GDPR Learning Center

What steps should brands consider to become GDPR ready?

We suggest these 5 steps to get started with GDPR-readiness. 

1. Inventory your digital properties, including mobile apps and websites, to assess which cookies, tags, or other data are necessary.

2. Map your consumer’s journey and tell your privacy story through meaningful notices and choices.

3. Develop a consent management strategy with an eye towards the consumer experience.

4. Determine how you will authenticate user identity to address data subject requests.

5. Identify and capitalize on existing processes to help respond to data subject requests.

My business is headquartered outside of Europe, does GDPR apply to us?

Potentially. If you market products or services to individuals in the EU and you collect personal data, then GDPR may impact your business. GDPR is not only applicable to companies based in Europe. GDPR could apply to any company, even those located outside of Europe, if it offers goods and services or markets to individuals in the EU.

What is the role of Adobe as a data processor?

As a data processor, Adobe provides software and services to an enterprise, like yours, for the personal data you ask us to process and store. We only process personal data in accordance with your company’s instructions as set out in your agreement with us. If your consumers’ data is in an Adobe solution and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services, and tools to help you respond.

Do marketers need to get all new consents for their marketing database?

GDPR changes how brands obtain consent and may require some consents to be refreshed or updated. For instance, if a brand’s current consent practices meet or exceed the obligations outlined by GDPR then no changes to consent may be needed. However, if a brand’s consent practices fall short of the enhanced obligations, then those consents should be reevaluated and modernized.

What is my role as a data controller?

As the data controller, you determine the personal data that Adobe processes and stores on your behalf. If you use Adobe Cloud solutions, we may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe account or service. As a data controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If at some point during the consumer lifecycle those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will need to have mechanisms in place to respond to those requests.

How should data controllers think about consent when it comes to user engagement?

The consent management space (e.g., tools, standards, best practices) is evolving, and is an area to watch. To minimize impact on user engagement, controllers should work with vendors in this space and with their counsel, and follow emerging EU laws and guidance on consent and cookies. Thinking about “experiential privacy” by using an on-brand, contextually relevant, cookie-notice experience that sets out the value proposition of your data collection activities is a good strategy.

Does GDPR dictate that data must stay in Europe?

No. GDPR requires that the privacy protections afforded to European data flow with it wherever is transferred or accessed. Visit the Adobe Privacy center to learn more about how Adobe addresses data transfers when you use Adobe Cloud Solutions.

Do marketers need consent for everything?

Marketers don’t necessarily need consent for everything and this will depend on the nature of the data collection practices. There is some scope to rely on other bases for processing, like legitimate interest, for certain marketing activities. Companies should work with their counsel to explore the best approach to support their marketing initiatives.