Editor's Note: The GDPR is an EU regulation. It applies to organisations established in the EU (which at the time of writing includes the U.K.) and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It came into force on 25 May 2018.
As a Data Protection Officer, one of the most common questions I am asked by our customers and at networking events is, what are the impacts of GDPR on Marketing?
Historically, the way we have obtained consent to process personal information in digital and direct marketing has often been a grey area. The Data Protection Act 1998 was built on the Data Protection Directive (DPD), adopted in 1995, more than 20 years ago. It could not have predicted, or catered for, a digital age in which big data has become big business.
How has data been collected in the past?
For some time, marketing best practice has been to collect as much data as possible and then work out how to process, profile and analyse it in order to extract as much value as possible. Marketers have also invented clever ways to obtain personal information: trade shows where badges are scanned and the details stored; competitions to win the latest gadget where all that is required is a business card; white papers posted online that can only be downloaded in exchange for your details. These techniques have been around for years, and all of them help marketers analyse and profile information so that they can identify your or your organisation's interests and target you with future products, services or campaigns.
This is not to say it has been open season for marketers under the DPD. Recently there have been a number of cases where marketing companies have fallen foul of the legislation and the Information Commissioner's Office (ICO) has imposed fines. For instance, one organisation in the U.K. was fined £140,000 ($186,255) for sending 4.4 million spam texts. Another organisation making nuisance phone calls was fined £80,000 ($106,431). However, fines under the DPA are neither effective nor dissuasive, as the ICO can only fine up to a maximum of £500,000 ($665,200). This is about to change under the GDPR.
What changes does the GDPR impose?
The GDPR sets out six principles that form the rules on how personal data is to be treated (Article 5). They require that data is processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate; retained for no longer than necessary; and processed in a manner that maintains its integrity and confidentiality. The controller must also be able to demonstrate compliance with these principles (accountability).
The Information Commissioner's Office (ICO) is currently developing guidance for organisations on how to comply with the GDPR; see its current guidance for marketers on the GDPR.
What does the GDPR mean for marketers?
Where marketing is concerned, this completely changes the way we think about handling data. Direct marketers will need to demonstrate how their organisation meets the lawful conditions for processing. If an organisation cannot prove how it obtained consent, it is likely to be fined. Marketers must align themselves with the GDPR principles.
The data collected must be relevant to the purpose for which it was collected. This means that if you run a campaign or competition, you can only use the information for that campaign or competition. Using the information for a new purpose will need further consent from the data subject. This is, in some ways, bad news for marketing, since growing databases by these methods has been common practice. Existing marketing databases will need to be cleansed and reviewed so that your organisation can identify whether consent was granted lawfully and fairly, whether the data is being used for explicit and legitimate purposes, what data has been collected, and how accurate that information is.
Consent must be given and not assumed
Consent plays a very big part in digital and direct marketing, as the data controller and processor have to adhere to a clear set of boundaries, set out in the following definition taken from the regulation (Article 4(11)):
"'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (the General Data Protection Regulation).
If we analyse the regulation with reference to consent, there are some clear guidelines that outline the dos and don'ts of gaining consent.
Dos and Don'ts of Consent
- You must be able to demonstrate that the data subject has consented to the processing, which means marketing must record who gave consent and how.
- The data subject must be able to withdraw consent at any time, and it must be as easy to withdraw consent as to give it (Article 7(3)). For direct marketing, the data subject also has an unconditional right to object (Article 21). Your policy and process must show how consent is withdrawn.
- Consent should cover all processing activities carried out for the same purpose.
- If data is processed for multiple purposes, consent should be given for each of those purposes.
- Consent is not freely given if the data subject has no genuine or free choice.
- Silence, pre-ticked boxes or inactivity do not constitute consent.
The rule of thumb is that consent must be given, not assumed. I am already seeing corporations update their websites and change the language they use to clarify why data is collected and what it will be used for. There is then a clear affirmative action, such as ticking an opt-in box, so that they can record how the data subject gave consent. In the past the purposes for using personal data would have been buried in lengthy legal and corporate jargon. Under the GDPR the purpose has to be unambiguous, clear and simple; if it is not, the consent will not be valid.
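The dos and don'ts above, and the opt-in practice just described, come down to one engineering requirement: a record that shows who consented, to what purpose, how, and when, that can be withdrawn as easily as it was given, and that cannot be quietly altered afterwards. The following is an added example of such a consent register, written for this post; it is not code from any product, regulator or the original article, and the subject identifier, purpose names and sources it uses are constructed sample data. It refuses pre-ticked boxes and inactivity, treats each purpose separately, records withdrawal as a one-step action, and hash-chains every event so the evidence can be checked for tampering.

```python
"""Illustrative consent register: records who consented, how, and for what purpose,
and keeps a hash-chained audit trail so the record can be produced as evidence.
Example code added to this post; not a product and not legal advice."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


class ConsentError(Exception):
    """Raised when an action would not count as valid consent."""


class ConsentRegister:
    """Per (data subject, purpose) consent state plus an append-only event log."""

    def __init__(self) -> None:
        self._events: list[dict] = []                    # audit log, append-only
        self._active: dict[tuple[str, str], bool] = {}   # (subject, purpose) -> consented?

    @staticmethod
    def _digest(event: dict) -> str:
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject_id: str, purpose: str, action: str, source: str) -> dict:
        event = {
            "subject_id": subject_id,
            "purpose": purpose,        # one purpose per event: consent is purpose-specific
            "action": action,          # "grant" or "withdraw"
            "source": source,          # how it was captured, e.g. "web form opt-in checkbox"
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_hash": self._events[-1]["hash"] if self._events else GENESIS,
        }
        event["hash"] = self._digest(event)   # chains this event to the previous one
        self._events.append(event)
        self._active[(subject_id, purpose)] = action == "grant"
        return event

    def grant(self, subject_id: str, purposes: list[str], *, source: str,
              affirmative_action: bool, pre_ticked: bool = False) -> list[dict]:
        """Record consent for each listed purpose. Refuses anything that is not a clear
        affirmative action: a pre-ticked box, silence or inactivity is not consent."""
        if pre_ticked or not affirmative_action:
            raise ConsentError("consent must be a clear affirmative action by the data subject")
        if not purposes:
            raise ConsentError("consent must name at least one specific purpose")
        return [self._append(subject_id, p, "grant", source) for p in purposes]

    def withdraw(self, subject_id: str, purpose: str, *, source: str) -> dict:
        """Withdrawing is one call with no extra hurdle, i.e. as easy as granting."""
        return self._append(subject_id, purpose, "withdraw", source)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before processing. An unrecorded purpose means no consent, never assumed."""
        return self._active.get((subject_id, purpose), False)

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Everything recorded for this subject and purpose: who, how, when."""
        return [e for e in self._events
                if e["subject_id"] == subject_id and e["purpose"] == purpose]

    def verify_chain(self) -> bool:
        """True if no event has been altered or removed since it was written."""
        prev = GENESIS
        for e in self._events:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Constructed walk-through: one prospect, two purposes, one withdrawal."""
    reg = ConsentRegister()
    reg.grant("subject-42", ["newsletter"], source="web form opt-in checkbox",
              affirmative_action=True)
    newsletter_ok = reg.has_consent("subject-42", "newsletter")
    profiling_ok = reg.has_consent("subject-42", "profiling")   # different purpose: no consent
    try:   # a pre-ticked box does not count, however the form was labelled
        reg.grant("subject-42", ["profiling"], source="pre-ticked box",
                  affirmative_action=True, pre_ticked=True)
        pre_ticked_rejected = False
    except ConsentError:
        pre_ticked_rejected = True
    reg.withdraw("subject-42", "newsletter", source="unsubscribe link")
    return {
        "newsletter_before_withdrawal": newsletter_ok,
        "profiling_without_consent": profiling_ok,
        "pre_ticked_rejected": pre_ticked_rejected,
        "newsletter_after_withdrawal": reg.has_consent("subject-42", "newsletter"),
        "evidence_events": len(reg.evidence("subject-42", "newsletter")),
        "chain_intact": reg.verify_chain(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register is deliberately keyed on (subject, purpose) rather than on the subject alone, so that a competition entry cannot silently become consent for profiling or a newsletter. The hash chain is a lightweight way to make the log tamper-evident; in production you would persist the events and anchor the chain (for example by signing the latest hash periodically) rather than keep it only in memory.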
I have used the term "personal data" a lot in this blog. To clarify, personal data is any information relating to an identified or identifiable natural person, where that person can be identified by reference to a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. If we focus on online identifiers, we can see that IP addresses, cookies, mobile device identifiers and even search engine data will fall into the scope of the GDPR.
GDPR is a big shake-up in data protection
Many companies are calling the GDPR the biggest shake-up in data protection in 20 years. The very nature of digital marketing is monitoring behaviour by tracking individuals online to create profiles, in particular to analyse or predict aspects of a natural person's personal preferences, interests, reliability, behaviour, location or movements. The territorial scope of the regulation (Article 3) explicitly extends to organisations outside the EU that monitor the behaviour of people in the EU.
For many marketers there is a significant possibility that they will need to reassess all of their databases and practices to ensure they meet the regulation. My advice to customers and marketers is to follow the principles set out in the GDPR and ensure you can prove how you gained consent for the information you hold. Have a corporate fair processing notice in place that the data subject can review, so there is no doubt as to how their data is processed. These steps will help align your business with the GDPR. I appreciate this is a simple statement, but I assume that for some organisations there is a lot of work to do. The regulation has also ensured its sanctions are now effective, proportionate and dissuasive: failure to comply can result in fines of up to 20 million euros or 4% of your annual worldwide turnover, whichever is higher.
The deadline for compliance with the GDPR is 25 May 2018. Marketing is only one area of your business that needs to be aligned with the regulation. The extent of the work required to develop policy and process, and to ensure you have the right IT infrastructure in place to protect data flows throughout your organisation, needs careful consideration. My advice is to start the process as soon as possible to avoid being caught out.