25th May 2018 heralds the introduction of the General Data Protection Regulation (GDPR) into British law. This EU regulation is designed to change the way that we treat data and to simplify data protection for EU citizens. It applies to any data that belongs to EU citizens – even if it’s being processed outside of the EU – so its effects are far-reaching. Every organisation in the UK that collects and processes the data of EU citizens (i.e. pretty much every marketer) needs to be ready for the implementation of the GDPR this year. And if you’re not? Well, the GDPR has introduced more stringent penalties too – the worst of which is a fine of €20 million or 4% of global annual turnover, a jaw-dropping amount.
Who is likely to be affected by the GDPR?
Everyone. It’s just not worth avoiding changes to the way that your business handles data, because all the indications are that the Information Commissioner’s Office (ICO) is going to be fairly enthusiastic about enforcing the new power that the GDPR delivers to it. Some examples of the ways that those in the marketing industry might feel the impact of the GDPR include:
- Anyone involved in email marketing – new systems are required for email contact as a result of the GDPR
- Those using marketing automation systems – automated emails that go to people who have opted out of receiving them could be troublesome
- PR teams – the GDPR requires consent to send out press releases, for example
What are the key parts of the GDPR for marketers?
If you’ve spent the last couple of years sending out marketing communications to anyone you can get contact details for then you need to make some immediate changes. The GDPR introduces a much tougher context for consent. From May onwards it will need to be “freely given, specific, informed, and unambiguous.” It also needs to be given via an affirmative action. That means that pre-ticked consent boxes are no longer an option for anyone. You also won’t be able to infer consent from inactivity. In short, it’s now going to be crucial to be able to show that someone has agreed that their data can be collected and used – and exactly when they agreed to it.
2. The Right To Be Forgotten
As the GDPR has been designed to give EU citizens more control over their data it confers a right for an individual to have all the data your business might hold on them deleted. That doesn’t mean keeping the data in a database and marking it as “do not contact,” it means carrying out a full deletion. Consent can be withdrawn by individuals at any time and they are also able to make requests (called a “Subject Access Request”) to see what data your business holds on them.
3. The legal basis for collecting data – and how long it is held
Many businesses have fallen into the trap of just collecting data as widely as possible – all the data. Sometimes there’s no real reason for this and it may just sit in a database unused for a long period of time for no good reason. With the GDPR it’s now necessary to have a good reason to collect data in the first place – and to delete it if that reason no longer applies. So, data housekeeping is now much more of a priority and should be integrated into internal data protection and management processes. Gone are the days when you could just hoard data too – it’s important to dispose of the data you no longer need as soon as that’s the case.
4. What about direct mail?
According to the ICO charities FAQs about the GDPR “you won’t need consent for postal marketing.” So, it looks as though direct mail will be one marketing method that doesn’t have to conform to the GDPR’s complex rules on consent. The ICO goes on to say “you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.” So, if you’re looking for ways to maximise your marketing reach this year then print could be a GDPR friendly solution – this is something that we at Aquatint can help with. Contact a member of the team to find out more.
This guide doesn’t constitute legal advice on the GDPR and should not be relied upon as such. If you require legal advice you will need to speak to a legal advisor about your specific situation.