Glossary Data Protection & Privacy

What is ‘automated decision-making’ and ‘profiling’?

The GDPR contains specific provisions designed to curb so-called automated individual decision-making (decision-making based on automated means without human intervention) and profiling (automated personal data processing with a view to evaluating certain aspects of an individual). For marketing campaigns these are actions based on target audiences, segments, target groups or specific profiles. 

Automated decision-making and profiling require absolute transparency, (almost always) explicit consent, and the right to oppose the automatically taken decision or the profiling.   

What is a data breach?

A data breach is any breach of the security of personal data. It doesn’t matter whether the breach was accidental or intentional, whether the cause is internal or external, whether there is malicious intent or the breach involves major, minor or no consequences or risks. 

So the concept of a data breach is very broad and not only comprises hackings and data leaks but also emails with confidential data that are sent to the wrong recipient, former employees who still possess personal data, password carelessness, cryptolockers, employees exceeding their authority, loss of a laptop containing personal data on a train, etc.

GDPR stipulates an obligation for the data controller (and not for the processor!) to notify the Data Protection Authority within 72 hours of discovery of the data breach. If risks for the individuals are unlikely there is no need to report this. Also, in some cases it is compulsory to notify the data subject(s).  This is the case when the incident is likely to result in serious risk for the data subject(s).

What is 'Data classification'?

Any form of dividing up data assets into categories. Within the GDPR and data security framework, classification is used primarily in order to indicate whether data are indeed personal data and/or data in one of the categories of article 9 (the so-called "sensitive" personal data). For security we know e.g. the confidentiality classification of ISO 27001 which indicates, with its 3-5 classes, the extent to which documents or data may be shared outside the organisation. For example: public data, internal data, confidential data.

What is a 'Data lakehouse'?

A data storage place that combines the best aspects of data warehouses and data lakes into a single solution for data management. In a data lakehouse the data are (amongst other things) provided with a semantic layer which ensures that you can properly interpret the data.

What is a ‘data processing agreement’?

GDPR goes one step further to ensure appropriate security.  The regulation obliges you to first investigate all external processors (email marketing partner, direct mail partner, online marketing partner, hosting partner, heatmapping tools, analytics tools, cloud-based CRM tools, lead generation tools, ...) who process personal data on your behalf. Working with them implies they offer sufficient guarantees in terms of data security. Based on article 28 GDPR these guarantees must be included in a so-called Data Processing Agreement (DPA).  Working with a processor who doesn’t offer adequate guarantees or without a signed data processing agreement can give rise to extremely high fines.

What is 'Data quality'?

The criterion for how suitable data are to serve their specific purpose. Properties of data quality include e.g. accuracy, completeness, consistency, validity and uniqueness.

What is ‘data security’?

Cyber attacks are constantly making headlines these days. Cryptolocker attacks capture most of those headlines but under the radar companies just as often fall prey to pure hacking and data theft. Cyber criminals also notice that their online activities yield results: the profits from crime are huge while the odds of being caught are minimal. Also, the days when internal staff were digital illiterates are long gone. In conflict situations they know all too well how to exploit the digital vulnerabilities of their employer. In other words, cyber risks are ever-present and often come from unexpected quarters.

However, guaranteeing data security is one of the cornerstones of the GDPR.  Article 5, I., f, article 24 and article 28, 3, e state that the GDPR oblige both the data controller and any processor to take “all appropriate technical and organisational measures” to ensure “appropriate security”, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technology.  Cyber security and the GDPR are inextricably linked.

This is without doubt one of the vaguest provisions of the GDPR.  What are “appropriate technical and organisational measures” and what exactly is “appropriate security”? For a better understanding we must return to the accountability we described earlier.  Any business or department must perform a risk analysis for their internal operation. Based on a ‘risk-based approach’ you must subsequently eliminate the greatest risks first, taking into account the risk but also the technical, financial and organisational possibilities.  It is important in this regard to properly document everything. That documentation shows that for every identified risk, you do everything in your power to choose the most ‘appropriate’ solution in light of the context.

So what are those risks and the appropriate technical and organisational measures in a marketing or webshop department? Here are a few classics to illustrate. However, the list is not exhaustive and depends on your specific situation. 

