On May 25th the General Data Protection Regulation (GDPR) comes into legal force and effect. The regulation replaces the Data Protection Directive (1995) and is set to have far-reaching impacts on individuals and organisations in all sectors globally.
One principal aim of GDPR is to increase protection for individuals’ personal data. What is personal data?
The Information Commissioner’s Office (ICO) defines it as “Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a range of personal identifiers including name, identification number, location data or online identifier.”
Guidance from institutions including the UK’s ICO identifies three areas where GDPR will impact digital marketing: consent, data access and data processing.
GDPR’s impact on obtaining consent
Under GDPR, methods digital marketers use to obtain consent will be held to a much higher standard. Changes include:
- Active opt-in – Consent will require a positive opt-in through clear affirmative action. Pre-ticked boxes, for example, will no longer be compliant
- Granular – Individuals should get as much detail as possible on what their data will be processed for. Best practice will be to let individuals withdraw consent for each distinct processing activity. Blanket consent will not be compliant
- Unbundling – Consent requests must be separated from terms and conditions
- Not a precondition of service – Consent should not be a precondition of signing up to a service unless necessary, such as for a newspaper subscription
- Named – It should be clear to the individual who will be processing their data, including any third parties
These changes don’t just apply to consent received after May 25th. Any marketing campaign using personal data procured in the past will need to meet them too.
GDPR consent statement examples
If you are interested in examples of consent forms, I recommend reading Ben Davis’ article GDPR: 10 examples of best practice UX for obtaining marketing consent.
Consent within communications
Most of the discussion around consent and GDPR focuses on email marketing, but it’s relevant to other channels too.
Take social media. Any marketer using a tool such as Facebook Custom Audiences will need separate consent from the individual for their email address to be used for promoted social media posts.
GDPR’s impact on data access
Under GDPR, it will be easier for individuals to withdraw their consent for data processing. In practice this means:
“Telling people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.” – ICO
Under GDPR individuals have a right to access any data you hold on them too. This includes when, how and to what they consented, plus the data you hold.
These changes make the customer relationship management (CRM) platforms digital marketers use crucial. The data these platforms hold will be central to undertaking Privacy Impact Assessments (PIAs) – something large organisations will be expected to undertake under GDPR.
GDPR’s impact on data processing
The final area GDPR is set to impact digital marketing is data processing. Digital marketers will only be able to process the data they really need, and will need a legal justification for why the personal data they’ve collected is being processed.
In a blog post on the topic, Steve MacDonald explains why this isn’t as bad as it sounds. He says that marketers “need to focus on the data you need, and stop asking for the ‘nice to haves’.”
Indeed, 42% of B2B marketers believe that a lack of quality data is the biggest barrier to lead generation. Focusing on the data that really matters should be beneficial for both digital marketers and individuals.
Penalties for non-compliance
Digital marketers cannot afford to ignore GDPR, as the regulation includes heavy punishments, with fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
In advance of GDPR, the ICO, the UK authority charged with implementing and policing the regulation, has already shown a willingness to punish those who break the rules.
In March 2017, it fined Honda and Flybe a combined total of £83,000 for sending emails to individuals without the appropriate consent, breaching Privacy and Electronic Communication Regulations (PECR).
In conclusion, it’s easy for marketers to feel overwhelmed by GDPR, and this isn’t helped by exaggerated statements made by media outlets.
A personal favourite being The Sun’s headline “Builders, cleaners and gardeners could face huge fines just for sending an EMAIL to drum up business thanks to draconian EU laws on data protection.”
The reality is that most of the requirements GDPR details are already marketing best practice. Any organisation that wants to be customer-focused should see these changes as an opportunity to build even better customer relationships, built on transparency and trust.