Out of all business activities, GDPR legislation affects marketing processes quite significantly. Let’s look at how to keep your marketing team compliant.
Compliance with the upcoming GDPR legislation is a concern for a lot of companies, and it’s likely to have a massive impact on various business processes.
However, the field of marketing is potentially amongst the hardest hit by these new rules, so let’s investigate how to get your marketing department up to speed.
A Brief Intro to GDPR
GDPR or the “General Data Protection Regulation” is a new EU regulation which puts into law certain rights that all EU citizens (including British citizens) will have over their identifiable data, and the obligations of companies that hold it.
Though it was initiated on the 27th April 2016, a 2-year grace period was permitted to allow businesses to prepare for the changes. Therefore, the regulation comes into force on the 25th May 2018.
It aims to simplify and clarify citizens’ rights over their data. Businesses who deal with the personal information of EU citizens need to ensure compliance by the 25th May 2018, or potentially face a fine of up to €20 million, or 4% of their annual turnover (whichever figure is greater).
Before we start, it’s well worth making yourself aware of the ICO’s guide on the matter, and our previous blog post giving a general overview of the new legislation. Other recommended reading is available at the end of this article.
Individuals’ Right to Consent
This is a big one for marketers. Growing your contact lists (such as email subscribers) represents an important part of modern marketing, but GDPR affects the ways in which businesses can collect and store personal information. Consent to receiving marketing materials or sales phone calls – or in fact to any use of personal data – needs to be offered by each individual willingly and freely. When you ask people to share their details with you, you need to make it absolutely crystal clear what you plan to do with that data. Everything you do with people’s data requires their explicit consent under the new law.
GDPR rules also specify that you can’t opt people in to any use of their data without their consent or knowledge – marketing materials included. For example, if someone has recently purchased from you, you can’t just assume they want to hear from you and add their email address to your mailing list without asking them.
When you state what you intend to do with people’s data, it needs to be explained clearly and never buried in confusing language. You also need to keep an auditable trail of consent, so you can prove that active, knowing permission has been given by each individual, that they’ve agreed to specific activities, and that you are only carrying out activities that permission has been granted for. Otherwise, you may be vulnerable to someone claiming you’ve breached GDPR rules – and that €20m fine is no joke!
If you’re currently using people’s data in a way that you haven’t obtained explicit consent for, stop immediately. Take stock of what you do with personal data, and seek informed and willing permission from those people before GDPR comes into force. If people decline or don’t respond, cease all non-consensual activity involving that data unless they choose to opt in.
How to Comply
- Ensure that any opportunity you provide for people to share contact details with you offers crystal clear information about what you intend to do with that data.
- Never use pre-ticked boxes, soft opt-ins, or implied consent to grow your list. People need to provide active consent in order for their data to be used.
- Seek proper, informed permission from your existing marketing lists to continue direct marketing activities.
- Make sure that everyone on your marketing lists has an auditable trail of consent, proving they’ve given permission to your use of their data.
Rights to Objection and to Erasure
As well as a right to give informed consent, citizens also have a right to retract that consent at any point. They also have a right to object to certain uses of their data that they disagree with, which might involve receiving marketing materials but can stretch to other activities such as when companies share people’s details with a third party. In the case of retracted consent or an objection to data use, the person’s wishes need to be acted on immediately. There is also a “right to restrict processing” which may also apply to marketers and is well worth being aware of.
Also part of the GDPR legislation is the “right to erasure”, which means that you should be able to delete all of an individual’s personally identifiable data should they request it, provided there’s no “compelling reason” for you to continue storing/processing that data.
How to Comply
- Previously granted consent needs to be easily retractable by the individual, and any objections to specific data uses need to be acted upon immediately; your computerised systems will need to accommodate this.
- Your current data handling practices may need to change to allow for objections and deletion requests.
- Ensure that you can delete identifiable data about a person completely and auditably.
- Make sure that you can ringfence the data belonging to those who object to certain activities, so it can’t be used for that purpose, even in error.
Access, Rectification, and Staying Informed
Individuals will now have the right to ask about and remain informed of how companies use and process their data, and ensure that data held about them is accurate. If someone finds out that a company holds incorrect data on them, they have a right to contact the company and have them make any necessary corrections immediately.
EU citizens will also have a “right to access”, which means that they have a right to request a digital copy of any data held about them; companies will have to provide this within a month of receiving the request. People that you hold identifiable information about will now have the right to ask about what information you hold about them, why you hold it, how long you’ve had it, how long you intend to hold it, and what you intend to do with it.
How to Comply
- Your systems need to be able to make correcting data easy and auditable.
- You may need to amend your data storage systems so you can easily export a digital copy of an individual person’s data quickly and easily should they exercise their right to access.
- Your systems also need to record when each person opted in, what activities they agreed to in doing so, and what you intend to do with their data should someone exercise their right to be informed.
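One way to implement the record-keeping that the three “How to Comply” lists above call for (active per-purpose opt-in, immediate withdrawal or objection, auditable rectification, export on a right-to-access request, and provable erasure) as an added example that is not from the original post or from FIVE CRM; the ConsentLedger class, the purpose names and the ERASURE_KEY placeholder are assumptions:

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hmac, json

ERASURE_KEY = b"placeholder-secret-held-outside-the-database"  # assumed: store separately

@dataclass
class ConsentEvent:
    at: str       # UTC timestamp, ISO 8601
    action: str   # "grant" | "withdraw" | "rectify" | "access"
    purpose: str  # e.g. "email_newsletter", "sales_calls", "third_party_sharing"
    source: str   # where it came from, e.g. "signup form v3", "unsubscribe link"

class ConsentLedger:
    def __init__(self):
        self.events = {}     # subject -> [ConsentEvent, ...], only ever appended to
        self.profiles = {}   # subject -> personal data held
        self.erased = set()  # keyed hashes of erased subjects: proof of deletion, no PII

    def _record(self, subject, action, purpose, source):
        ev = ConsentEvent(datetime.now(timezone.utc).isoformat(), action, purpose, source)
        self.events.setdefault(subject, []).append(ev)
    def register(self, subject, profile):
        self.profiles[subject] = dict(profile)  # holding data is not consent to use it
    def grant(self, subject, purpose, source):
        self._record(subject, "grant", purpose, source)  # active opt-in, per purpose
    def withdraw(self, subject, purpose, source):
        self._record(subject, "withdraw", purpose, source)  # retraction/objection
    def may_use(self, subject, purpose):
        """Default False (no implied consent); latest grant/withdraw for the purpose wins."""
        allowed = False
        for ev in self.events.get(subject, []):
            if ev.purpose == purpose and ev.action in ("grant", "withdraw"):
                allowed = ev.action == "grant"
        return allowed

    def rectify(self, subject, field_name, value, source):
        self.profiles[subject][field_name] = value
        self._record(subject, "rectify", field_name, source)
    def export(self, subject):
        """Right to access: data held plus the full record of what was agreed to and when."""
        self._record(subject, "access", "-", "subject access request")
        return json.dumps({"profile": self.profiles[subject],
                           "consent_history": [asdict(e) for e in self.events[subject]]})
    def erase(self, subject):
        """Right to erasure: drop data and history, keep only a keyed hash as proof."""
        self.profiles.pop(subject, None)
        self.events.pop(subject, None)
        self.erased.add(hmac.new(ERASURE_KEY, subject.encode(), "sha256").hexdigest())
```

Every check in `may_use` starts from “not permitted”, so a purpose that was never actively granted, or that has been withdrawn, is blocked even if the person’s data is still held for another purpose.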
But Don’t Forget the Rest!
Though matters of consent, erasure, restriction, and deletion will probably rank highest on a marketer’s day-to-day agenda, don’t forget that there are also other crucial rules to abide by that aren’t just matters for the marketing team. GDPR also provides crucial legislation surrounding data breach handling, protections for children, and appointing in-house data protection officers. Also bear in mind that GDPR doesn’t just refer to data about consumers and prospects – it refers to all individuals. That includes the data that a company holds about its employees.
Make sure your whole team is informed of their new responsibilities to those you hold data about, that they’re trained thoroughly on all aspects of GDPR, and are dedicated to keeping your company compliant.
For an overall view of what you need to do to comply with the new GDPR rules, check out the following links:
Overview of the GDPR from the Information Commissioner’s Office (ICO)
What is GDPR? from the University of Roskilde, Denmark
GDPR: 12 Steps to Take Now from the ICO
Getting Ready for the GDPR Checklist from the ICO
Previous FIVE CRM blog posts about GDPR:
DISCLAIMER: This blog post is provided only as a guide to GDPR legislation and should not be considered legal advice. Quality Systems Solutions Ltd advise you to seek your own appropriate legal counsel.