You should now understand the importance of consent under the GDPR. This time we will focus on processing personal data for the purpose of legitimate interests and direct marketing.
It is important to understand that it is not just the GDPR that affects your approach to marketing communications. The e-Privacy directive (PECR in the UK) sets higher standards that you should also adhere to. These are also currently being reviewed by the European Commission.
You now know that you cannot assume consent based on ‘inactivity’ and that a pre-ticked box is officially a no-no in the marketing world. Accept it, embrace it and map out your game plan. Your potential clients and customers must give consent to their data being used for you to contact them directly. This also includes those on your marketing list whose consent was not collected in a GDPR-compliant manner.
Plan to contact individuals who were previously added to marketing lists in a non-GDPR-compliant manner, with a view to obtaining consent. If you don’t receive it, you can no longer market to those individuals.
Everyone now has the right to be forgotten.
Yes, everyone! *Unless your data is being processed in relation to legal processes laid out in Article 17 of the GDPR.
You need to plan how individuals can control the way their data is collected and used. This includes how they can access and remove that data. They will not always be required to provide a reason.
You will need to be specific about what you are going to do with an individual’s data. If part of your business model is passing on data to third parties for marketing, you must explicitly name those companies and your intentions when requesting their consent.* Look at your vendors to ensure that the appropriate legal language for data security and privacy is in place within your contracts. This is a requirement if you are transferring data to those vendors to process, even if they are not viewing it or sharing it. You cannot refuse service to a consumer if they withhold consent for their data being processed.
Don’t collect data for unnecessary reasons, e.g. asking someone for their name, date of birth and eye colour when all you wish to do is send them a regular newsletter.
There will be times when you don’t need to ask for consent to collect and process personal information.
There are other legal justifications for processing personal data, one being the right of a company to do business. It is not yet clear when a marketer can use this as justification but it is worth keeping in mind. You may be faced with the choice of consent vs. legitimate interests – if you ask for consent first and it is refused, it is unlikely you can then claim a legitimate interest.
Example of a legitimate interest – processing an ecommerce order
When a consumer wishes to purchase an item online, they will generally need to provide basic contact and payment information, in order for the controller to process and fulfil that order. This is considered a legitimate interest and therefore does not require consent.
If the controller wishes to process that data further, for example by passing it to third parties, creating an account for the user or signing them up to marketing, then those actions will require consent.
It is worth noting that if you use a third party, such as a payment portal or delivery company, to which the consumer's details will be passed to fulfil their order, you can state this in your privacy terms.
Previously, it has been common practice to take information collected from one campaign and transpose that data for other uses. You can no longer do this under the GDPR. If you have previously collated your database in this manner, you need to ensure that you can demonstrate consent was given for further marketing communications. If not, then the advice above still stands.
You also need to be aware that there has been leaked text from the new e-privacy directive which will make the parameters marketers work within even tighter. The current distinctions between a corporate subscriber and an individual one are no longer retained and there are big changes on the horizon with regards to voice calls. Generally considered more of a nuisance, voice calls will be required to have a specific prefix, in order for recipients to identify them as a marketing call. These two elements combined are likely to make it difficult for businesses in the future who rely on these distinctions and modes. It is worth thinking about these in advance too.
It is likely that the introduction of the GDPR will cause you some temporary headaches but it will only be temporary so long as you are compliant by the 25th May 2018.
It is good practice to think about the quality of the data you collect and how you process it. A new age of responsibility and accountability is on the horizon, and it is always worthwhile being ahead of the game. Yes, it is frustrating but ultimately it will help you foster a better relationship with your customers.
Our advice on the matter is to:
- Educate your team on what the GDPR is;
- Understand fundamentally what changes you need to make to how you operate;
- Assess what impact it has on your strategy and the resources it will take to be fully compliant;
- Assess what system changes you need to make;
- Implement those changes in a sensible structured manner before 28th May 2018.
Speak to your website provider about implementing a preference centre (this provides prospects and customers a choice as to the information and content they receive and the ability for them to unsubscribe at any time), online subscription management (you can use an existing preference centre or host a separate subscription page within your marketing automation environment) and automated consent recording. It may cost you a little money upfront to do this but it will ensure peace of mind once the GDPR comes into play on 28th May 2018.