The new General Data Protection Regulation (GDPR) was passed in May 2016 and becomes enforceable on 25 May 2018. It legislates how you collect, manage, protect and administer personal data, marketing data included. Here are some answers to key questions…
(On Friday 24 June 2016 the UK voted to leave the EU. See my post on the DMA website for more information, 3 reasons I’m still implementing my GDPR plan)
1. Does the GDPR apply to my company?
Almost certainly yes. The size of your organisation is irrelevant; you must comply with the new law no matter how many people you employ. It also reaches organisations outside the EU: if you offer goods or services to, or monitor the behaviour of, individuals in the EU, the GDPR applies to you wherever you are based. Note that the test is where the individuals are, not their citizenship.
2. Does the law apply after Brexit?
Yes. The government have incorporated the GDPR into UK law.
3. Does this affect my customers and prospects?
The new rules on the security of data affect both existing customers and prospects. If you make decisions based solely on automated processing that have a legal or similarly significant effect on people (for example an algorithm that ranks customers and decides what they are offered), you need explicit consent from customers and prospects alike, unless the processing is necessary for a contract with them or is required by law.
However, the need for consent (opt-in) to send marketing messages applies broadly to prospects only – but if a customer has purchased a product from one division of your company, do not assume you have consent to send them marketing from another division of your firm.
You can also rely on ‘legitimate interest’ to contact prospects, but more on that later.
4. What happens if I don’t comply with the new law?
In the UK you will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of global annual turnover, whichever is higher.
It’s a fact the ICO are increasing their staff numbers in preparation for the GDPR, so don’t assume they don’t have the resources. During 2015/16 they issued £2.5m worth of fines, and that was under the existing Data Protection Act 1998 and PECR, where a single penalty is capped at £500,000.
List of organisations fined by the ICO April 2015 – April 2016
FEP Heatcare Ltd, 17 March 2016, fined £180,000
David Lammy MP, 10 March 2016, fined £5,000
Prodial Ltd, 29 February 2016, fined £350,000
Direct Security Marketing Ltd, 17 February 2016, fined £70,000
MyIML, 17 February 2016, fined £80,000
Telegraph Media Group, 21 December 2015, fined £30,000
Telecom Protection Service Ltd, 25 November 2015, fined £80,000
Nuisance Call Blocker Ltd, 25 November 2015, fined £90,000
UKMS Money Solutions Ltd, 23 November 2015, fined £80,000
Oxygen Ltd, 10 November 2015, fined £120,000
The Crown Prosecution Service, 04 November 2015, fined £200,000
Help Direct UK Ltd, 27 October 2015, fined £200,000
Pharmacy2U Ltd, 20 October 2015, fined £130,000
Home Energy & Lifestyle Management Ltd (HELM), 30 September 2015, fined £200,000
Cold Call Elimination Ltd, 16 September 2015, fined £75,000
The Money Shop, 06 August 2015, fined £180,000
South Wales Police, 18 May 2015, fined £160,000
Direct Assist Ltd, 01 April 2015, fined £80,000
5. Does the GDPR apply to B2B marketing?
You bet. The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal. However, GDPR is linked to another new law called the ePrivacy Regulation (ePR).
ePR will define whether a work email address, work direct dial number, and other work-related electronic communication requires consent.
At the time of writing the ePR has not been finalised.
6. OK, so how do I ensure my marketing is legal?
The GDPR changes marketing consent from a broadly opt-out system to a broadly opt-in rule. The notes below explain how each of the main channels is affected.
At the moment it seems that email and text messaging will require opt-in from prospects (both B2C and B2B). Consent needs to be unambiguous for most data, and explicit for sensitive (special category) data. Put simply, your prospects need to be clear what they are agreeing to receive from your marketing department.
Consent cannot be implied by inaction; it must be the result of a positive action by the individual, so a pre-ticked box does not count. Soft opt-in (which comes from the existing PECR rules for email and text, not from the GDPR itself) may apply in some circumstances. You can use soft opt-in only if all of the following apply…
- they are an existing customer
- the messages are marketing similar products or services to the ones they have already bought; and
- they were given a simple opportunity to refuse marketing (unsubscribe) when their details were collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
It is likely that ePR will keep direct mail and telemarketing an opt-out system – but you must check the person is not listed on the MPS or TPS lists.
As outlined in Question 3 above, do not assume consent. John Lewis Plc assumed they had consent because a customer had given soft opt-in for marketing messages from their sister company Waitrose. They were wrong. The details of the County Court judgment are in the case reported as John Lewis Plc vs Mansfield.
7. What about B2B telemarketing?
Although B2B telemarketing remains opt-out, you will still need to check the telephone numbers in your CRM against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers. However, if someone consents to your telemarketing you can call them regardless of whether they are on the TPS or CTPS lists.
Don’t make the mistake of thinking that TPS is just for consumers and therefore does not apply to B2B telemarketing – sole traders and partnerships are on the TPS list, as well as the personal mobile phone numbers of many executives.
8. I’ve heard about the ‘Right to be Forgotten’, what is it?
The Right to be Forgotten (or Right to Erasure) enables individuals to request the erasure of their data from your CRM in certain circumstances. This right already exists in relation to search engines and there are many cases that involve Google (just search ‘Google Right to be Forgotten’).
Under the GDPR you do not have to erase personal information that you need to keep to meet a legal obligation, for example for accounting, tax or other regulatory purposes.
You also need to consider whether data should be erased or simply added to your in-house suppression file. If you delete it entirely you run the risk of inadvertently sending individuals further marketing in the future; the very thing they were seeking to prevent.
9. What is ‘profiling’ and what do I need to do about it?
The GDPR defines profiling as “any form of automated processing of personal data” used to evaluate personal aspects of an individual – I prefer to call it automated decision-making. In practice it is the use of an algorithm to analyse customer or prospect data.
For example, profiling could assess the likelihood for an individual to purchase a certain product, to behave in a certain way, or to be at a certain location.
The GDPR gives individuals the right not to be subject to a decision based solely on automated processing where that decision has a legal or similarly significant effect on them. You can only make such decisions with their explicit consent, where the processing is necessary for a contract between them and your organisation, or where the law authorises it – and in the contract case they cannot simply opt out, though they can still ask for human review.
The Regulation clearly identifies on-line credit scoring and e-recruitment assessments without human intervention as having a legal effect or significantly affecting individuals – so tread carefully.
10. What is legitimate interest?
If you are unable to get consent from a prospective customer you may be able to use ‘legitimate interest’ as a justification to contact them. But tread carefully.
Before you contact them you must perform a Legitimate Interest Assessment. This is a test which balances your reason for contacting them against their reasonable expectations and their right to privacy. Keep a copy of the results of your Assessment so you can show it to prospects, customers or the ICO. Remember too that individuals have an absolute right to object to direct marketing, so you must stop as soon as they ask.
But should the ICO decide you have not proved you have a Legitimate Interest you could lose contact with all those individuals. Getting unambiguous consent is my preferred route. Permission marketing rules!
This post is part of a series about the General Data Protection Regulation; the full list of posts include ‘How Brexit impacts marketing data in the UK‘ | ‘3 tips: Steal my GDPR plan‘ | ‘The GDPR became law yesterday… and nobody cared‘ | ‘Get ready for Data Protection ambulance chasers‘ | ‘10 Must-know facts about the new EU data law‘ | ‘Want prospects to opt-in? Call them‘ | ‘You don’t need ‘opt-in’ to store a switchboard number‘ | ‘What can these guys teach you about opt-in marketing?‘ | ‘How content marketing will change after 2018‘ | ‘Winning Edge: Counter a direct threat‘