The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and its implications for marketing are significant and far-reaching.
A key objective of GDPR is to help put an end to the practice by unscrupulous companies of exploiting personal data for marketing purposes. In short, it puts the power over personal data back in the hands of the individual.
The legislation will have a significant impact on the way marketers approach their work and how they obtain, store, manage or process the personal data of EU citizens.
The four critical areas in which GDPR will affect marketing are:
GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’. This means that you can’t assume consent based on ‘inactivity’, and you are not permitted to have a pre-ticked box or an opt-out box as consent for use of personal data.
In practice, this means that clients or customers need to actively confirm that they want to be contacted by opting in to receive communications, and they need to be informed about their right to withdraw consent.
Impact on existing databases
A question that frequently arises with GDPR is whether a marketer needs to get fresh consents from individuals on existing databases.
There are several instances in which you may not need to request fresh consent from your existing database. If a marketer can demonstrate a lawful ground for processing the data – such as performance of a contract, a legal obligation, vital interests, public interest or legitimate interests (refer to Article 6.1 of the Regulation) – then they can rely on that ground rather than on consent to process the data.
However, in most cases marketing communications will not meet the conditions for one of those lawful grounds, so explicit consent will be required from your existing database as well as for any new data. Remember: when in doubt, request consent.
The introduction of GDPR gives an individual more control over how their data is collected and used. As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.
Practically speaking, this can be as straightforward as including an unsubscribe link within all email marketing communications and providing a link that allows users to manage their email preferences. Marketers should regularly check that the unsubscribe function is working properly.
Subject Access Requests (SAR)
The rules for dealing with subject access requests will change under GDPR. Two main changes are that the timescale for dealing with a request will reduce from the current 40 days to within a month, and that people can request more information than they currently can, such as an organisation’s data retention periods. Marketers should review and update their procedures for handling such requests.
Once data is collected, your organisation needs to ensure it is stored securely, protecting personal data against unauthorised access or processing and against accidental loss, disclosure, destruction or alteration.
When an organisation is collecting data from an individual they must remember that, under GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection (refer to Article 5.1(c) ‘Data Minimisation’). Data collected by the organisation which is deemed unnecessary or excessive will constitute a breach of GDPR.
Always keep in mind that, as an overall principle, you are not allowed to use personal data you have received in any way that would be incompatible with the purpose for which it was collected. Practically speaking, this will necessitate better housekeeping on the part of marketers – and less collection of data for unnecessary or frivolous reasons.
Also, if you plan to transfer or share the data with another company, you will need to ensure you have consent from the person to do so.
Although GDPR does not provide guidelines on retention periods in general, it does state that personal data may be kept only for as long as is necessary to fulfil the purpose for which it was collected. So, in order to comply with the new regulation, each organisation needs to establish, document and implement retention periods that set out how long it will retain an individual’s data and the business justification for holding on to the data for that specified period.
If an individual requests at any time that their data be deleted, the data controller has to comply with that request and confirm the deletion, not only from its own systems but also from the systems of any downstream vendors that were processing that data on behalf of the organisation.
It is important to communicate straight away with any such third-party vendors that process personal data on your behalf, to confirm their compliance, or their plans for compliance, with the regulation, and to ensure that they will cooperate with you on receipt of a SAR.
Opportunities for marketers
GDPR will likely cause temporary difficulties for marketers. However, it can also present a number of opportunities:
Instead of a simple yes or no option when asking customers about their data, you can now provide them with a range of options so that you can find out what they are interested in. Through consent, you can gain insight into each individual’s interests and provide them with the information they want to receive, which will result in far greater engagement.
GDPR requires an organisation to have strong control and tracking of the data it collects. Utilising a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you’re GDPR compliant.
The advantage of having a single platform is that it gives greater opportunity to learn more about your customers, which in turn helps with segmenting your database. Greater segmentation of your database enables you to focus your communications based around specific interests your customers have, rather than sending out more generic communications.
If asked, most people would say they fear that their personal data could be used for unscrupulous purposes. Being transparent about how an individual’s data is treated, and demonstrating that it will be used respectfully and held securely, will strengthen both trust and engagement with your customers.
Simone Kennedy, who works on our risk consulting team, recently penned this article for the Hotel and Catering magazine on the subject.
To find out how we can help you with your data protection requirements contact a member of our Data Protection team.