The new General Data Protection Regulation (GDPR) was passed in May 2016 and will be enforceable May 2018. It legislates how you manage, protect and administer marketing data. Here are some answers to key questions…
(On Friday 24 June 2016 the UK voted to leave the EU. See my post on the DMA website, ‘3 reasons I’m still implementing my GDPR plan’, for more information.)
1. Does the GDPR apply to my company?
Almost certainly Yes. The size of your organisation is irrelevant, you must comply with the new law no matter how many people you employ. It also affects organisations outside of the EU. If your data includes EU citizens then the GDPR applies to you.
2. What if the UK leaves the EU?
We’re talking BREXIT. So if the UK voted to leave the EU it would still need some form of trading relationship with our continental cousins. Guess what? Data protection would be a big part of that relationship, and remember the GDPR applies to organisations outside of the EU. In reality, BREXIT or not, you need to get to grips with the GDPR.
3. Does this affect my customers and prospects?
The new rules regarding the security of data affect both existing customers and prospects. The way in which you process data (e.g. automated decision making) also affects both customers and prospects.
However, the need for consent (opt-in) to send marketing messages applies broadly to prospects only – but if a customer has purchased a product from one division of your company, do not assume you have consent to send them marketing from another division of your firm.
4. What happens if I don’t comply with the new law?
In the UK you will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of global turnover.
It’s a fact the ICO is increasing its staff numbers in preparation for the GDPR, so don’t assume they lack the resources. In the last 12 months they have issued £2.5m worth of fines; see the list below.
List of organisations fined by the ICO, April 2015 – April 2016:
FEP Heatcare Ltd, 17 March 2016, fined £180,000
David Lammy MP, 10 March 2016, fined £5,000
Prodial Ltd, 29 February 2016, fined £350,000
Direct Security Marketing Ltd, 17 February 2016, fined £70,000
MyIML, 17 February 2016, fined £80,000
Telegraph Media Group, 21 December 2015, fined £30,000
Telecom Protection Service Ltd, 25 November 2015, fined £80,000
Nuisance Call Blocker Ltd, 25 November 2015, fined £90,000
UKMS Money Solutions Ltd, 23 November 2015, fined £80,000
Oxygen Ltd, 10 November 2015, fined £120,000
The Crown Prosecution Service, 04 November 2015, fined £200,000
Help Direct UK Ltd, 27 October 2015, fined £200,000
Pharmacy2U Ltd, 20 October 2015, fined £130,000
Home Energy & Lifestyle Management Ltd (HELM), 30 September 2015, fined £200,000
Cold Call Elimination Ltd, 16 September 2015, fined £75,000
The Money Shop, 06 August 2015, fined £180,000
South Wales Police, 18 May 2015, fined £160,000
Direct Assist Ltd, 01 April 2015, fined £80,000
5. Does the GDPR apply to B2B marketing?
You bet. The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal. So that would include a work email address, a work direct-dial number, a person’s name, job title and workplace postal address.
6. OK, so how do I ensure my marketing is legal?
The GDPR changes marketing consent from a broadly opt-out system to a broadly opt-in rule. The chart below explains how each of the main channels is affected. You need to consider the ‘legitimate interest’ option, and that is why telemarketing and direct mail are marked as ‘opt-out’. More about legitimate interest in a future blog post.
Marketing consent (opt-in) needs to be unambiguous. Basically, your prospects need to be clear what they are agreeing to receive from your marketing department.
Consent cannot be implied by inaction, but must be the result of a positive action by individuals. Soft opt-in may apply in some circumstances, but it’s better to be safe than sorry.
As outlined in Question 3 above, do not assume consent. John Lewis Plc assumed they had consent because a customer gave soft opt-in for marketing messages from their sister company Waitrose. They were wrong. The details of the County Court Judgement are at John Lewis Plc vs Mansfield.
7. What about B2B telemarketing?
Although B2B telemarketing is marked as opt-out, you will still need to check the telephone numbers in your CRM against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers. However, if someone consents to your telemarketing you can call them regardless of whether they are on the TPS or CTPS lists.
Don’t make the mistake of thinking that TPS is just for consumers and therefore does not apply to B2B telemarketing – sole traders and partnerships are on the TPS list, as well as the personal mobile phone numbers of many executives.
8. I’ve heard about the ‘Right to be Forgotten’, what is it?
The Right to be Forgotten (or Right to Erasure) enables individuals to request the erasure of their data from your CRM in certain circumstances. This right already exists in relation to search engines and there are many cases that involve Google (just search ‘Google Right to be Forgotten’).
Under the GDPR you do not have to erase the personal information if you need it for accounting, tax or other regulatory purposes.
You also need to consider whether data should be erased or simply added to your in-house suppression file. If you delete it entirely you run the risk of inadvertently sending individuals further marketing in the future; the very thing they were seeking to prevent.
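The following is an added worked example, not code from the original post, showing how the checks in questions 3, 6, 7 and 8 fit together in one screening routine: email marketing needs a recorded opt-in for that channel and that division (consent for one division does not carry over to another), B2B telemarketing is opt-out so numbers on the TPS or CTPS registers are blocked unless the person has consented to calls, and an in-house suppression file blocks every channel so that an erased contact cannot be re-marketed if their details are re-imported later. Everything below is assumed for illustration: the suppression file stores SHA-256 hashes of normalised identifiers rather than the details themselves (a design choice, not something the post prescribes), phone normalisation handles UK numbers only, and the contacts, numbers (Ofcom’s fictional ranges) and division names are constructed.

```python
"""Marketing contact screening: consent per channel and division, TPS/CTPS
checks for telemarketing, and a hashed in-house suppression file.
Added example; all data below is constructed for illustration."""
import hashlib
import re
from dataclasses import dataclass, field


def normalise_phone(number: str) -> str:
    """Canonical digit string for a UK number: '020 7946 0000' -> '442079460000'.
    Assumption: UK numbers only (the national '0' prefix becomes '44')."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


def normalise_email(email: str) -> str:
    return email.strip().lower()


def suppression_key(identifier: str) -> str:
    """Hash the normalised identifier so the suppression file holds no readable
    personal data, while still matching a record that is re-imported later."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


class SuppressionFile:
    """In-house suppression list keyed by hashed email addresses and phone numbers."""

    def __init__(self):
        self._keys = set()

    def add(self, identifier):
        self._keys.add(suppression_key(identifier))

    def __contains__(self, identifier):
        return suppression_key(identifier) in self._keys


@dataclass
class Contact:
    name: str
    email: str
    phone: str
    # Consent is recorded per (channel, division): consent given to one
    # division of the company does not carry over to another.
    consents: set = field(default_factory=set)


def screen_contact(contact, channel, division, tps, ctps, suppression):
    """Return (allowed, reason) for marketing `contact` on `channel` for `division`.
    `tps` and `ctps` are sets of normalised numbers; `suppression` is a SuppressionFile."""
    email = normalise_email(contact.email)
    phone = normalise_phone(contact.phone)

    # Suppression wins over everything, including recorded consent: the person
    # asked not to be contacted, and deleting their row outright would lose that.
    if email in suppression or phone in suppression:
        return False, "on in-house suppression file"

    consented = (channel, division) in contact.consents
    if channel == "email":
        if consented:
            return True, "opt-in recorded for this channel and division"
        return False, "email marketing requires opt-in consent"

    if channel == "telemarketing":
        if consented:
            return True, "consent to calls overrides TPS/CTPS registration"
        if phone in tps:
            return False, "number registered on TPS"
        if phone in ctps:
            return False, "number registered on CTPS"
        return True, "opt-out channel: not registered, no objection recorded"

    return False, "unknown channel: " + channel


# Constructed sample registers and contacts (fictional 020 7946 0xxx / 07700 900xxx ranges).
TPS = {normalise_phone("07700 900123")}
CTPS = {normalise_phone("020 7946 0100")}
SUPPRESSION = SuppressionFile()
SUPPRESSION.add(normalise_email("erased@example.com"))  # erasure request received

CONTACTS = {
    "alice": Contact("Alice", "alice@example.com", "020 7946 0001",
                     consents={("email", "division-a")}),
    "bob": Contact("Bob", "bob@example.com", "07700 900123",
                   consents={("telemarketing", "division-a")}),
    "carol": Contact("Carol", "carol@example.com", "020 7946 0100"),
    "dave": Contact("Dave", "Erased@Example.com", "020 7946 0002",
                    consents={("email", "division-a"), ("telemarketing", "division-a")}),
}


def run_checks():
    """Screen each sample case; returns {(name, channel, division): (allowed, reason)}."""
    cases = [
        ("alice", "email", "division-a"),        # opted in to this division: allowed
        ("alice", "email", "division-b"),        # consent does not transfer: blocked
        ("bob", "telemarketing", "division-a"),  # on TPS but consented to calls: allowed
        ("carol", "telemarketing", "division-a"),  # on CTPS, no consent: blocked
        ("dave", "email", "division-a"),         # suppressed, consent irrelevant: blocked
    ]
    return {(n, ch, d): screen_contact(CONTACTS[n], ch, d, TPS, CTPS, SUPPRESSION)
            for n, ch, d in cases}


if __name__ == "__main__":
    for key, (allowed, reason) in run_checks().items():
        print(key, "ALLOW" if allowed else "BLOCK", "-", reason)
```

Two points the code makes explicit that the prose only implies: the suppression check runs before any consent check, so a later re-import of the same person with a stale “consented” flag still cannot be marketed, and the telemarketing branch returns a reason string rather than a bare boolean, so the CRM can record why a number was allowed under the opt-out rule when the legitimate-interest assessment is reviewed.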
9. What is ‘profiling’ and what do I need to do about it?
The GDPR defines profiling as “automated processing on personal data” – I prefer to call it automated decision making. It’s the use of an algorithm for analysis of customer or prospect data.
For example, profiling could assess the likelihood for an individual to purchase a certain product, to behave in a certain way, or to be at a certain location.
The GDPR gives individuals the right to opt out from profiling for direct marketing purposes. However, they cannot opt out if profiling is necessary for a contract between them and your organisation.
The Regulation clearly identifies online credit scoring and e-recruitment assessments without human intervention as having a legal effect or significantly affecting individuals – so tread carefully.
10. Do I need to appoint a Data Protection Officer?
If your core activity involves “regular and systematic monitoring of data subjects on a large scale” then you need a Data Protection Officer (DPO). But given that most modern organisations hold tonnes of data on prospects and customers that probably applies to every UK firm. Note it has nothing to do with how many people you employ.
You can appoint a member of staff as your DPO or an external consultant. The DPO should have “expert knowledge of data protection law and practices”, is responsible for GDPR compliance, advises the organisation of its obligations and is the contact point for enquiries from the ICO or requests from individuals.
This post is part of a series about the General Data Protection Regulation; the full list of posts includes ‘How Brexit impacts marketing data in the UK’ | ‘3 tips: Steal my GDPR plan’ | ‘The GDPR became law yesterday… and nobody cared’ | ‘Get ready for Data Protection ambulance chasers’ | ‘10 Must-know facts about the new EU data law’ | ‘Want prospects to opt-in? Call them’ | ‘You don’t need ‘opt-in’ to store a switchboard number’ | ‘What can these guys teach you about opt-in marketing?’ | ‘How content marketing will change after 2018’ | ‘Winning Edge: Counter a direct threat’