correctly assess the risks in advance and ensure safe and accurate processing.
What is ‘automated decision-making’ and ‘profiling’?
The GDPR contains specific provisions designed to curb so-called automated individual decision-making (decision-making based on automated means without human intervention) and profiling (automated personal data processing with a view to evaluating certain aspects of an individual). For marketing campaigns these are actions based on target audiences, segments, target groups or specific profiles.
Automated decision-making and profiling require absolute transparency, (almost always) explicit consent, and the right to oppose the automatically taken decision or the profiling.
What is a Customer Data Platform (CDP)?
A Customer Data Platform contains applications that have as their primary functionality the creation of a single customer view by linking data from different sources to a unique person.
What is a data breach?
A data breach is any breach of the security of personal data. It doesn’t matter whether the breach was accidental or intentional, whether the cause is internal or external, whether there is malicious intent or the breach involves major, minor or no consequences or risks.
So the concept of a data breach is very broad and not only comprises hackings and data leaks but also emails with confidential data that are sent to the wrong recipient, former employees who still possess personal data, password carelessness, cryptolockers, employees exceeding their authority, loss of a laptop containing personal data on a train, etc.
GDPR stipulates an obligation for the data controller (and not for the processor!) to notify the Data Protection Authority within 72 hours of discovery of the data breach. If risks for the individuals are unlikely there is no need to report this. Also, in some cases it is compulsory to notify the data subject(s). This is the case when the incident is likely to result in serious risk for the data subject(s).
What is a 'Data catalogue'?
A storage place for so-called “metadata”. Metadata are information about data. They offer essential details and context that describe different aspects of data, such as the content, structure, source, classification and significance. Metadata help users to effectively understand, manage and use data. This leads to a better organisation, easier retrieval and analysis of data. Metadata play a crucial role in data management and data governance processes.
What is 'Data classification'?
Any form of dividing up data assets into categories. Within the GDPR and data security framework, classification is used primarily in order to indicate whether data are indeed personal data and/or data in one of the categories of article 9 (the so-called "sensitive" personal data). For security we know e.g. the confidentiality classification of ISO 27001 which indicates, with its 3-5 classes, the extent to which documents or data may be shared outside the organisation. For example: public data, internal data, confidential data.
What is a 'Data lake'?
A data storage place for all your structured and unstructured data. You can store your data just as they are, without first having to structure them. You can perform different types of analyses, from dashboards and visualisations to data science, real-time analyses and machine learning in order to make better decisions.
What is a 'Data lakehouse'?
A data storage place that combines the best aspects of data warehouses and data lakes into a single solution for data management. In a data lakehouse the data are (amongst other things) provided with a semantic layer which ensures that you can properly interpret the data.
What is ‘data minimisation’?
Article 5, I., c of the GDPR stipulates that data controllers must limit the collection of personal information to what is “adequate, relevant and necessary in relation to the purposes for which it is processed”.
In practical terms for your organisation: you can only collect personal data insofar as it is truly necessary to achieve the proposed goal. The GDPR starts from a ‘less is more’ principle. This is often very different from the approach of big data and detailed profiling, whether or not based on AI. In this approach every snippet of information can be relevant in the future.
The principle of data minimisation requires a fair amount of discipline from those wishing to use data. With every data collection you must ask yourself whether certain information is indeed relevant and necessary. If it isn’t you simply can’t store it, not even if the data subject is prepared to share it. This clearly goes against the trend of collecting ever growing volumes of (big) data. It is a trend that assumes that everything that isn’t useful yet may become relevant in the future.
What is a ‘data processing agreement’?
GDPR goes one step further to ensure appropriate security. The regulation obliges you to first investigate all external processors (email marketing partner, direct mail partner, online marketing partner, hosting partner, heatmapping tools, analytics tools, cloud-based CRM tools, lead generation tools, ...) who process personal data on your behalf. Working with them implies they offer sufficient guarantees in terms of data security. Based on article 28 GDPR these guarantees must be included in a so-called Data Processing Agreement (DPA). Working with a processor who doesn’t offer adequate guarantees or without a signed data processing agreement can give rise to extremely high fines.
What is a ‘Data Protection Officer’ (DPO)?
A DPO is a person (or more and more often a team) that is appointed inside or outside the firm and that monitors compliance with data protection rules within your organisation. The DPO is also the internal and external contact for complaints by individuals and questions to the Data Protection Authority.
Both data controllers and processors are obliged to appoint a DPO in the following cases:
In other situations appointing a DPO is often useful but not mandatory. Exercising the role of DPO correctly comes with its fair share of questions and challenges, which we will discuss in detail later.
What is 'Data quality'?
The criterion for how suitable data are to serve their specific purpose. Properties of data quality include e.g. accuracy, completeness, consistency, validity and uniqueness.