• Sharing your password for the Mailchimp or Google Analytics account with everyone in the team
• Keeping those passwords in a file on the company network or on a post-it at the office
• Using your own devices or home networks when accessing online accounts such as Mailchimp, Hubspot or CMS systems, or more in general when processing personal data belonging to the company without taking appropriate safety measures (antivirus, firewall, VPN double authentication, ...)
• The use of Adtech tools without first investigating the GDPR compliance and safety guarantees these tools can offer. Typical points of concern include offering a data processing agreement, data localisation inside or outside the EEA, data protection by design and default, ...
• The use of self-chosen tools or so-called shadow IT by employees without the knowledge of management and/or IT, and without prior risk analysis
• Calling on external partners (email marketing partner, direct mail partner, online marketing partner, ...) without prior guarantees of GDPR compliance in the shape of a data processing agreement

What are ‘legal grounds’ and what are the legal grounds of the GDPR?

Under the GDPR personal data processing is in principle prohibited, except when you as data controller can invoke one of six exhaustively listed legal grounds. In the course of this guide we will get back to the legal grounds and the specific challenges involved in every one. 

These are the six possible legal grounds:

• Processing based on the prior, freely given, informed and explicit consent of the data subject
• Personal data processing that is absolutely necessary for the performance (or preparation) of a contract with the data subject e.g. the delivery address for an online purchase
• Processing that is necessary for compliance with a legal obligation or permission e.g. in the context of accounting or social law obligations
• Personal data processing necessary for the protection of the data subject’s vital interests e.g. by the emergency services in the ER of a hospital
• Processing (by a government) that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Personal data processing motivated by legitimate interests of the data controller or a third party.

Incidentally, for specially protected or sensitive data even stricter conditions and additional legal grounds apply.  In principle, this type of personal data can only be processed with the freely given, prior, informed and explicit consent of the data subject.

What is a ‘personal data controller’ and what is a ‘processor’?

The data controller determines for what purpose and how personal data is processed. If your company or organisation decides this itself, then it is a data controller. Examples include the optimisation of the browsing experience on a website or offering personalised advertising. The means of processing are about two things: the technical modalities, such as the use of cookies, and how the data is processed. For instance: which data is processed, who has data access or when is data deleted.

As the term itself indicates, a processor processes personal data for and on behalf of the data controller. The processor is usually an external partner, service provider or subcontractor and is therefore not a part of the organisation. Examples of processors include an archiving service for e-filing, a cloud service provider for data storage or an external IT service provider.  Important: cloud solutions and online tool for analytics, SEA, e-mail marketing and newsletters usually process personal data and are therefore a ‘processor of personal data’ according to the GDPR.

What is ‘personal data processing’?

In this context the term ‘processing’ refers to every use of personal data. The GDPR lists ‘the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data’.  This processing is done either by the personal data controller, or on his or her behalf by a processor designated by him or her.

What is ‘retention period limitation’?

Article 5, I., e states that data must be processed “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed”.  

In other words, personal data must not be kept indefinitely. The term for this is restricted and depends on the purpose for which the data is collected or processed in the first place.  When that purpose is achieved you must either delete the data or definitively anonymise it.  

The difficulty is that the GDPR itself doesn’t establish any specific retention periods. The basic principle of accountability obliges you before every processing activity to examine and document (in the data register or the register of processing activities) how long a specific set of personal data remains relevant. In short: the retention period varies from one case to the next. 

What is ‘sensitive’ or ‘specially protected’ data?

The GDPR considers certain personal data as ‘specially protected’ due to their sensitive nature. This data is exhaustively listed in articles 9 & 10 and their processing is subject to even stricter conditions. Examples include data revealing race or ethnic origin, political opinions, religious or philosophical beliefs or union membership, and the processing of genetic data, biometric data with a view to the unique identification of a person or health data, or data regarding someone’s sexual behaviour or orientation and also criminal data.  

If you want to process this type of data it is best to obtain individual advice. In any case, due to the concise nature of this chapter it is not possible to discuss the processing of this sensitive data in detail.  Specially protected data sometimes crops up in unexpected places.  Indeed, data on lifestyle, sporting performance or nutritional preferences may also turn out to be sensitive information.