
What Businesses Need To Know About GDPR For Digital Marketing


GDPR comes into effect on 25 May 2018. According to Marketing Week, only 54% of businesses will be ready. Although this is set to cause many challenges for businesses and marketing, it will also help brands re-build trust and finally get their message through all the white noise of the email inbox, something the data below shows is clearly needed.

Background

The majority of people see disclosing information as increasingly part of daily life and generally don’t mind doing so. However, the largest survey ever conducted regarding citizens’ behaviours and attitudes concerning identity management, data protection and privacy, the Special Eurobarometer 359 report, revealed some interesting facts.

1. 70% of Europeans are concerned that companies may use personal information for a purpose other than that for which it was collected without informing them (e.g. for direct marketing or targeted online advertising).

2. Nearly 75% of Europeans say their approval should be required in all cases before any kind of personal information is collected and processed.

3. Overall, around half of Europeans are concerned about their behaviour being recorded via:

  • Payment cards: location and spending (EU 50% | UK 54%)
  • Mobile phone or mobile Internet: call content and geolocation (EU 50% | UK 48%)
  • Internet: browsing, downloading files, accessing content online (EU & UK 40%)
  • Private space: restaurants, bars, clubs, or offices (EU & UK 40%)
  • Public space: streets, subways, airports (EU 33% | UK 36%)
  • Store or loyalty cards: preferences, consumption and patterns (EU 40% | UK 36%)

The Symantec State of Privacy Report (2015) showed similar results on the topic of consumers’ trust in retailers to keep their data completely secure.

Symantec State of Privacy Report 2015

 

So what’s the big deal about GDPR?

Up to 4% of your annual turnover, if you don’t get it right!

1. Currently, all organisations in the UK that collect, process or store personal information must comply with the Data Protection Act 1998 (DPA), or face fines of up to £500,000 in the event of a data breach.
2. The DPA will soon be superseded by the EU General Data Protection Regulation (GDPR), which prescribes considerably greater penalties – up to 4% of annual global turnover or €20 million!

Now that I have your attention, let’s get to the nitty-gritty!

 

How does GDPR affect digital marketing for businesses?

Consent! Simply put, it’s all about what the individuals who provided you with their data consented to.

Consent means offering people genuine choice and control over how you use their data. (Source: ICO)

There’s nothing new about the basic concept of consent. Its definition and role are still similar to those in the DPA. However, the GDPR builds on the DPA standard of consent in several areas, setting a higher standard and containing much more detail.

DPA Vs GDPR consent definition

 

 

How does this affect me?

In hotel marketing, at multinationals like Hilton and IHG and at other large brands and organisations, user details may be shared across the group for various reasons: customer service, accounting, segmentation, profiling, omnichannel marketing, etc. Marketers will now need to ensure they are adhering to the legal guidelines for the processing of individuals’ personal data.

The processes for gaining consent must meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn.

These are explained as follows:

Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.

Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).

Granular: give granular options to consent separately to different types of processing wherever appropriate.

Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.

Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

 

So when can I send marketing emails?

Businesses and organisations can process personal data on a lawful basis for one of six different reasons. The criterion that matters most to marketers is the basis of legitimate interests.

If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit) unless this is outweighed by harm to the individual’s rights and interests.

and

The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interests.

This is the main basis on which marketers are allowed to send marketing emails and SMS texts.

Other criteria are:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task

 

Can I avoid this by not sending marketing emails until post-Brexit?

UK companies that process personal data about citizens in EU countries will need to comply with the GDPR, regardless of whether the UK retains the GDPR post-Brexit. If your activities are limited to the UK, it’s expected that post-Brexit the UK government will implement an equivalent or alternative legal mechanism.

GDPR presents a higher standard for data processing than that currently in place via the DPA. Therefore, it’s expected that the ICO will see this as an effective privacy standard, and a suitable baseline from which UK businesses can seek opportunities for continued access to the EU digital market.

 

What about my purchased email marketing lists?

Firstly, when it comes to email marketing best practice, it’s best not to use purchased lists. These do more damage than good. There are reasons reputable email marketing software providers prohibit third-party lists: purchased or rented lists, and lists scraped from third-party sources.

  1. Any valuable email addresses will not be available for sale
  2. People may have opted in to receive emails from the list purchasing company but not specifically your company
  3. These email addresses have poor overall performance: they damage your email deliverability and IP reputation, and bring higher bounce rates and higher complaint rates
  4. The people on that list have been emailed more often than desired (spammed) by hundreds of other people who may have bought the same lists
  5. They can leave you in a legal hotspot for non-compliance

Our recommendation is to start working on getting as many subscribers as possible opted in now. You can contact subscribers from purchased lists now, but the quality of these lists will drop tremendously once GDPR comes into effect and it’s likely you won’t be able to email these subscribers anymore.

 

What about emails collected at exhibitions, events and shows?

You need to be able to show a statement of the acquired consent, time, date and exhibition. Business cards collected in such scenarios are not an invitation to be marketed to and are not considered “provable consent”.

 

What about my existing signup list(s)?

The new GDPR standard does not apply only to subscribers who sign up after the law comes into effect. Marketers will need to make sure existing subscribers have given sufficient consent. This will result in a lot of brands and organisations emailing customers to confirm granular opted-in consent before the date.

J.D. Wetherspoons recently deleted its entire email database, estimated to be in excess of 656,723 subscribers. It’s not clear why, but with what’s at stake surrounding GDPR, it’s suspected the risk of being fined for failing to meet the standard was not worth taking.

 

If your database contains subscribers who haven’t consented according to the GDPR’s standards, or you can’t provide sufficient proof of consent, you may not be able to email those subscribers anymore.

 

What do you need to do NOW?

The biggest change is what needs to be done for consent mechanisms: you need clear and granular opt-in methods, good records of consent, and simple, easy-to-access ways for people to withdraw consent. This way consent is dynamic, grows organically and is actively managed.

There’s no simple solution as every organisation is different. These are our 5 tips on what to do.

  1. Sit down with the relevant teams: IT, marketing, customer service and sales
  2. Map the current processes for data collection, consent management, privacy policies and data sharing for marketing communications
  3. Map source, storage, data flows and data usage across current marketing channels
  4. Check compliance of any relevant suppliers
  5. Identify and update the required consent mechanisms
  6. Start working on getting existing customers to opt-in

Please note that the blog represents personal views of best-practice and doesn’t constitute legal advice.

If you need help implementing GDPR mechanisms, or other digital marketing tasks, we’re only a phone call away!

Watch out for our next blog, when we’ll be looking at GDPR best-practice for privacy notices and user experiences for acquiring consent. Follow us on Twitter and LinkedIn.