What is a ‘data register’ or record of ‘processing activities’?
The data register is an overview that both the data controller and the processor must create. It gives a full and detailed overview of all processing activities within the company. For each of these processing activities you must list the information required by the GDPR. This includes the details of which data is processed, what the legal grounds are for this, the origin of the data and where it is kept, with whom the data is shared, how long it is kept, etc.
The register is therefore a kind of mandatory account of how you handle personal data. It must be kept up-to-date: the Data Protection Authority can demand access at any time. There are a number of exceptions to this mandatory register yet they hardly ever apply.
What is ‘data security’?
Cyber attacks are constantly making headlines these days. Cryptolocker attacks capture most of those headlines but under the radar companies just as often fall prey to pure hacking and data theft. Cyber criminals also notice that their online activities yield results: the profits from crime are huge while the odds of being caught are minimal. Also, the days when internal staff were digital illiterates are long gone. In conflict situations they know all too well how to exploit the digital vulnerabilities of their employer. In other words, cyber risks are ever-present and often come from unexpected quarters.
However, guaranteeing data security is one of the cornerstones of the GDPR. Article 5, I., f, article 24 and article 28, 3, e state that the GDPR obliges both the data controller and any processor to take “all appropriate technical and organisational measures” to ensure “appropriate security”, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technology. Cyber security and the GDPR are inextricably linked.
This is without doubt one of the vaguest provisions of the GDPR. What are “appropriate technical and organisational measures” and what exactly is “appropriate security”? For a better understanding we must return to the accountability we described earlier. Any business or department must perform a risk analysis for their internal operation. Based on a ‘risk-based approach’ you must subsequently eliminate the greatest risks first, taking into account the risk but also the technical, financial and organisational possibilities. It is important in this regard to properly document everything. That documentation shows that for every identified risk, you do everything in your power to choose the most ‘appropriate’ solution in light of the context.
So what are those risks and the appropriate technical and organisational measures in a marketing or webshop department? Here are a few classics to illustrate. However, the list is not exhaustive and depends on your specific situation.
What is a 'Data warehouse'?
A data storage place, designed to make possible and support business intelligence (BI) activities, in particular analyses. Data warehouses are intended to conduct queries and analyses and often contain large quantities of historical data.
What are ‘legal grounds’ and what are the legal grounds of the GDPR?
Under the GDPR personal data processing is in principle prohibited, except when you as data controller can invoke one of six exhaustively listed legal grounds. In the course of this guide we will get back to the legal grounds and the specific challenges involved in every one.
These are the six possible legal grounds:
Incidentally, for specially protected or sensitive data even stricter conditions and additional legal grounds apply. In principle, this type of personal data can only be processed with the freely given, prior, informed and explicit consent of the data subject.
What is ‘personal data’ and what is ‘processing’?
Marketers and lawyers sometimes give a different interpretation to the term ‘personal data’ and have a different understanding of when they should be processed. This is particularly the case with ‘indirect’ data. You often hear things like: “I set up our analytics account anonymously so it doesn’t process personal data”. From a marketer’s point of view this is correct. He or she doesn’t ‘know’ who is behind an analytics identifier and cannot directly link the analytical data to an actual person.
What do the regulations say? An item of personal data is every snippet of information that can be used to identify a person directly or indirectly, now or in the future, alone or with the help of others. In this context ‘identify’ doesn’t necessarily mean you can put a name to someone - also known as name and address details (‘NAW’) - but it does imply that person can be isolated from the group and recognised as an individual. This means that information about someone that was processed ‘without a name’ must nevertheless be regarded as personal data. For your marketing, sales and webshop this can be profile information (analytics identifiers and all related data), browsing or purchase behaviour, results of heat mapping or A/B tests when it is linked to an identifier. Even IP addresses, MAC addresses, fingerprints or customer profiles in e.g. Server Side Tracking solutions are usually personal data.
What is a ‘personal data controller’ and what is a ‘processor’?
The data controller determines for what purpose and how personal data is processed. If your company or organisation decides this itself, then it is a data controller. Examples include the optimisation of the browsing experience on a website or offering personalised advertising. The means of processing are about two things: the technical modalities, such as the use of cookies, and how the data is processed. For instance: which data is processed, who has data access or when is data deleted.
As the term itself indicates, a processor processes personal data for and on behalf of the data controller. The processor is usually an external partner, service provider or subcontractor and is therefore not a part of the organisation. Examples of processors include an archiving service for e-filing, a cloud service provider for data storage or an external IT service provider. Important: cloud solutions and online tools for analytics, SEA, e-mail marketing and newsletters usually process personal data and are therefore ‘processors of personal data’ according to the GDPR.
What is ‘privacy by design’ and ‘privacy by default’?
‘Privacy by design’ and ‘privacy by default’ oblige data controllers to respect the privacy of personal data to the maximum extent in new software, new apps, new tools, new websites, … This means that the webshop/website must guarantee technical safety (SSL, encrypted transmission, etc.). It also means that the collection of personal data via the website must be GDPR-compliant (proportionality, purpose limitation, minimisation, etc.). This is primarily reflected in mandatory account creation, the use of cookies and data fields in application forms. Doing all this correctly will require a prior data protection impact assessment (DPIA).
What is ‘personal data processing’?
In this context the term ‘processing’ refers to every use of personal data. The GDPR lists ‘the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data’. This processing is done either by the personal data controller, or on his or her behalf by a processor designated by him or her.
What is ‘purpose limitation’?
Purpose limitation is the basic principle that deserves the most attention. Article 5, I., b of the GDPR states that data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
What does this mean? For all processing activity you must specify a clear purpose beforehand (“why are we processing this data?”). The collection and processing of this data must only be used for this specific purpose.[1] Moreover, as a company you must make those purposes known to the persons whose personal data you are collecting. After all, this is part of your transparency obligation. We will get back to the exceptions later but for now remember that the data in question must not be ‘reused’ for other purposes.
Let’s take a closer look at the principle of purpose limitation. A classic example is the organisation of an online competition on your own action page or possibly via social media. Entrants must answer questions and leave their personal details to stand a chance of winning a nice prize. The main reason the entrants are leaving their name and email address is to make it possible to contact them if they should win the prize. That is the initial purpose for which they shared their contact information and basically this is also the only reason (or purpose) for which their data can be used.
But for a marketer pleasing customers is obviously not the only reason for organising such an online competition. The underlying reason is usually database enrichment: you want to be able to add new contacts to your database or supplement existing contacts with additional information. Nevertheless, you can’t simply add the entrants’ data to your marketing database as this is not the goal for which the entrants shared their data with you. If you wish to add the entrants’ data to your marketing database then this is a second, unrelated purpose. Later in this guide you will see that a separate legal ground is required for this. In all likelihood this will be a form of consent or an opt-in.
[1] A. Focquet and E. Declerck, Gegevensbescherming in de praktijk, Antwerp, Intersentia, 2019, 17 and WP 29, Opinion on purpose limitation, 2 April 2013, no. 03/2013.
What is ‘retention period limitation’?
Article 5, I., e states that data must be processed “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed”.
In other words, personal data must not be kept indefinitely. The term for this is restricted and depends on the purpose for which the data is collected or processed in the first place. When that purpose is achieved you must either delete the data or definitively anonymise it.
The difficulty is that the GDPR itself doesn’t establish any specific retention periods. The basic principle of accountability obliges you before every processing activity to examine and document (in the data register or the register of processing activities) how long a specific set of personal data remains relevant. In short: the retention period varies from one case to the next.
What are the ‘rights of the data subject’?
GDPR grants a wide range of rights to the person whose data is being processed (‘data subject’). These are nearly absolute and there are very few - and very limited - exceptions to those rights.
For instance, every data subject has the right to access his or her personal data, to receive a copy, the right to rectify errors or have incomplete personal data completed, the right to withdraw consent at any given time or to oppose any further processing on grounds other than consent or even to have his or her data erased, together with several other, less common rights.
If you receive a request from a data subject who wishes to exercise his or her rights, you have an obligation as a data controller to react ‘as soon as possible’, and in any case within 30 days following receipt of the request. If you need additional information to process the request (e.g. proof of identity) then this term starts once you have received that extra information. In very specific and exceptional cases the deadline for reply can be extended by a maximum of two additional months.
What is ‘sensitive’ or ‘specially protected’ data?
The GDPR considers certain personal data as ‘specially protected’ due to their sensitive nature. This data is exhaustively listed in articles 9 & 10 and their processing is subject to even stricter conditions. Examples include data revealing race or ethnic origin, political opinions, religious or philosophical beliefs or union membership, and the processing of genetic data, biometric data with a view to the unique identification of a person or health data, or data regarding someone’s sexual behaviour or orientation and also criminal data.
If you want to process this type of data it is best to obtain individual advice. In any case, due to the concise nature of this chapter it is not possible to discuss the processing of this sensitive data in detail. Specially protected data sometimes crops up in unexpected places. Indeed, data on lifestyle, sporting performance or nutritional preferences may also turn out to be sensitive information.
What is ‘transparency’?
Transparency is the first prerequisite for trust. Being transparent about who you are as an organisation, what you stand for and how you approach the privacy of your customers and followers is the cornerstone of any long-term relationship. Transparency has its rewards but it is also one of the basic obligations in data protection regulations. If you want to process personal data you must provide maximum transparency for the person in question.
What transparency entails exactly is outlined further in this guide. At the heart is a detailed privacy policy in which, among others,