Data is at the heart of marketing campaigns. Organisations need people’s information to target their products and analyse how best to do this. This is why marketers ask for personal details when customers use their services or download their products. Data is so important that marketers run promotional campaigns and competitions with the specific aim of gaining more personal information.
The EU General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, will change the rules for collecting personal data. It puts the consumer in charge of their data, emphasising the importance of data protection, enforcing stricter data privacy rules and strengthening consent requirements.
Many marketers aren’t prepared for the Regulation. A survey by the Direct Marketing Association found that only 54% of respondents expected to be compliant with the GDPR by the time it takes effect.
To help achieve compliance with the GDPR, here are some of the most important things marketers need to consider.
Review existing processes
Although the GDPR introduces new requirements and strengthens existing ones, its concepts and principles are much the same as those in current data protection laws. If you comply with current laws, you will have a starting point to build from.
To help start your compliance programme, compare the Regulation’s requirements with your current measures. Areas of significant change include subject access rights, data breach notifications and the need for qualified staff.
Handling personal data
The Regulation emphasises that organisations should not process or retain extraneous personal data. This means that data should only be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose.
The Bunker claims that “this completely changes the way [marketers] think about handling data” because it’s common practice to amass as much data as possible and repurpose it for needs as they arise. For example, an organisation that gains people’s email addresses after they’ve entered a contest will often send a follow-up email advertising its products.
Under the GDPR, marketers would need to re-establish consent (or another lawful basis) to use an individual’s email address or any other personal data for another purpose.
The good news is that the Regulation states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” However, marketers always need to balance their own rights against consumers’, and the Regulation makes it clear that individuals should be protected as much as possible. The Regulation adds: “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her.”
As Marketing Week writes, “personal data will probably only be a legitimate interest if it’s absolutely necessary to do it and consumers expect to be contacted, having given over their details.” Jason Cromack, executive director of MyLife Digital, says that charities are a good example of when this would be appropriate. “[E]ven though you might only talk to them once every six years it doesn’t mean you don’t support them”.
Make sure your staff are prepared
Although you probably have a team preparing your organisation for the GDPR, everyone in your organisation who handles personal data also needs to know their obligations. It only takes one employee mishandling personal data for your organisation to be in breach of the Regulation and to face enforcement action.
Staff awareness training should be an essential component of your GDPR compliance framework. Our GDPR Staff Awareness E-learning Course provides an introduction to the GDPR, outlines the six principles for collecting and processing personal data and gives advice on how to apply these principles.