GDPR (General Data Protection Regulation) will be enforced from May 2018. What does this mean? What impact will it have on marketers?
What is GDPR? Why Do Marketers Need To Be Aware?
Data forms the foundation of the online world.
For web users and consumers, personal data acts as currency - sharing it gives access to numerous services and content. For marketers, data is key to running successful campaigns; it helps us recognise site visitors, target the right people with the right content and much more. And, crucially, it’s our responsibility to use and store the data we’re given responsibly.
73% of people agree that in the internet age, you have to provide personal information in order to buy things. - DMA
However, the legislation around data use is changing - from 25th May 2018 the General Data Protection Regulation (GDPR) will be enforced across the EU. But what does this actually mean? How will it impact the way we all - marketers and consumers alike - consider data? And what can organisations do now to prepare for next year’s changes?
GDPR legislation around data privacy and protection was adopted in April 2016 - and will officially be enforced from the 25th May 2018, building on the 1995 data protection directive and modernising data regulation to reflect how businesses use and collect data today.
Essentially, GDPR is about standardising (currently mixed) EU data directives, to provide best practice regulations on data handling and compliance. Designed to strengthen individual’s rights and create better transparency and control, it will ensure web users are aware of (and can control) the personal data they share with companies.
Answering Your GDPR Questions
What data will be affected by GDPR?
As defined by the EU, ‘personal data’ includes any information that can be used to directly or indirectly identify an individual (or ‘data subject’). This means that everything from an email address, to a name, IP address photo and more are included.
What areas will GDPR legislation cover?
6 top-level areas that GDPR covers are:
Right to access: Under GDPR, data controllers (companies that hold personal data) must be able to provide (for free) a copy of an individual’s data if requested. Individuals may find out what personal data of theirs is being processed, where and why.
Right to erasure: The ‘right to be forgotten’ allows individuals to request that a data controller deletes their personal data; preventing them and related third parties from accessing or processing their information.
Data portability: Under GDPR, individuals will be able to request access to their data ‘in an electronic format’, which they can transfer to another data controller (such as when switching service providers).
Data breach notification: This means customers and data controllers must be notified of data breaches (leaks, hacks, or lost data - such as information on a lost USB stick) within 72 hours.
Privacy by design: Data compliance and data protection must now be considered from the start when designing new systems. Organisational and technical processes must be considered to ensure personal data is secure and that only data that is ‘absolutely necessary for the completion of duties’ is held.
Data protection officers: Public companies, or companies whose main activities involve data processing and monitoring will now need to appoint a data protection officer rather than notifying local Data Protection Authorities of their activities.
Does this affect non-EU marketers? What impact will Brexit have on GDPR?
GDPR legislation will be mandatory across the EU from 25th May 2018. Of course, once Brexit has been finalised, the UK will no longer be a part of the European Union - however, this does not mean that UK marketers can ignore GDPR.
In fact, as GDPR will affect any company that handles EU citizen’s data, regardless of where that company is, marketers worldwide will need to prepare for GDPR if they manage any EU data.
The GDPR will apply in the UK from 25th May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. - ico.org.uk
In what ways will this impact B2B digital marketing/sales?
A few of the (many!) things that marketers should consider includes:
One of the most impactful areas to note is that ‘implied consent’ or ‘soft opt-in’ will no longer be an option. Currently (pre GDPR), ‘implied consent’ means marketers are able to email someone, so long as that person had the option to opt-out of emails at the time of purchase (or conversion - such as for form completions). Yet, under GDPR consent must be explicit. Companies must be able to provide proof that an individual elected to opt-in to communications and didn't just fall onto the list by default - such as checking an unchecked ‘opt-in’ box on a form. ‘Double opt-in’ would also be best practice; where opt-in is followed up with a ‘click to confirm’ email.
Marketing with ‘Legitimate interest’
So, opt-in is compulsory. However, there are considered to be two perspectives on GDPR opt-in. The first is consent, where a business must gather opt-ins from every contact (as above). This is considered best practice as it guarantees compliance. The second perspective is legitimate interest, where, as quoted from the DMA, “If a business decides to use the legitimate interest precedent for their direct marketing, then it will be able to send email marketing on an unsubscribe/opt-out basis”. Note that this isn’t a route to ‘get around’ GDPR. All other aspects of GDPR must be met, and if challenged, proving ‘legitimate interest’ (read: relevant and appropriate) may be harder to do legally.
