Getting your marketing GDPR-ready

Posted on: February 23, 2018

Few businesses won’t have heard of the General Data Protection Regulations (GDPR). It is certainly the hot topic online, in the press and at business events. The challenge for many though is understanding the Regulations in the context of their business.

The Regulations, which come into force on 25 May 2018, focus on the use of personal data. They seek to give people greater control over the use of their data, give them the right to move or delete their data and, basically, establish personal data protection as a basic human right of EU-based individuals.

The Regulations have implications for a number of different business operations including HR, IT, Sales, Customer Service and Marketing. In this article we look specifically at the implications of GDPR on Marketing. The points we’ve given don’t constitute legal advice and you should also familiarise yourself with the excellent guidance from the Information Commissioner’s Office (ICO).


Being clear what constitutes Personal Data

“Personal data is any information relating to a living, identified or identifiable natural person”

This could be a person’s name, any information used to identify them (such as an ID number), location data, online identifiers or other factors specific to that person’s identity. So a person’s contact details are definitely included, as is digital information such as IP addresses.


1. Understanding what Personal Data you hold and where

As a starting point, it is important to fully understand what personal data your organisation holds.  From a marketing perspective this is likely to include information on current customers, past customers, prospective customers, contacts/referrers etc.

With the GDPR you will need to demonstrate you are processing data according to its standards. This includes having consent from the individual to use the data for all the purposes you want to use it (more on that in a moment). You are also obliged to tell individuals if data is to be shared with a third party.

It’s worth stressing that, as well as knowing what personal data you hold, your organisation needs to be clear where it’s held.  Is it on the company’s server, in the cloud, on a laptop, USB stick, on a variety of these etc?  The GDPR expects you to be clear on the data’s exact location and demonstrate that you have robust data security measures in place to prevent breaches.

And as this is an EU-focused piece of legislation there are implications if your Data is stored outside of that territory.  If you use Cloud-based systems – CRM, Email Marketing, Website platforms etc, check you know where your Data Server is located in the world. As a starting point, work with your IT specialists to get the clarification you need.


2. Getting consent ahead of May 2018

You will need to be able to demonstrate you have consent from people to use their personal data. That consent needs to be in line with the GDPR’s criteria – in short, it must be “freely given, specific, informed and unambiguous”.

This means you will no longer be able to pull together lists of contacts and send them marketing communications without their consent.  It also means that simply giving people the right to unsubscribe doesn’t give you the permission to contact them.

Going forward people need to actively opt-in to receive your communications. In doing so they need to be able to tick relevant boxes themselves (you can’t pre-tick and ask them to deselect any they’re not interested in).

So be prepared to specify the different marketing communications you plan to send to them (and get their consent for each one). Remember to ensure the opt-in and verification communications are clear and unambiguous.

Then you must record the consent you receive to demonstrate you know the source of every data record that you hold, where it came from and that the consent was “freely given, specific, informed and unambiguous”. Check any CRM or marketing automation software you use supports rather than hinders your GDPR-compliance.

For existing data you hold… it’s likely you will need to seek fresh GDPR-compliant consent to have the permission to keep marketing to those contacts.  Use the opportunity to clean what mailing lists you have so they include only those who genuinely want to engage with you. The sooner you can do this the better – you may want to reach out a couple of times before May in order to check your communication has been seen. Don’t keep bombarding people though.


For new contact data… it’s time to review and update the processes you use to capture details so they are GDPR-friendly from a consent perspective.  Think about any forms on your website, e-newsletter sign-ups, enquiry handling procedures, sales terms and conditions.


3. Updating your Privacy and Cookie Notice

It’s likely that your privacy and cookie policies will also need to be reviewed and updated in line with the GDPR criteria. The ICO has lots of helpful guidance here as well as examples of good and bad privacy notices. At the core of your privacy notice should be a clear communication to people:

  • Who you are
  • What you are going to do with their information (all the different ways you will use their information)
  • Who it will be shared with


4. Secure protection of data

Failure to comply with the GDPR can result in fines of up to 4% of global annual revenue or 20 million Euros – whichever is greater. Misuse of personal data and/or a data breach will be taken very seriously. So, working with your IT specialists, you need to make sure that your systems are resilient and that devices where data is accessible are secure wherever they are used. Don’t forget to bear in mind the security of data that’s accessible through remote working.

You should also review your current crisis management plan (or establish one) to reflect a data misuse or security breach. In doing so, bear in mind the tight timeframes GDPR imposes, for example:

“The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.”



The GDPR rightly wants to meet the demands of the digital world we now live in – where an ever growing volume of data is processed. It does mean that business systems and approaches need to adapt to be more transparent, fair and accountable in the way they handle personal data.

The good news is that, going forward, businesses should experience less wastage with their marketing efforts. Communicating with those who genuinely want to hear from them will make marketing tactics more effective, more efficient and more responsible. It should help to strengthen an organisation’s relationship even more with customers, contacts and followers.

As we mentioned right at the start, the GDPR touches on multiple aspects of a business – not just marketing. To prepare effectively, businesses are wise to create a task-force which reflects the different disciplines that store and process personal data throughout the organisation. Adopting a joined-up approach (ideally led by the business’ Data Protection Controller) will help to achieve compliance by May 25th.

It’s also worth stressing that the GDPR’s application to UK legislation continues to take shape. You can keep up with the latest developments via the ICO’s ‘what’s new’ section.
