Personal data is at the heart of marketing campaigns. Organisations need people’s information to advertise their products and analyse their campaigns’ success, and they go to great lengths to collect and process this data.
But on 25 May 2018, the EU General Data Protection Regulation (GDPR) takes effect, enforcing stricter data privacy rules and enhancing individuals’ rights and freedoms concerning their personal data. This will lead to wholesale changes to the way marketers operate. With only a few months until the Regulation is applied, organisations should be in the final stages of their compliance process. However, if you’re not ready, the most important things you need to consider are described here.
When it comes to email marketing, consent has been an ambiguous topic for a long time, but the GDPR is introducing strict rules. Consent must be given using a “clear, affirmative action”, which nullifies opt-out consent, such as pre-ticked boxes, and must meet a number of other requirements.
However, consent is only one of six lawful grounds for processing personal data, and it’s generally the least preferable option. Marketing departments might be able to justify legitimate interests (see below), and should always do so whenever possible.
Marketers also need to be aware that consent can only be considered valid for a set length of time. Someone consenting to data collection at some point in the past doesn’t necessarily mean they are still happy to have their data collected. Therefore, marketers should ask individuals to ‘re-consent’ on a regular basis – typically every two years.
Handling personal data
The Regulation states that organisations should only collect data for a specific purpose, use it only for that purpose and keep it only for as long as required for that purpose.
This will be a major adjustment for many marketers, as it’s been common practice to amass as much data as possible and repurpose it for needs as they arise. For example, an organisation might get a person’s email address after they’ve entered a contest, and then use that email address to send follow-up emails about unrelated products and services.
Under the GDPR, marketers would need to re-establish consent (or another lawful basis) to use an individual’s personal data for a different purpose.
The good news is that the Regulation states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” However, marketers always need to balance their own rights against the consumers’, and the GDPR makes clear that individuals should be protected as much as possible.
The Regulation adds: “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her.”
So, when can you claim legitimate interest? Marketing Week advises: “[P]ersonal data for direct marketing will probably only be a legitimate interest if it’s absolutely necessary to do it and consumers expect to be contacted, having given over their details.”
Make sure data is accessible
Individuals’ personal data and records of their consent must be accessible in case they need to be reviewed or erased. If a customer exercises their right to access, right to be forgotten or right to object, the organisation must be able to get hold of their information promptly.
Make sure data is secure
Companies that store personal data have a duty to make sure it’s kept accurate and secure. Not only is this an obligation to customers, it is, as Software Advisory Service writes, “good business practice, as nowadays consumers are very safety conscious about who stores their information. You will gain more business if you can assuage these fears.”
It adds: “You can do this by educating customers about how you are treating your data. Because of this transparency, you should be able to build a sense of trust with shoppers.”
For more advice on preparing for the Regulation, read EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide provides an essential introduction to the Regulation and organisations’ compliance obligations for handling data.
You might also be interested in our free green paper: EU General Data Protection Regulation – A Compliance Guide.