The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and its implications for marketing are significant and far-reaching.
A key objective of GDPR is to help put an end to the practice by unscrupulous companies of exploiting personal data for marketing purposes. In short, it puts the power over personal data back in the hands of the individual.
The legislation will have a significant impact on the way marketers approach their work and on how they obtain, store, manage or process the personal data of individuals in the EU (the Regulation applies to data subjects who are in the EU, not only to EU citizens).
GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’. This means that you can’t assume consent based on ‘inactivity’, and you are not permitted to have a pre-ticked box or an opt-out box as consent for use of personal data.
In practice, this means that clients or customers need to actively confirm that they want to be contacted by opting in to receive communications, and they need to be informed, at the time consent is given, of their right to withdraw it.
Impact on existing databases
A question that frequently arises with GDPR is whether a marketer needs to get fresh consents from individuals on existing databases.
There are instances where you may not need to request fresh consent from your existing database. If a marketer can demonstrate another lawful ground for processing the data, such as performance of a contract, a legal obligation, vital interests, a public interest task or legitimate interests (refer to Article 6.1 of the Regulation), then they can rely on that basis rather than on consent.
However, in most cases marketing communications will not satisfy those alternative grounds, so valid consent will be required for your existing database as well as for any new data. Note also that consent obtained before May 2018 only remains usable if it already meets the GDPR standard described above. Remember, when in doubt, request consent.
The introduction of GDPR gives an individual more control over how their data is collected and used. As a marketer, it will be your responsibility to make sure that your users can easily access their data and withdraw consent for its use; under Article 7.3, withdrawing consent must be as easy as giving it.
Practically speaking, this can be as straightforward as including an unsubscribe link within all email marketing communications and providing a link that allows users to manage their email preferences. Marketers should regularly check that the unsubscribe function is working properly and that a withdrawal actually stops further communications.
Subject Access Requests (SAR)
The rules for dealing with subject access requests will change under GDPR. Two main changes are that the timescale for responding will reduce from the current 40 days to one month (extendable by a further two months for complex or numerous requests, provided the individual is told within the first month), and that individuals can request more information than they currently can, such as an organisation’s data retention periods. Marketers should review and update their procedures for handling such requests.
Once data is collected, your organisation needs to ensure it is stored securely and protected against unauthorised or unlawful processing (including unauthorised access and disclosure) and against accidental loss, destruction, alteration or damage (refer to Article 5.1(f) ‘Integrity and Confidentiality’ and the security obligations in Article 32).
When an organisation is collecting data from an individual they must remember that, under GDPR, they are only permitted to collect data that is adequate, relevant and limited to what is necessary for the intended purpose of collection (refer to Article 5.1(c) ‘Data Minimisation’). Data collected by the organisation which is unnecessary or excessive for that purpose would breach GDPR.
Always keep in mind that, as an overall principle, you are not allowed to use personal data in any way that is incompatible with the purpose for which it was collected (refer to Article 5.1(b) ‘Purpose Limitation’). Practically speaking, this will necessitate better housekeeping on the part of marketers, and less collecting of data for unnecessary or frivolous reasons.
Also, if you plan to transfer or share the data with another company, the individual must have been told about that sharing when the data was collected, and if consent is your lawful basis, the consent must cover it. A vendor that merely processes the data on your behalf (a processor) does not need separate consent, but does need a written contract setting out its obligations (refer to Article 28).
Although GDPR does not set specific retention periods, it does state that personal data may be kept only for as long as is necessary to fulfil the purpose for which it was collected (refer to Article 5.1(e) ‘Storage Limitation’). So in order to comply with the new regulation, each organisation needs to establish, document and implement retention periods which set out how long it will retain an individual’s data and the business justification for holding that data for the specified period.
If an individual requests that their data be deleted, and one of the grounds in Article 17 applies (for example, they have withdrawn the consent on which the processing was based, or they have objected to direct marketing, which must always be honoured), the data controller has to comply with that request and confirm the deletion, not only from their own systems but also from the systems of any downstream vendors who were processing that data on the organisation’s behalf.
It is important to communicate straight away with any such third-party vendors that process personal data on your behalf, to confirm their compliance, or their plans for compliance, with the Regulation, and to ensure they will cooperate with you on receipt of a subject access request or a deletion request.