From your list of potential customers through to buyer behaviour intel, data is pretty much the most valuable resource held by any marketing department. It’s a very good reason why all marketers need to get to grips with the General Data Protection Regulation (GDPR), which ushers in a brand new framework for data protection law across the EU – including the UK.
GDPR is marketing’s business
Headline changes for marketers include a strengthening of the rights of individual data subjects, as well as a shake-up of the rules on how personal data can be used for marketing purposes.
And above all, it’s about trust and transparency – red hot topics of late in light of the Facebook/Cambridge Analytica episode. The GDPR requires companies to stop regarding personal data simply as an asset to be mined or exploited and seeks to create the type of environment where individuals are confident that their data isn’t going to be misused.
That being said (and although it might not always seem like it!), the intention behind the GDPR wasn’t to make marketers’ jobs more difficult. Here’s our rundown of the areas of most concern to your marketing department, with tips on how to stay on the right side of the law.
Personal data: what are you dealing with?
As a marketer, your success is measured on your ability to build relationships with new and existing customers. Direct marketing communications, tweaks to your ads and website based on buyer behaviour, personalised offers: these are all part and parcel of the job – and in each case, you are “processing” personal data to reach your desired goal.
Contrary to some of the scaremongering you may have come across, the GDPR shouldn’t (and doesn’t) put an end to these activities. But data protection compliance involves making sure that ‘business as usual’ for your marketing department doesn’t conflict with the data rights of your customers. The GDPR makes this more of a priority than ever – not least because of a new penalty regime, which you can read about here.
As a starting point, you need to establish the following:
- What personal data do you process, where does it reside – and what is its purpose?
- Are those processes “lawful”?
- Are you using, storing and safeguarding that data in a way that’s appropriate?
An organisation-wide data mapping project should help you answer these questions. Our guide to data mapping provides further pointers on this.
Lawful processing part 1: new rules on consent
If you are familiar with the old Data Protection Act (DPA), you’ll already be aware that when a consumer hands over their contact data, this shouldn’t be seen as a green light to bombard them with marketing communications.
The GDPR introduces stricter rules surrounding consent, including the need for separate permissions for different data processing activities and simple mechanisms for customers to withdraw that consent if desired.
The upshot? If you are still relying on catch-all, pre-selected tick boxes for email campaigns and other initiatives, your existing processes may require significant reworking. Check out our guide to consent for further info on this.
Lawful processing part 2: legitimate interest
You need to have a lawful basis for each and every personal data processing activity you conduct. There are six possible grounds to rely on – and you can read up further on them here.
For many of your activities (sending newsletters, say, or running a seasonal promotional campaign) consent will be the most appropriate basis to rely on. In other areas, though, relying on consent can be problematic. One of the rules on consent is that it must be possible to withdraw it at any time, and as easily as it was given. Suppose you rely heavily on customers’ past buying behaviour to deliver personalised offers. If large numbers of customers declined to allow their data to be used for this, or withdrew their consent later on, your entire business model could be at risk.
Likewise, there’s a potential problem with consent when it comes to suppressions. Let’s say a customer opts out of receiving marketing material from you. You remove them from your active messaging list. But in order to ensure that no further marketing messages are sent to this individual in the future, you recognise the need to retain skeleton data on them (a kind of ‘no-go’ list). If they don’t give their consent to this very basic processing activity, you can’t include them on this list.
In these situations, “legitimate interests” is a far more appropriate lawful basis than consent. To rely on it you need to satisfy a three-part test: identify a legitimate interest (your own or a third party’s), show that the processing is necessary to achieve it (you could not reasonably get the same result in a less intrusive way), and balance that interest against the interests, rights and freedoms of the individuals concerned. If, on balance, you conclude that legitimate interests applies, you must still tell data subjects in your privacy information what you are doing with their data, why you need it, and which legitimate interests you are relying on.
But be careful – marketers shouldn’t treat “legitimate interests” as a catch-all basis for every activity where obtaining consent would be inconvenient! It brings its own obligations: record the assessment you carried out so you can demonstrate it later, and remember that individuals have an absolute right to object to processing for direct marketing purposes, so once someone objects you must stop marketing to them on this basis. Note also that where your marketing is sent by email or SMS, the separate e-privacy rules (in the UK, PECR) may require consent regardless of which GDPR basis you rely on.
Your GDPR to-do list
For marketers, the following areas require particular attention:
- Data collection and usage. For each marketing-related processing activity, identify and document the lawful basis you rely on. Where that basis is consent, check that you hold valid, specific opt-ins (not pre-ticked boxes) together with a record of when and how each was given.
- Record keeping. Accountability is a cornerstone of GDPR. In areas such as consent and establishing lawful grounds for processing, you have to be able to show proof that you are in compliance.
- Disclosure. Who do you share data with, and for what purposes? If, say, an outside agency runs your email campaign on your instructions, it is acting as your data processor and you need a written contract setting out what it may and may not do with the data. Our guide to the difference between data controllers and processors should be especially useful reading here.
- Retrieval and erasure. Under the GDPR, individuals have enhanced rights to access their data and to have it erased in certain circumstances, and you normally have one month to respond to such a request. Make sure you have set processes in place (including a way to locate every copy of an individual’s data, which your data mapping should give you) so that you can action requests in time.
To discover how The Privacy Compliance can help your marketing department and all areas of your organisation get GDPR compliance right, check out our free demo – or get in touch for a chat.