Unless you’ve been living on the International Space Station these last few months, GDPR will definitely be somewhere on your radar. Actually, even if you have been on the ISS, you can’t have missed the mass of information about it.
But as a marketer, how much do you need to know?
Over the last couple of years, much of the hype has been focused around the IT requirements of GDPR, due to heightened concerns about data security and unauthorised access to personal data by hackers. In this regard GDPR sets out to enforce best practice in securing data using tools such as encryption and complex passwords.
However, as marketers have woken up to the implications of GDPR in their day-to-day roles, they’re realising that it’s also very much about whether they can use the data held by their organisations for marketing purposes, to help them achieve their objectives.
And there are some worrying questions.
Before we get on to those and how to deal with them, let’s run through a summary of the key points of GDPR.
What is GDPR?
In the UK, the Information Commissioner’s Office (ICO) is the body responsible for policing GDPR (General Data Protection Regulation). GDPR’s purpose is to modernise, unify and strengthen data protection and privacy laws for individuals across the EU.
It will come into full effect on 25 May 2018 and will replace the 1995 Data Protection Directive, the Privacy and Electronic Communications Regulations (PECR) and the Telephone Preference Service (TPS).
Why is GDPR happening?
The Data Protection Directive, PECR and TPS are all outdated and unfit for purpose, because they were introduced decades ago, long before the evolution of many of the technologies now used by organisations to capture, store and manage personal data.
Additionally, as the EU expanded, the old regulations became impossible to manage, implement and enforce effectively across multiple countries.
When does GDPR come into force?
Regardless of when Brexit rules come into play, GDPR will be set in stone as UK law on 25 May 2018. However, the final details are still evolving on an almost daily basis.
So, it’s vital you keep on top of the latest information.
What steps must marketers take?
At the time of writing, there are still a lot of grey areas which are subject to multiple interpretations.
Even the legal experts we speak to are unwilling to commit to black and white answers on a number of points.
The result can be unnerving and confusing, but the core facts are known and must be prepared for. So what follows is intended as a helpful guide only. Our advice is to consult your own legal counsel on the facts as they apply to your organisation.
1. Don’t panic
It is easy to underestimate the importance of GDPR – yet at the same time it’s important to remember that much of what is contained in the regulation is common sense. It’s about doing what is right and fair, and indeed much of the regulation is about turning into law what many organisations have already adopted as best practice.
2. Ensure data is held securely
The first issue for marketers is also an IT issue. Personal data held in any form must be stored securely. If personal data is lost or stolen, organisations could face a fine of up to the greater of €20m or 4% of total worldwide annual turnover. Compare this with the current maximum sanction of £500,000 and the emphasis on keeping data secure is clear. What’s more, organisations now have a legal duty to disclose a data loss or breach to the ICO.
3. Define personal data
Personal data is defined as any information relating to an identifiable individual, whether in a business or personal context. So yes, a business email address is considered ‘personal’. GDPR affects all organisations that hold personal data, from big brands to SMEs, charities and the civil service.
4. Cleanse your existing personal data
What obsolete information do you hold that you can delete? For the purposes of GDPR, data collected in the recent past (say the last 2 – 3 years) and which you have consent to use can legitimately be considered ‘current’. Any other data that you don’t have permission to use should be deleted.
5. Map your data
If your marketing team, department or manager keeps target, prospect, customer or any other personal data in files, spreadsheets, drives, CRM systems – anywhere, either electronic or paper – then the way you store, manage and use that data is affected. Ensure you know who has access to what, the format it is stored in and that it is stored securely. Also document your legal reason for holding the information.
6. Review and update your processes and policies
7. Review and document “consent”
In most cases, GDPR requires organisations to have “consent” from individuals for the use of their personal data. Whereas previously the onus was on contacts ‘opting out’ of receiving marketing communications, the onus is now reversed and proof of ‘opt-in’ consent is required. For example, a website contact form tick-box must not be pre-ticked.
If you’re responsible for marketing for your organisation, you should:
- Review the personal data you hold and identify whether you have consent for marketing. If you’ve already segmented your data properly this shouldn’t be an onerous task.
- Reconnect with individuals whose personal details you currently hold, and encourage them to ‘opt-in’ to receiving future communications from you.
- Maintain a written statement that describes how personal data on clients, leads and contacts is stored, secured and used. It should include at minimum a clear record of:
  - What contacts have consented to
  - The date and method of consent
  - What information was provided to the person consenting, including how their details will be used.
It’s important to note that verbal consent alone is not sufficient.
8. Establish your definitions of “legitimate interest”
The question on every marketer’s mind is about whether the data they currently hold will be usable once GDPR kicks in, or whether the new rules will effectively render it useless.
We have been asked by numerous organisations about whether in a post-GDPR world they will still be able to use their CRM database contacts for direct marketing, out of fear that they won’t be legally entitled to contact their own customers.
The answer, rather unhelpfully, is that ‘it depends’.
Current ICO guidance allows for direct marketing in cases of “legitimate interest”. Whether the organisation does indeed have a legitimate interest in using its CRM data for marketing largely depends on whether the target individual has a legitimate interest in receiving it.
To arrive at the answer, organisations are advised to conduct what’s known as a ‘balancing test’; in other words, to weigh up their business interest in using the data against the rights and interests of the individual. Ask yourself a few questions:
- Is the contact a current customer? If “yes”, then you can probably reasonably contact them for business reasons. If not, and the contact is perhaps someone you sent a proposal to 5 years ago, the interest is less legitimate.
- Why are we contacting the individual? Is it a sales approach to ‘upsell’ a service or an important product communication requiring action, such as a faulty component or expiry of a support agreement?
- What is the source of the contact data? If you collected the data via your website because someone signed up to a newsletter, you may have consent to re-contact the person. If you picked up a business card at a conference, probably not.
On this last point, it’s common for data to be purchased from third-party organisations. If you have sourced data from a ‘data broker’ or ‘data provider’, you are advised to check with that provider that the data complies with the requirements of GDPR.
9. Identify who is responsible for what
GDPR identifies the “data controller” as the person or organisation that controls the data you collect and determines what happens to that data. The “data processor” is anyone (with the exception of an employee of the data controller) who processes personal data on behalf of the data controller.
10. Establish a data breach process
You MUST notify the ICO of a data breach if it is “likely to risk the freedoms and rights of individuals”. Left unaddressed, such a breach could have a significant detrimental effect on those individuals, including discrimination, social disadvantage, financial loss, reputational damage and loss of confidentiality.
If made public, the breach could also adversely affect your brand name, resulting in potentially catastrophic effects for your business.
The breach must be reported within 72 hours of your organisation being aware of it. GDPR doesn’t expect you to investigate the breach fully within this time and allows you to supply information in stages. The ICO will require you to confirm the following details:
- What has happened
- The likely consequences and risks
- Who will be affected
- What process you have in place to rectify this
It’s at this point that you’ll need to show that you properly discharged your duty of care to safeguard the data in your possession. If you cannot show this, consequences are likely to follow.
Do you want help with implementing GDPR-compliant marketing practices? Talk to C4B Media on 01763 877110.
You may also find the following resources useful: