With less than a year to go until the biggest change to data legislation in a generation comes into full effect, marketers are still struggling to wrap their heads around the ramifications.
According to a recent poll from the Direct Marketing Association, only 54% of marketing businesses are confident that they will be compliant by the deadline. Nearly a quarter of all UK businesses have halted their preparation for GDPR because of Brexit, according to Crown Records Management (CRM). And nearly half (44%) believe that GDPR will not apply to UK firms after Britain leaves the EU.
Other businesses have come to terms with the importance of GDPR, but are struggling to map this intricate piece of legislation onto their business model.
Rather than getting into the finer detail of the Act, we thought we’d cover some of the overarching principles of GDPR and how they apply to most marketing efforts.
Consent equals proof
Gaining consent for marketing activity is something you should already have built into your marketing practices. The longstanding Data Protection Act (DPA) already outlines the principle of consent. GDPR expands on the concept with clear guidelines.
GDPR states that consent must be freely given, through a ‘clear affirmative act’. This means no more pre-ticked boxes on forms. You must ensure that the information you provide allows the data subject to be fully informed. And where consent is given, you must ensure that it can be easily withdrawn.
The Information Commissioner’s Office has published guidelines specific to consent.
It’s important to understand that consent protects not just the subject (your customer), but the controller (your company). Consent is the clearest form of proof, and proof is at the heart of GDPR, as you will see throughout this post.
GDPR relies on accountability in order to function. Personal data must be accounted for and handled correctly, from the cradle to the grave, and if it isn’t, it should be possible to pinpoint precisely what went wrong.
It’s therefore vital that you document your data processes thoroughly if you are to be GDPR compliant. Again, this comes back to the notion of proof. It is not enough to know that personal data is secure or that informed consent has been acquired. You need to be able to prove it through rigorous documentation and record keeping.
Again, there are residual benefits to ensuring accountability. Stepping up your game in documenting processes not only keeps you on the right side of GDPR; it also helps you understand exactly how you are using, storing and protecting personal data.
Many businesses don’t realise just how frail their processes are until they are put under a microscope.
Transparency is another of the founding principles behind GDPR. That’s right; one of the most complex pieces of legislation ever created demands that you strive for simplicity and transparency. Don’t worry, the irony is not lost on us either.
Gone are the days when businesses could hide their data collection policies on page 14 of a cryptic privacy document. You must explain clearly and concisely who you are, what you intend to do with the personal data collected, and the rights of the subject to control that data. If data is to be used for more than one purpose, then the purposes must be listed individually and consent given for each one.
A note on legitimate interests
Just like with the DPA, GDPR states that there are certain circumstances in which an organisation or third party can claim they have a legitimate interest in processing data without consent. This has become something of a grey area for the marketing community.
Recital 47 of the GDPR states that:
“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
And it goes on to say:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This statement has lured many in the DM and AdTech communities into a false sense of security. Article 6 (f) of the GDPR includes one important caveat…
“except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”
In other words, a business that intends to use personal data must balance its legitimate interest against both the rights and the interests of the data subject, regardless of whether or not those interests are legitimate. In practice, it could be very difficult to prove that your legitimate interests outweigh the interests of the data subject.
The ICO has admitted that there is still confusion surrounding legitimate interest and is planning to produce additional guidance on the matter later in the year.
“The use of legitimate interests is a significant issue in its own right, and not only when it comes to their relationship with consent,” Elizabeth Denham, the Information Commissioner, recently wrote in a letter. “The legitimate interests condition will be dealt with in separate guidance later in the run-up to GDPR implementation.”
Consent, accountability and transparency are three of the core principles behind GDPR, and the notion of proof is the glue that holds them together. If your organisation can’t demonstrate that robust data protection is at the heart of all policies and practices, you’re leaving yourself open to enforcement action.
Get it right, and you will begin to feel the residual benefits almost immediately.