As consent guidance under the GDPR becomes more strenuous, we predict that there will be a move towards legitimate interests as an alternative legal basis to process people’s data. This involves balancing legitimate business data use against an individual’s privacy to see which side is “heavier”...`the pursuit of this legitimate business interest is in the interests of the “wider community” as it allows it to receive less waste, more relevant marketing as well as free content. - Acxiom UK
Data capture fields and forms
With opt-in becoming a mandatory requirement, marketers must ensure any on-site forms (current and future) are made compliant. Compliance of course extends beyond the option to opt-in - forms must be deployed and hosted in a way that complies with GDPR.
Third party compliance
For many marketers, third party tools and marketing technology providers (i.e. marketing automation platforms, CRMs etc) form much of their data ecosystem. In this case, it’s important that marketers check that their tech suppliers are ready and prepared for GDPR compliance, with measures in place to store and process, and integrate data appropriately. Before the May 2018 deadline, it’s wise for marketers to:
Ask suppliers to detail how they will store/process data to ensure GDPR compliancy.
Ensure there is a point of contact from each side, plus a process in place to manage any data breaches. Both sides must be able to respond quickly to manage, react and respond in compliance with ‘Data breach notification’ legislation.
Make sure to only collect data that that is necessary, or falls under a ‘legitimate interest’.
Be sure it’s possible to delete data should you stop using a service, and that you can download your own data when requested.
Considering events, opt-in consent requirements mean marketers will no longer be able to add event attendee lists to a campaign - you would need to show evidence for opt-in, such as an opt-in from your stand, or a follow-up email post-event.
Under the ‘right to be forgotten’, as everybody has the right to opt-out, this may affect the way you manage your CRM; for example you would no longer be able to mark someone as ‘do not contact’ - personal details would have to be deleted. It’s also worth checking tech stack integrations to ensure that when requested, data can be removed from all related databases and platforms.
In situations like new contact data record creation, or where contacts provided by a third party are being added or integrated into a database, opt-in compliance is again imperative. Managing and handling this across multiple areas (importing contacts from a spreadsheet, adding a contact from a business card, integrating Sales Navigator contacts with your CRM) may be the most complex part of compliance here.
What are the penalties for non-compliance?
The penalties for non-compliance with GDPR are set to be significant and could be up to €20 million, or 4% of an organisation’s annual turnover - whichever is greater.
Tips to prepare for GDPR
With less than a year to go until GDPR is mandatory, what must organisations (who process personal data) do to prepare and transition
Raise internal awareness. Make sure that key stakeholders and decision makers in your organisation are aware of the upcoming changes, deadlines and implications of GDPR.
Audit and document your data. Know what personal data your organisation holds/processes, identify where it came from and who you share it with.
Review privacy communications. Review current privacy notices and set plans for any required changes.
Account for individual’s rights. Make sure you have procedures in place that address all the rights that individuals have, from how you would delete personal data to providing data electronically if requested.
Identify your legal basis for processing personal data. Review the types of data processing you conduct, identify your legal basis for doing so - and document it.
Subject access requests. Update your procedures and identify how you will handle requests in future.
Put contingency plans in place. You need to be prepared to detect, manage and report on and investigate any personal data breaches.
Consider how you obtain consent. How do you currently obtain and record consent? Do you need to amend any processes?
Consider age verification as well as consent. Systems must be established to verify individual’s ages and to gain parental/guardian’s consent for data processing where children are concerned.
Assign a Data Protection Officer. Companies who process vast quantities of personal data, or process large scale ‘special categories’ of data (sensitive data, such as race or religion) must designate a DPO to take responsibilities for data protection compliance.
Consider international implications. If you’re part of an international organisation, determine which data protection supervisory authority you fall under.
Data Protection Impact Assessments. Make sure your organisation is familiar with ICO guidance on Privacy Impact Assessments and plan how to implement them.
Ultimately GDPR is About More Relevant Marketing and Greater Transparency
As an inbound marketing agency, our advice is always to be as transparent as possible with consumer data to build more relevant, valued relationships with your customers and consumers.
Marketing shouldn’t be pushy or mysterious for consumers. If a consumer understands why they’re opting into your messaging - and can see the value they’ll gain, that’s a true, trustful relationship to have and should be the default. GDPR should help to contribute to that; ensuring data protection, trust and proven value through best practice and transparency.
Disclaimer: This blog post should not be used as a complete guide to EU data privacy nor as legal advice for your company to use in complying with EU data privacy laws like the GDPR. This post is for informative purposed only - you should not rely on it as legal advice or recommendation of any particular legal understanding.