GDPR (General Data Protection Regulation) will be enforced from May 2018. What does this mean? What impact will it have on marketers?
Data forms the foundation of the online world.
For web users and consumers, personal data acts as currency - sharing it gives access to numerous services and content. For marketers, data is key to running successful campaigns; it helps us recognise site visitors, target the right people with the right content and much more. And, crucially, it’s our responsibility to use and store the data we’re given responsibly.
73% of people agree that in the internet age, you have to provide personal information in order to buy things. - DMA
However, the legislation around data use is changing - from 25th May 2018 the General Data Protection Regulation (GDPR) will be enforced across the EU. But what does this actually mean? How will it impact the way we all - marketers and consumers alike - consider data? And what can organisations do now to prepare for next year’s changes?
The GDPR was adopted in April 2016 and, after a two-year transition period, applies from 25th May 2018. It replaces the 1995 Data Protection Directive (95/46/EC) and modernises data regulation to reflect how businesses collect and use data today.
Essentially, GDPR replaces the current patchwork of national laws implementing the 1995 directive with a single regulation that applies directly across the EU, setting out rules on data handling and compliance. Designed to strengthen individuals’ rights and create better transparency and control, it will ensure web users are aware of (and can control) the personal data they share with companies.
As defined in the regulation, ‘personal data’ is any information relating to an identified or identifiable individual (the ‘data subject’), whether that identification is direct or indirect. This means that a name, an email address, an IP address, a photo, an online identifier and much more are all included.
6 top-level areas that GDPR covers are:
GDPR legislation will be mandatory across the EU from 25th May 2018. Of course, once Brexit has been finalised, the UK will no longer be a part of the European Union - however, this does not mean that UK marketers can ignore GDPR.
In fact, as GDPR applies to any organisation that processes the personal data of people in the EU, regardless of where that organisation is based, marketers worldwide will need to prepare for GDPR if they handle any EU data.
The GDPR will apply in the UK from 25th May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. - ico.org.uk
A few of the (many!) things that marketers should consider include:
One of the most impactful changes for B2C (personal) data is that ‘implied consent’ no longer counts (the ‘soft opt-in’ for existing customers is a rule from the separate PECR regulations on electronic marketing, not a GDPR basis, and it is no substitute for consent). Under GDPR, consent must be freely given, specific, informed and unambiguous, and shown by a clear affirmative action: pre-ticked boxes, inactivity or silence do not qualify. Companies must be able to prove that an individual actively opted in to communications, for example by ticking a box that was unticked by default, and didn’t just fall onto the list by default. That means recording what was consented to, when, how and with what wording. ‘Double opt-in’, where the tick is followed by a ‘click to confirm’ email, is best practice because it also proves the address belongs to the person who ticked the box.
However, for corporate or business contacts, ‘implied consent’ still lets marketers email someone, so long as that person had a clear chance to opt out at the time of purchase (or conversion, such as a form completion) and is offered an opt-out in every subsequent message.
Unless you’re confident your database contains no personal data (e.g. email addresses or phone numbers), our recommendation is to treat it as in scope and remain as compliant as possible.
So, opt-in is compulsory for B2C data. However, two lawful bases are commonly put forward for direct marketing under GDPR. The first is consent, where a business gathers opt-ins from every B2C contact (as above); this is considered best practice because it is the clearest to evidence. The second is legitimate interests, where, as quoted from the DMA, “If a business decides to use the legitimate interest precedent for their direct marketing, then it will be able to send email marketing on an unsubscribe/opt-out basis”. Note that this isn’t a route to ‘get around’ GDPR. All other aspects of GDPR must be met, the balancing test must be carried out and recorded, and, if challenged, proving ‘legitimate interest’ (read: relevant, appropriate and within the individual’s reasonable expectations) may be harder to do legally.
“As consent guidance under the GDPR becomes more strenuous, we predict that there will be a move towards legitimate interests as an alternative legal basis to process people’s data. This involves balancing legitimate business data use against an individual’s privacy to see which side is “heavier” ... the pursuit of this legitimate business interest is in the interests of the “wider community” as it allows it to receive less waste, more relevant marketing as well as free content.” - Acxiom UK
With opt-in becoming a mandatory requirement, marketers must ensure any on-site forms (current and future) are made compliant. Compliance of course extends beyond the option to opt-in - forms must be deployed and hosted in a way that complies with GDPR.
For many marketers, third-party tools and marketing technology providers (marketing automation platforms, CRMs etc.) form much of their data ecosystem. In this case, it’s important that marketers check that their tech suppliers are ready for GDPR compliance, with measures in place to store, process and integrate data appropriately, and that a data processing agreement is in place with each of them. Before the May 2018 deadline, it’s wise for marketers to:
Considering events, opt-in consent requirements mean marketers will no longer be able to add event attendee lists to a campaign - you would need to show evidence for opt-in, such as an opt-in from your stand, or a follow-up email post-event.
Under the right to erasure (the ‘right to be forgotten’) and the right to object to direct marketing, anyone can require you to stop contacting them and to delete their details. This may affect the way you manage your CRM: a record flagged ‘do not contact’ that still carries a full profile is not erasure. The usual approach is to delete the personal details and keep only a minimal suppression entry so the person is not re-added later; that entry is still personal data and should be limited to what is needed to honour the objection. It’s also worth checking tech stack integrations to ensure that, when requested, data is removed from all related databases and platforms, not just the system that received the request.
In situations like creating a new contact record, or adding or integrating contacts provided by a third party into a database, opt-in compliance is again imperative. Managing this across every entry point (importing contacts from a spreadsheet, adding a contact from a business card, syncing Sales Navigator contacts with your CRM) may be the most complex part of compliance here: each path needs to check for consent, and for previous opt-outs, before the record is created.
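The consent-evidence, erasure and import points above, as an added example that is not part of the original post: a small Python consent store in which an opt-in tick is recorded together with the wording and form version shown, an HMAC-signed ‘click to confirm’ token completes the double opt-in, and erasure deletes the record while keeping only a hash of the address so that import paths (spreadsheet, business card, CRM sync) can refuse to re-add the contact. The class and field names, the token format and the 48-hour link expiry are assumptions made for the example, not anything the post or a particular platform specifies.

```python
"""Double opt-in with an auditable consent record, plus erasure that leaves
only a pseudonymised suppression entry. Added example, not code from the
original post; field names, token format and expiry are assumptions."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    """The evidence you would need to show: who consented, to what, when and how."""
    email: str
    purpose: str                        # e.g. "newsletter"
    wording: str                        # exact consent text shown on the form
    form_id: str                        # which version of the form showed it
    source_ip: str
    requested_at: int                   # unix time of the opt-in tick
    confirmed_at: Optional[int] = None  # set only by the click-to-confirm step


class ConsentStore:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._records = {}      # (email, purpose) -> ConsentRecord
        self._suppressed = set()  # sha256 of erased addresses; no plaintext kept

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _fingerprint(self, email: str) -> str:
        return hashlib.sha256(self._norm(email).encode()).hexdigest()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def request_consent(self, email, purpose, wording, form_id, source_ip,
                        box_prechecked: bool, box_ticked_by_user: bool, now=None) -> str:
        """Step 1: record the affirmative act and issue a signed confirmation token."""
        now = int(time.time()) if now is None else int(now)
        if box_prechecked or not box_ticked_by_user:
            raise ValueError("no affirmative act: a pre-ticked or unticked box is not consent")
        email = self._norm(email)
        self._records[(email, purpose)] = ConsentRecord(
            email, purpose, wording, form_id, source_ip, now)
        # A fresh request made by the person themselves lifts an earlier suppression.
        self._suppressed.discard(self._fingerprint(email))
        payload = json.dumps({"e": email, "p": purpose, "t": now},
                             sort_keys=True, separators=(",", ":")).encode()
        return payload.hex() + "." + self._sign(payload)

    def confirm(self, token: str, now=None) -> bool:
        """Step 2: the link in the confirmation email. Rejects forged, tampered or stale tokens."""
        now = int(time.time()) if now is None else int(now)
        try:
            payload_hex, mac = token.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._sign(payload)):
            return False
        data = json.loads(payload)
        if now - data["t"] > TOKEN_TTL_SECONDS:
            return False
        rec = self._records.get((data["e"], data["p"]))
        if rec is None or rec.requested_at != data["t"]:
            return False  # record erased, or token belongs to an older request
        if rec.confirmed_at is None:
            rec.confirmed_at = now
        return True

    def may_email(self, email: str, purpose: str) -> bool:
        """The only question the sending code should ask before a campaign."""
        rec = self._records.get((self._norm(email), purpose))
        return rec is not None and rec.confirmed_at is not None

    def is_suppressed(self, email: str) -> bool:
        """For import paths (spreadsheets, business cards, CRM sync): never re-add an erased contact."""
        return self._fingerprint(email) in self._suppressed

    def erase(self, email: str) -> int:
        """Right to erasure / objection: drop every record for the address, keep only its hash."""
        email = self._norm(email)
        keys = [k for k in self._records if k[0] == email]
        for k in keys:
            del self._records[k]
        self._suppressed.add(self._fingerprint(email))
        return len(keys)

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you hand over when asked to prove the opt-in."""
        rec = self._records.get((self._norm(email), purpose))
        return None if rec is None else asdict(rec)
```

The sending code only ever calls `may_email`, so an unconfirmed tick, a tampered or expired link, or an erased contact all fail closed; the import paths call `is_suppressed` before creating a record. Note that a hashed address is pseudonymised rather than anonymised, so the suppression set is still personal data and should be treated as such.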
The penalties for non-compliance with GDPR are significant: up to €20 million, or 4% of an organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher.
With less than a year to go until GDPR applies, what must organisations that process personal data do to prepare and transition?
As an inbound marketing agency, our advice is always to be as transparent as possible with consumer data to build more relevant, valued relationships with your customers and consumers.
Marketing shouldn’t be pushy or mysterious for consumers. If a consumer understands why they’re opting into your messaging - and can see the value they’ll gain, that’s a true, trustful relationship to have and should be the default. GDPR should help to contribute to that; ensuring data protection, trust and proven value through best practice and transparency.
Disclaimer: This blog post should not be used as a complete guide to EU data privacy nor as legal advice for your company to use in complying with EU data privacy laws like the GDPR. This post is for informational purposes only; you should not rely on it as legal advice or as a recommendation of any particular legal interpretation.