Many businesses hear ‘GDPR’ and think of a brewing storm.
Warnings issued. Existing structures reinforced…
Still. Despite all the preparation, there remains an air of restlessness.
That’s because clarification is often lacking. Questions like ‘what does this really mean?’ or ‘does this apply to me?’ are often left unanswered.
So, we’ve decided to help you clear the air on a list of cloudy topics.
Most businesses are keenly aware that stepping out of line can incur fines of up to €20,000,000 or 4% of annual turnover.
While its disciplinarian reputation precedes the GDPR, it doesn’t mean that you should despair. Exercising adequate caution and being able to demonstrate that all appropriate steps had been taken should put your business in pole position.
That said, getting ahead of the curve will require a pro-active approach. Consulting data security experts and integrating cutting-edge technology will most likely be necessary investments.
The GDPR also requires that all processing activities and details of consent are thoroughly documented. The documentation requirement applies retroactively too. Which means that you need to have a lawful basis to hold the personal data that you had collected pre-GDPR. If you cannot demonstrate auditable proof of consent, then those datasets need to be either destroyed or fully anonymised.
Businesses have already adopted a diverse array of tactics. Weatherspoons, for example, hit the ejection seat by deleting its entire email database. They reasoned that running promotional material on their social media platforms is both simpler and eliminates the risk of committing unintended infractions.
Other companies aren’t comfortable with such a scorch-the-earth method. So, how about asking for retroactive consent instead? Unfortunately, this has its pitfalls too.
Honda, for instance, tried to do right by its customers and sent out nearly 300,000 emails to retroactively ask for consent. Yet, having no demonstrable proof of consent for storing those addresses, the company was found in breach of the current national law, and the ICO levied a fine of £13,000.
It is clear that the EU’s data protection authority will check under everyone’s fingernails for unverifiable personal data. In order to avoid any potential issues, your best bet is to carry out a data protection impact assessment (DPIA), or some other form of risk assessment. If you make sure to do proper house cleaning before the end of May, you should be fine.
To get you started, we highly recommend checking out the ICO’s12-step guide.
The GDPR requires that “consent shall be presented… in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
In addition, the GDPR says that,
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…
In other words, you need to be buttoned up about your communication strategy. Not a problem, right?
Well, hold on to your hat just now, because there’s actually more.
The GDPR requires that you explain to your customers why and how you intend to use their data. On top of that, you need to give them the option to withdraw at any point.
You also need to provide the identity and contact information of the controller, the contact details of the data protection officer (if applicable), the purposes of the processing, the reference to the appropriate security measures that had been implemented by a third party in case data transfers take place…. and on it goes.
Providing all that information in a clear and plain language are contradictory requirements. As you try to balance these expectations against one another, it quickly becomes clear that obtaining consent is the new litmus test for ingenuity.
But you don’t have to go it alone. Customer experience and content professionals can help you determine and clearly articulate the purposes of your data collection. They can also help you define your target audience and align your goals with the best strategy to connect with them.
As the world’s first end-to-end content, activation and customer experience consultancy, we think that content should be purposefully, intentionally, strategically aligned with the customer journey.
We believe that the creative focus on ‘what matters to customers’ must be what matters to you.
In other words, customer content creates content customers. But this is not just our line of thinking. This approach to content customers is exactly what underlies the GDPR’s strict requirements.
Based on decades of experience and our forward-thinking approach, we consider bespoke content strategies to be our strong suit. And sharing that expertise with you is where we truly thrive.
If you’d like to know more, drop us a line. We’d love to sit down with you for a coffee and hash out your future GDPR-compliant consent strategy.
By now, many digital marketers can recite the following paragraph by heart:
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
This, in fact, is the GDPR’s ‘The right to object’ article. It tells you that when someone withdraws their consent from receiving promotional material, you must honour that request.
If you wonder, like we did, how marketers reacted to this when word first got out, just read the title of this 2015 article. Published in the Journal of Direct, Data and Digital Marketing Practice, the title reads, “What should UK and US marketers do to prepare for the biggest threat to business continuity for a decade?”
Don’t be spooked though. Sure, some marketers worry about a dire online advertising dystopia. However, this thinking fails to recognize two important factors. First, more rigour will inevitably lead to databases that are better organised. It follows that better data leads to better insights. So, your customer database may shrink, but your conversion rates are likely to rise.
Second, the number of customers who will not consent, or who will choose to withdraw their consent, may be vastly overestimated. The same way millions of people didn’t mind receiving grocery coupons in their physical mailbox, many people like and will continue to like receiving promotional material in their digital inbox.
If you request consent in a clear, transparent and honest language, and if you are clear about the purposes for which you collect data, then acquiring consent shouldn’t be as much of a headache as many marketers make it out to be.
‘Legitimate interest’ is one of the six lawful bases for collecting and processing personal data. In addition, Recital 47 of the GDPR states that,
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Many people have read Recital 47 and concluded that once a “relevant and appropriate relationship between the data subject and the controller” has been established, they should be home free. But the conclusion that no consent is necessary to send out marketing material does not hold water. And this is why.
The GDPR doesn’t exist in a vacuum.
There is another law that complements the EU’s data protection law. It is called the ePrivacy Directive and it regulates the privacy rights of individuals in electronic communication, including email, SMS, telephone, etc.
The UK adopted its own version of the EU’s ePrivacy Directive of 2002. The UK national law is called the Privacy and Electronic Communications Regulations (PECR).
When it comes to direct marketing, the current ePrivacy Directive takes precedence over the Data Protection Directive. In other words, the ePrivacy Directive’s remit is broader (see guide here).
This means that dictated by the higher standards of the ePrivacy law, you cannot send marketing messages to customers without having obtained their consent first.
The EU’s Data Protection Directive is being replaced by the GDPR. At the same time, the ePrivacy Directive will be replaced the ePrivacy Regulation. After these regulatory updates, the two laws will continue to work hand in glove. Together they will render the soft opt-in method of consent (i.e. pre-ticked boxes) unlawful.
In fact, Recital 32 of the GDPR downright states that,
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Since the new laws (GDPR and ePrivacy Regulation) will be regulations and not directives, EU member states won’t have to transpose them into national laws for them to apply. This means that come May 25, customers will have to actively opt in if they wish to concede their personal data and receive marketing material.
Now, let’s revisit the opening line of this section. At the beginning we said that,
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Knowing what we know about the ePrivacy law, this statement is now endowed with a very different meaning. The line should actually read something like this:
‘After you have already obtained your customers’ consent to send them direct marketing material as per the ePrivacy law, the GDPR allows you to legally process the personal data of your customers (again) in order to send them direct marketing material.’
In essence, saying that direct marketing is a legitimate interest is a superfluous statement – not a loophole. Which quickly brings us back to the crux of the GDPR. If you wish to toe the line and send direct marketing material to your customers, you will need to obtain their explicit consent.
We truly hope that you’ve found this three-part series helpful.
If you feel like continuing the conversation, and if you need help hashing out your content and consent strategy, get in touch with us. We’re always open to a chat and some coffee.
