GDPR: The New Headache in Marketing!

We’ve all heard of GDPR and the impacts if companies fail to comply - fines of up to €20 million or 4% of your global turnover!

Many of us use mass marketing (a.k.a junk) mail on a daily basis to get our products out there in the form of targeted campaigns, in the hope that we can get real people to part with their cash.

We all need to generate new business and have bills to pay, right? Whether in the form of white mail, email, SMS, calls, social media marketing or even the annoying people knocking on your door to sell you the next best broadband package.

So how does GDPR change the current marketing practices and what does that mean for your business?

With the new GDPR (General Data Protection Regulation) coming into force on 25th May 2018, current working practices across organisations will need to change – no kidding, GDPR is s culture change and impacts the whole business - not just IT! Let’s start with marketing…

Do you have consent? Do you rely on Soft Opt-In or Hard Opt-In?

GDPR states: that consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’.

• Can we still rely on a pre ticked box?

It is unlikely that marketers will get away with this post May next year, as consent is actively sought from data subjects.

• So let’s get them to tick a box, we just assume that they want marketing from our company and request that they tick a box if they DON’T want to be contacted, so by default it’s assumed they want to hear about our products – easy!! With the added bonus that we don’t lose the majority of our leads!

Again, this is legally very dodgy ground. I would assume it is a high risk and the approach would need to be implemented with a whole set of mitigating actions, including up-to-date marketing lists with focus on suppressions, etc.

GDPR clearly states that pre-ticked boxes and any assumptions that consent is given will be insufficient.

It should also be as easy to Opt-Out as it is to opt-in of marketing for data subject. In GDPR speak “the right to be forgotten.

In practice, this will be to ensure that an “unsubscribe” option is readily available, allowing subjects to request marketing to be stopped at any time they choose.

• What about 3rd Party marketing, who is responsible?

In the event you sell or pass data onto a third party for the purposes of marketing, YOU as a data controller are still responsible for ensuring that the 3rd party (or data processor) adheres to the GDPR regulation.

When obtaining the consent, third parties should be named individually.

• What about my “legitimate interests” when processing that data – does that not count for anything?!

• The GDPR allows other legal justifications for processing personal data, such as “legitimate interests” (the right of a company to do business).

Unfortunately it is unclear on how marketing may use this justification at this point in time.

Finally, in accordance with GDPR you will have to legally justify the processing of the personal data you collect.

Simply meaning that you will only collect data that is required for the purpose you will be processing it for, any “nice to have” information that is not actually required must not be collected.

Bringing it all together: Focus on the main areas for marketing, namely;

1. Gain Active Consent

2. Ensure you can execute any “right to be forgotten” requests.

3. Be transparent and only collect data that is required.

Use GDPR as an opportunity to build better, legally compliant and more targeted marketing campaigns!

Look out for blogs on how GDPR affects other business units (HR, Operations, IT and others).