The new General Data Protection Regulation (GDPR) will be passed in May 2016 and enforceable May 2018. It legislates how you manage, protect and administer marketing data. Here are some answers to key questions…
(On Friday 24 June 2016 the UK voted to leave the EU. See my post on the DMA website for more information, 3 reasons I’m still implementing my GDPR plan)
1. Does the GDPR apply to my company?
Almost certainly Yes. The size of your organisation is irrelevant, you must comply with the new law no matter how many people you employ. It also affects organisations outside of the EU. If your data includes EU citizens then the GDPR applies to you.
2. Does the law apply after Brexit?
Yes. The government have incorporated the GDPR into UK law.
3. What’s the difference between the GDPR and ePrivacy law?
GDPR covers the storage (and processing) of customer or prospect data. The new ePrivacy law (which replaces the Privacy & Electronic Communications Regulations) will determine whether you can contact customers or prospects by email, telephone, text or other electronic marketing channels.
4. Does this affect my customers and prospects?
The new rules regarding the security of data affect both existing customers and prospects. If you use automated decision-making (e.g. an algorithm to rank customers) then you need explicit consent from both customers and prospects for that process.
However, the need for consent (opt-in) to process data applies broadly to prospects only – but if a customer has purchased a product from one division of your company, do not assume you have consent to process their data on behalf of another division of your firm (soft opt-in).
You can use ‘legitimate interest’ to process prospect data, but more on that later.
5. What happens if I don’t comply with the new law?
In the UK you will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of global turnover.
It’s a fact the ICO are increasing their staff numbers in preparation for the GDPR, so don’t assume they will not have the resources. During 2015/16, they issued £2.5m worth of fines.
List of organisations fined by the ICO, April 2015 – April 2016:
- FEP Heatcare Ltd, 17 March 2016, fined £180,000
- David Lammy MP, 10 March 2016, fined £5,000
- Prodial Ltd, 29 February 2016, fined £350,000
- Direct Security Marketing Ltd, 17 February 2016, fined £70,000
- MyIML, 17 February 2016, fined £80,000
- Telegraph Media Group, 21 December 2015, fined £30,000
- Telecom Protection Service Ltd, 25 November 2015, fined £80,000
- Nuisance Call Blocker Ltd, 25 November 2015, fined £90,000
- UKMS Money Solutions Ltd, 23 November 2015, fined £80,000
- Oxygen Ltd, 10 November 2015, fined £120,000
- The Crown Prosecution Service, 04 November 2015, fined £200,000
- Help Direct UK Ltd, 27 October 2015, fined £200,000
- Pharmacy2U Ltd, 20 October 2015, fined £130,000
- Home Energy & Lifestyle Management Ltd (HELM), 30 September 2015, fined £200,000
- Cold Call Elimination Ltd, 16 September 2015, fined £75,000
- The Money Shop, 06 August 2015, fined £180,000
- South Wales Police, 18 May 2015, fined £160,000
- Direct Assist Ltd, 01 April 2015, fined £80,000
6. Does the GDPR apply to B2B marketing?
You bet. The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal. However, GDPR is linked to another new law called the ePrivacy Regulation (ePR).
ePR will define whether a work email address, work direct dial number, and other work-related electronic communication requires consent.
At the time of writing the ePR has not been finalised.
7. OK, so how do I ensure my marketing is legal?
The GDPR changes marketing permission from a broadly opt-out system to a broadly opt-in rule.
Opt-in consent needs to be unambiguous for most data, and explicit for sensitive data*. Basically, your prospects need to be clear that you will store and process their data and why you are doing it.
Consent cannot be implied by inaction but must be the result of positive action by individuals. Soft opt-in may apply in some circumstances. You can use soft opt-in if all the following apply…
- they are an existing customer
- the messages are marketing similar products or services to the ones they have already bought; and
- they were given a simple opportunity to refuse marketing (unsubscribe) when their details were collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
As outlined in Question 4 above, do not assume consent. John Lewis Plc assumed they had soft opt-in from a customer for marketing messages sent by their sister company Waitrose. They were wrong. The details of the County Court Judgement are at John Lewis Plc vs Mansfield.
8. I’ve heard about the ‘Right to be Forgotten’, what is it?
The Right to be Forgotten (or Right to Erasure) enables individuals to request the erasure of their data from your CRM in certain circumstances. This right already exists in relation to search engines and there are many cases that involve Google (just search ‘Google Right to be Forgotten’).
Under the GDPR you do not have to erase the personal information if you need it for accounting, tax or other regulatory purposes.
You also need to consider whether data should be erased entirely or if some data should be added to your in-house suppression file. If you delete it entirely you run the risk of inadvertently adding the individual back into your database; the very thing they were seeking to prevent.
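The erase-then-suppress pattern described above, as an added illustration (this is not code from the original post; the CRM records, e-mail addresses and function names are constructed for the example). The erasure request removes the CRM record, but the suppression file keeps only a keyed hash of the normalised address, so a later list import can recognise and skip the person without the suppression file itself becoming a second copy of their details:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample CRM (not real data): email -> record.
CRM = {
    "alice@example.org": {"name": "Alice", "marketing_consent": True},
    "bob@example.org": {"name": "Bob", "marketing_consent": True},
}


def normalise(email: str) -> str:
    """Canonical form so 'Alice@Example.org' and 'alice@example.org' match."""
    return email.strip().lower()


@dataclass
class SuppressionList:
    """In-house suppression file.

    Holds an HMAC-SHA256 of each erased address under a secret key rather
    than the address itself: without the key the entries cannot be turned
    back into a mailing list by simply hashing a dictionary of addresses.
    (This is pseudonymisation, not anonymisation; the key must be protected.)
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    hashes: set = field(default_factory=set)

    def _digest(self, email: str) -> str:
        return hmac.new(self.key, normalise(email).encode(), hashlib.sha256).hexdigest()

    def add(self, email: str) -> None:
        self.hashes.add(self._digest(email))

    def contains(self, email: str) -> bool:
        return self._digest(email) in self.hashes


def handle_erasure_request(crm: dict, suppression: SuppressionList, email: str) -> bool:
    """Erase the CRM record and record the request in the suppression file.

    Returns True if a record was actually removed. The suppression entry is
    added even when no record exists, so a later import cannot re-add them.
    """
    removed = crm.pop(normalise(email), None) is not None
    suppression.add(email)
    return removed


def import_prospects(crm: dict, suppression: SuppressionList, incoming: list) -> tuple:
    """Load a new prospect list, skipping anyone who asked to be erased.

    Returns (added, skipped) as lists of normalised addresses.
    """
    added, skipped = [], []
    for rec in incoming:
        email = normalise(rec["email"])
        if suppression.contains(email):
            skipped.append(email)  # they asked to be forgotten: do not re-add
            continue
        crm.setdefault(email, {
            "name": rec["name"],
            "marketing_consent": rec.get("marketing_consent", False),
        })
        added.append(email)
    return added, skipped


if __name__ == "__main__":
    crm = {k: dict(v) for k, v in CRM.items()}
    sup = SuppressionList()
    handle_erasure_request(crm, sup, "Alice@Example.org")
    # A bought-in list that still contains Alice: she is skipped, Carol is added.
    print(import_prospects(crm, sup, [
        {"email": "ALICE@example.org", "name": "Alice"},
        {"email": "carol@example.org", "name": "Carol"},
    ]))
```

The suppression check runs on every import path (bought-in lists, web forms, CRM merges), not just the one that originally held the record; a deleted row with no suppression entry is exactly the situation the paragraph above warns about.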
9. What is ‘profiling’ and what do I need to do about it?
The GDPR defines profiling as “automated processing on personal data” – I prefer to call it automated decision-making. It’s the use of an algorithm for analysing customer or prospect data and taking action as a result.
For example, profiling could assess the likelihood for an individual to purchase a certain product, to behave in a certain way, or to be at a certain location.
The GDPR states you must have explicit consent from prospects to perform automated decision-making. However, they cannot opt out if profiling is necessary for a contract between them and your organisation.
The Regulation clearly identifies on-line credit scoring and e-recruitment assessments without human intervention as having a legal effect or significantly affecting individuals – so tread carefully if you are in the finance or recruitment sectors.
10. What is legitimate interest?
If you are unable to get consent from a prospective customer you may be able to use ‘legitimate interest’. Legitimate interest means you can store and process a prospect’s data without them ticking a box or giving permission verbally. But tread carefully.
Before you store prospect data you must perform a Legitimate Interest Assessment. This is a test which balances your desire to process their data with their desire for privacy. You should keep a copy of the results of your Assessment as evidence you have made a balanced decision.
But should the ICO decide you have not proved your Legitimate Interest you could lose contact with all those prospects. Getting unambiguous consent is my preferred route. Permission marketing rules!
* Sensitive data is racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.
This post is part of a series about the General Data Protection Regulation; the full list of posts includes ‘How Brexit impacts marketing data in the UK’ | ‘3 tips: Steal my GDPR plan’ | ‘The GDPR became law yesterday… and nobody cared’ | ‘Get ready for Data Protection ambulance chasers’ | ‘10 Must-know facts about the new EU data law’ | ‘Want prospects to opt-in? Call them’ | ‘You don’t need ‘opt-in’ to store a switchboard number’ | ‘What can these guys teach you about opt-in marketing?’ | ‘How content marketing will change after 2018’ | ‘Winning Edge: Counter a direct threat’