Data is the new gold of the online world: its value increases daily but, unlike the gold market, it never drops in price or fluctuates. To large tech companies such as Facebook, Google, Twitter and Instagram, consumer data is categorised as a product, and one on which their profits are built.
For online users and consumers, personal data acts as currency – sharing your data, such as your email address, affords you access to numerous services and content. For marketers, data is key to running successful campaigns; it helps marketing professionals recognise site visitors, target the right people with the right content and much more. And, crucially, it is the marketing professional’s responsibility to use and store the data they are given responsibly.
It is no mystery, therefore, that 73% of people agree that in the internet age you have to provide personal information in order to buy things. – DMA
However, the legislation around data use has changed: the General Data Protection Regulation (GDPR) came into force on 25th May 2018 and was enforced across the twenty-eight member states of the EU. But what did this actually mean? How has it changed the way marketers and consumers alike treat data? And what must organisations do to comply with the GDPR?
GDPR legislation around data privacy and protection was adopted in April 2016 and became enforceable on 25th May 2018, building on the 1995 Data Protection Directive and modernising data regulation to reflect how businesses use and collect data today.
Answering Your GDPR Questions
What data has been affected by GDPR?
As defined by the EU, ‘personal data’ includes any information that can be used to directly or indirectly identify an individual (or ‘data subject’). This means that everything from an email address, to a name, IP address, photo and more are included.
What areas will GDPR legislation cover?
The six top-level areas that GDPR covers are:
- Right to access: Under GDPR, data controllers (companies that hold personal data) must be able to provide (for free) a copy of an individual’s data if requested. Individuals may find out what personal data of theirs is being processed, where and why.
- Right to erasure: The ‘right to be forgotten’ allows individuals to request that a data controller deletes their personal data, preventing the controller and related third parties from accessing or processing their information.
- Data portability: Under GDPR, individuals will be able to request access to their data ‘in an electronic format’, which they can transfer to another data controller (such as when switching service providers).
- Data breach notification: This means customers and data controllers must be notified of data breaches (leaks, hacks, or lost data – such as information on a lost USB stick) within 72 hours.
- Privacy by design: Data compliance and data protection must now be considered from the start when designing new systems. Organisational and technical processes must be considered to ensure personal data is secure and that only data that is ‘absolutely necessary for the completion of duties’ is held.
- Data protection officers: Public companies, or companies whose main activities involve data processing and monitoring, will now need to appoint a data protection officer rather than notifying local Data Protection Authorities of their activities.
What impact has it had for non-EU marketers?
GDPR legislation became mandatory across the EU from 25th May 2018.
In fact, as GDPR affects all companies that handle EU citizens’ data, regardless of where that company is based, marketers worldwide need to comply with the GDPR if they manage any EU data.
What ways has this impacted B2B digital marketing/sales?
A few of the (many!) things that marketers should consider include:
One of the most impacted areas to note is that ‘implied consent’ is no longer an option for B2C (personal) data.
There is an exception called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients, or to those you have negotiated with to provide products or services, as long as:
- You give them the opportunity to opt-out when you receive their contact information; and
- You give them the opportunity to opt-out when you send them subsequent messages.
This processing is not based on consent, but rather the legitimate interests processing condition and can only be relied upon by the organisation that collected the contact details, not third parties.
Under GDPR, consent must be explicit. Companies must be able to provide proof that an individual actively elected to opt in to communications and didn’t just land on the list by default – for example, that they ticked an ‘opt-in’ box that was unticked by default on a form. ‘Double opt-in’ would also be best practice, where the opt-in is followed up with a ‘click to confirm’ email.
However, for corporate or business data, ‘implied consent’ means marketers are able to email someone, so long as that person had the option to opt-out of emails at the time of purchase (or conversion – such as for form completions).
Unless you’re confident your database does not contain any personal data (e.g. email addresses or phone numbers), our recommendation is that you remain as compliant as possible.
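The consent requirements above (no pre-ticked boxes, a timestamped record of when and where each opt-in was captured, and a ‘click to confirm’ step before anyone is mailed) can be enforced in a small consent ledger. The block below is an added example written for this article, not code from the original post or from any vendor it mentions; the HMAC key, form identifier and addresses are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed placeholder key for signing confirmation tokens; load from a secret store in practice.
TOKEN_KEY = b"example-key-not-for-production"

@dataclass
class ConsentRecord:
    email: str
    source: str                          # where consent was captured, e.g. a form id or page URL
    requested_at: str                    # UTC timestamp of the opt-in action (audit evidence)
    confirmed_at: Optional[str] = None   # set only after the 'click to confirm' step

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, requested_at: str) -> str:
        # Bound to the address and the original timestamp, so a link cannot confirm a different record.
        msg = f"{email}|{requested_at}".encode()
        return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()

    def record_opt_in(self, email: str, source: str, box_prechecked: bool) -> str:
        # A box ticked by default is not explicit consent: refuse to record it.
        if box_prechecked:
            raise ValueError("pre-ticked opt-in box is not explicit consent")
        requested_at = datetime.now(timezone.utc).isoformat()
        self._records[email] = ConsentRecord(email, source, requested_at)
        return self._token(email, requested_at)  # embed this in the confirmation email

    def confirm(self, email: str, token: str) -> bool:
        # Second half of double opt-in: the recipient clicked the emailed link.
        rec = self._records.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            return False
        rec.confirmed_at = datetime.now(timezone.utc).isoformat()
        return True

    def may_email(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None

    def proof_of_consent(self, email: str) -> Optional[dict]:
        # What you would produce if challenged: source, timestamps and confirmation state.
        rec = self._records.get(email)
        return None if rec is None else asdict(rec)
```

Nobody is mailed on the strength of the first form submission alone; `may_email` only returns true once the emailed token has been confirmed.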
Marketing with ‘Legitimate interest’
So, opt-in is compulsory for B2C data. However, there are considered to be two perspectives on GDPR opt-in. The first is consent, where a business must gather opt-ins from every B2C contact (as above). This is considered best practice as it guarantees compliance.
The second perspective is legitimate interest, where, as quoted from the DMA, “If a business decides to use the legitimate interest precedent for their direct marketing, then it will be able to send email marketing on an unsubscribe/opt-out basis”. Note that this isn’t a route to ‘get around’ GDPR. All other aspects of GDPR must be met, and if challenged, proving ‘legitimate interest’ (read: relevant and appropriate) may be harder to do legally. A legitimate interests assessment needs to be completed, documented and stored for audit purposes.
As consent guidance under the GDPR becomes more stringent, we predict that there will be a move towards legitimate interests as an alternative legal basis to process people’s data. This involves balancing legitimate business data use against an individual’s privacy to see which side is “heavier”. “The pursuit of this legitimate business interest is in the interests of the ‘wider community’ as it allows it to receive less waste, more relevant marketing as well as free content.” – Acxiom UK
Data capture fields and forms
With opt-in becoming a mandatory requirement, marketers must ensure any on-site forms (current and future) are made compliant. Compliance of course extends beyond the option to opt-in – forms must be deployed and hosted in a way that complies with GDPR.
Third party compliance
For many marketers, third party tools and marketing technology providers (e.g. marketing automation platforms, CRMs, etc.) form much of their data ecosystem. In this case, it’s important that marketers check that their marketing partners/vendors are compliant and that due diligence has been performed as part of the contracted services provided.
- Ask suppliers to detail how they will store/process data to ensure GDPR compliance.
- Ensure there is a point of contact from each side, plus a process in place to manage any data breaches. Both sides must be able to respond quickly to manage, react and respond in compliance with ‘Data breach notification’ legislation.
- Make sure to only collect data that is necessary, or that falls under a ‘legitimate interest’.
- Be sure it’s possible to delete data should you stop using a service, and that you can download your own data when requested.
Considering events, opt-in consent requirements mean marketers will no longer be able to add event attendee lists to a campaign – you would need to show evidence for opt-in, such as an opt-in from your stand, or a follow-up email post-event.
Under the ‘right to be forgotten’, as everybody has the right to opt-out, this may affect the way you manage your CRM; for example you would no longer be able to mark someone as ‘do not contact’ – personal details would have to be deleted. It’s also worth checking tech stack integrations to ensure that when requested, data can be removed from all related databases and platforms.
In situations like new contact data record creation, or where contacts provided by a third party are being added or integrated into a database, opt-in compliance is again imperative. Managing and handling this across multiple areas (importing contacts from a spreadsheet, adding a contact from a business card, integrating Sales Navigator contacts with your CRM) may be the most complex part of compliance here.
What are the penalties for non-compliance?
The penalties for non-compliance with GDPR are set to be significant and could be up to €20 million, or 4% of an organisation’s annual turnover – whichever is greater.
Tips For Compliance for GDPR
- Raise internal awareness. Make sure that key stakeholders and decision makers in your organisation are aware of the implications of the GDPR.
- Audit and document your data. Know what personal data your organisation holds and processes, why and where it is processed, where it came from and who you share it with.
- Account for individuals’ rights. Make sure you have procedures in place that address all the rights that individuals have, from how you would delete personal data to providing data electronically if requested.
- Identify your legal basis for processing personal data. Review the types of data processing you conduct, identify your legal basis for doing so – and document it.
- Subject access requests. Update your procedures and identify how you will handle requests in future.
- Put contingency plans in place. You need to be prepared to detect, manage and report on and investigate any personal data breaches.
- Consider how you obtain consent. How do you currently obtain and record consent? Do you need to amend any processes?
- Consider age verification as well as consent. Systems must be established to verify individuals’ ages and to gain parental/guardian consent for data processing where children are concerned.
- Assign a Data Protection Officer. Companies that process vast quantities of personal data, or process large-scale ‘special categories’ of data (sensitive data, such as race or religion), must designate a DPO to take responsibility for data protection compliance.
- Consider international implications. If you’re part of an international organisation, determine which data protection supervisory authority you fall under.
- Data Protection Impact Assessments. Make sure your organisation is familiar with ICO guidance on Privacy Impact Assessments and plan how to implement them.
Ultimately GDPR is About More Relevant Marketing and Greater Transparency
Our advice to inbound marketing agencies has always been to be as transparent as possible with consumer data, to build more relevant, valued relationships with your customers and consumers.
Marketing shouldn’t be pushy or mysterious for consumers. If a consumer understands why they’re opting into your messaging, and can see the value they’ll gain, that’s a true, trusting relationship to have, and it should be the default.