Acquia & GDPR Compliance

This regulation is an important step forward in harmonizing the current disparate data protection requirements across the member states of the European Union.

GDPR Frequently Asked Questions

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a data protection regulation that the European Union issued in order to replace the European Data Protection Directive of 1995. The GDPR directly applies to all member states of the European Union from 25 May 2018 forward. The GDPR applies to organizations both inside and outside the European Union that are processing the personal data of data subjects who are in the European Union (“EU”).

Who does GDPR affect? 

The GDPR applies to organizations located within the EU as well as organizations located outside of the EU that do business with, offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.

What does GDPR protect?

GDPR is focused on the protection of the personal data of individuals in the European Union. Under the GDPR, Personal Data is defined broadly in Article 4 (1) as follows:

“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Some examples of personal data include, but are not limited to: name, personalized e-mail address, mailing address, phone number, dynamic and static IP addresses, etc.

What are the principles of GDPR as it pertains to personal data?

There are six principles to be mindful of in regards to personal data:

  • Should be processed lawfully, fairly and in a transparent way.
  • Should be collected for specified, explicit and legitimate purpose.
  • Should be kept up to date.
  • Should be limited to what is necessary.
  • Should not allow identification of people for longer than necessary.
  • Should be processed in a way that ensures appropriate security.

The GDPR strengthens the rights of individuals in the EU under the currently existing data protection regulations, as well as giving new rights.

How does the GDPR affect data collection?

The definition of personal data in the GDPR (see FAQ3 above) has been expanded to include any single identifying point for a natural person (e.g. the inclusion of dynamic and static IP addresses, job titles, etc.). The effect on data collection is that the collection must be purposeful, with clear intent of use, transparent as well as secure, and legitimate. At any time, users must be aware that their data is being gathered, and know what it’s being used for and why. Users must also have the ability to opt out of one, some, or all forms of data collection and methods of use (even if they previously decided to opt in) and have the right to request that one, some, or all types of personal data, methods of collection, or intentions of use be deleted. So long as this is made clear to users, and the users have accepted the terms of use, companies may continue to collect data as needed for use in marketing.

How does the GDPR affect marketing personalization?

GDPR doesn’t prevent personalization, but as mentioned above, it does change the way marketers collect personal data. Marketers who are informed about GDPR will understand that as long as the gathering and use of personal data is justified for legitimate business purposes and secured (via least-privilege access, access control management, encryption, pseudonymization, etc.), companies may continue to gather personal data from users for marketing efforts. GDPR allows for personalization based on cookies, and the customer needs to comply with applicable requirements such as transparency of cookies, user consent, etc. Acquia’s personalization solutions provide tools for our customers to configure data collection properly, such as the ability to: set cookie duration; set visitor to do not track; anonymize profile; hash any identifier.

Read more: Marketing Personalization in the Age of GDPR

Resources

General Inquiries

If you have questions about Acquia’s policies, terms, archives or other legal and data security topics, we’d like to hear from you.

For privacy inquiries, email: [email protected]    
For DMCA notices and all other legal inquiries, email: [email protected]
For security inquiries, email: [email protected]
Please contact the Acquia GDPR team at [email protected].