The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and its implications for the world of marketing could be profound. Failure to comply with GDPR could result in fines of up to €20 million or 4% of global annual turnover, whichever is greater. If that figure scares you – that’s the intention.
The scope of the GDPR is far-reaching, which only serves to further confuse and intimidate many in the industry. YouGov recently surveyed 225 marketers and found that only 13% believed that GDPR was a significant cause for concern, with 31% admitting they did not know whether their business had taken steps to ensure compliance.
So here it is; a blow-by-blow blog on how to ensure that you (and your clients) can remain on the right side of the law.
There are many that assume that Brexit will save them from GDPR. Let’s put that red herring to bed now. GDPR affects any organisation that collects and processes the data of EU citizens. If the UK wishes to be deemed by the EU as a safe place to harbour personal data pertaining to EU citizens, the UK will have no choice but to implement the core principles of the GDPR. The British government is apparently considering something akin to GDPR-lite, for UK-based organisations that only deal with UK-based citizens; but for right now, anyone handling personal data in Britain is subject to the full weight of the act.
This is the biggie. GDPR mandates that consent be obtained to gather personal data and must be ‘freely given, specific, informed, and unambiguous’, and articulated with ‘clear affirmative action’. That means no more pre-ticked boxes. Silence or inactivity does not imply consent. Prospects and customers must wholeheartedly agree that their data can be collected and it must then only be used for the manner intended.
For example, you might have ‘gated’ content (i.e. that requires a form fill to download) on your website. You capture email addresses in return for informative white papers. Nothing unusual there. But unless you have stated ‘clearly and unambiguously’ what exactly the email address will be used for, you do not have permission to send the customer any marketing emails at all; and if you do – well, you’ve just gone and broken the law. Even if they clearly and unambiguously agree, you can’t then use the same email address for a different purpose a year later.
The key here is to ensure you are capturing the right information from the word go. Rather than just grabbing data with a one liner about future marketing correspondence, consider segmenting all of your operations with clear opt-in options for each.
Just as importantly, you need to be able to prove that consent was given. Think about the implications of this for second. Your sales guy attends a conference and gets a bunch of business cards to follow up as leads. You would need to somehow document that interaction, say by scanning the cards. Without express permission, those leads could not be communicated with, other than to discuss the original reason they handed their card over. But now you’ve lost the opportunity to seek said permission because you can’t send them an email!
A case from 2016 highlights this Catch 22 situation. Honda Motor Europe Ltd sent 289,790 emails asking individuals, “would you like to hear from Honda?”. The emails were sent in good faith to addresses for which they had no opt-in/opt-out information. The ICO fined them £13,000.
Steve Eckersley, ICO Head of Enforcement, said at the time “[Honda Motor Europe Ltd] sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.”
To ensure that you have a proper paper trail for consent, consider digitising how you capture personal data. Use a tablet, for example, with very clear opt-ins for all of your marketing activity.
Also consider implementing double opt-in where possible. So, for example, your prospect opts-in using an iPad at a conference. They are then sent a confirmation email that they must respond to. These may seem like extreme measures, but this is the world we are living in now.
The right to erasure has received quite a bit of coverage in the media. The right builds on the ‘right to be forgotten’, which was recognised by the European Court of Justice in its 2014 ruling on Google Spain v. AEPD and Mario Costeja González.
The Court ruled that Google had to remove links to webpages that appeared when searching the claimant’s name.
The right to erasure gives individuals the ability request that their data be deleted. You must be able to comply with this request:
• When the individual withdraws consent
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
• The personal data was unlawfully processed
For most marketing teams, withdrawal of consent is going to be the most common occurrence. It is important to ensure that you have the proper tools and records in place to ensure that these individuals are completely removed from your systems.
One constant throughout the 200+ pages of GDPR legislation is that the burden of proof lies with the company processing the data. You must be able to demonstrate compliance to both the individuals in question and the Information Commissioners Office, should they ever come knocking.
If you practice good housekeeping to begin with, this shouldn’t cause you any real concern. If your marketing database is poorly maintained, it’s time to get your house in order. You will need to maintain a record of all categories of data processing activities, details of any data transfers to third parties and a general description of security measures that you have in place to protect private data.
GDPR may seem a bit draconian in nature; and it’s hard to justify its complexity. But it is what it is, and with a bit of preparation, there is nothing to fear. In fact, it should be treated as an opportunity.
Any B2B or B2C marketer worth his or her salt will tell you that quality is more in important than quantity. Would you rather have a thousand visitors to your site spending one pound or 10 visitors spending one thousand pounds? Would you rather have thousands of followers on Twitter and zero engagement, or hundreds of followers that actively participate in conversation? The same principle can be applied to data. Gone are the days of scraping as much personal data as possible and hoping that something sticks along the way. Use GDPR as an opportunity to focus your marketing efforts. You, your company and your customers will be better off in the long run.
