There are plenty of myths being circulated about GDPR. For an SME director some of this looks incredibly frightening. Here we try to offer a sensible, reasonable approach to the new legislation by considering 5 basic questions. We are not lawyers, so this blog isn’t intended to be legal advice, but instead is a starting place for a small business owner to get the basic principles right in practice for their future marketing. There are other strands of GDPR around HR and employee data, and there are some steps that could involve tightening up your IT and data security systems. These are not covered in this blog.
The General Data Protection Regulation comes into effect on 25th May and it applies to any business that deals with customers or prospective customers anywhere in the EU. There are large fines threatened for companies that don’t comply with the new rules. Whatever the outcome of Brexit, this legislation will apply to UK businesses.
It was intended to put an end to marketing abuse of personal data, for example by unscrupulous companies that bombard people with unwanted telephone calls, emails and text messages or those companies that disregard the existing protection offered by, for example, the Telephone Preference Service.
Companies that sell B2B are not outside the scope of the legislation. There is a lot of confusion about what actually constitutes personal data but, at present, the legislation treats a business email address that identifies an individual as personal data. For example, firstname.lastname@example.org isn’t personal data but email@example.com is classed as personal data. Other personal data could include the home address of a business run from the owner’s home, or a business owner’s mobile phone number used as a business contact number.
Some GDPR compliance issues will take time to implement, so if you haven’t already started on this, now is the time to get to work.
Marketing Week magazine* asked two experts in the field for their views on what marketers should be prioritising right now, to stand the best chance of being compliant by the deadline.
1. Have you done a data audit?
First, you need to document all the data your business holds, how it’s obtained and what your business uses it for.
“The first thing that we would recommend would be to examine your data flows,” says John Mitchison, director of policy and compliance at the Direct Marketing Association. “This kind of data audit is often a bit of an eye-opener to organisations because there are always third parties, legacy systems or bits of data whizzing around that not everybody knows about.”
This is also key for Steffan Aquarone, trainer at Marketing Week’s sister brand Econsultancy, who runs training sessions explaining the fundamentals of the new law. He says: “I would look at all those different touchpoints where you are gathering personally identifiable information and map them out in a flow diagram. Even IP addresses are identifiable data, so it’s basically anywhere a customer is identifiable to you.”
Once this map is drawn out, companies need to decide which data processing activities they intend to carry out, and which legal basis they will use to justify them. For most marketing, there are two relevant legal bases specified by GDPR – consent and legitimate interests – and whichever you choose, you need to document and be able to justify your reasons for processing data on a customer-by-customer basis.
The decision of which legal basis to use is fundamental. Once you have made it, it is highly unlikely it can be changed, and Mitchison even suggests that “if you have been using consent up until now, you are going to have to continue going down that route”.
2. Is consent the right course?
“Everyone thinks about GDPR as being about consent and processing,” says Aquarone, but in his opinion there are two priorities in this area, should you choose it as your basis for using consumers’ data. “The specific places you should be thinking about are the consent on your website upon loading and the consent on any forms, including those paper documents that people fill in in the real world.”
Ensuring these are compliant now – in advance of GDPR coming into force – will mean any new user data acquired in the next three months should be compliant with the regulation.
GDPR requires that the consent given for data processing – including for marketing purposes – be “freely given, specific, informed and unambiguous”. This means many companies will have to be more detailed in their explanations of what they plan to do with personal data and that consent must be signalled by a clear, affirmative action (rather than simply not opting out or relying on a tick box option). In practice that will mean deleting data that has been bought as a list from another organisation, as proper consent will not have been obtained for your particular company to contact people on these lists.
According to Mitchison: “If your consent is of a good quality and a high standard – if what you have been collecting over time fulfils the requirements of GDPR – then that’s fine. You can pretty much continue doing what you are doing. If it doesn’t, you may have to go through a refresh process to bring that data up to the right standard.”
However, Aquarone believes there is no need to contact everyone in a database and request new consent. “I would not bother doing reconsenting at all – of anything, anywhere. I would bin a certain category of data that you know is a bit iffy,” he says, referring particularly to third-party lists of unknown origin.
Beyond that, if your recent data is compliant, you can then take a view on whether previously collected data has adequate permissions attached. If not, there could be value and justification in recontacting older customers to ask if they are willing for their data still to be used.
3. What are your ‘legitimate interests’?
Consent may not always be the best legal basis for data processing; indeed Mitchison goes so far as to say “legitimate interests should be your first choice, and only if you decide you can’t really use legitimate interests should you move to consent”. Essentially, this is a business’s right to carry out commercial activities such as direct marketing.
The requirements of using this legal basis are that you have a relationship with the consumer, and that they would reasonably expect you to carry out the specific kinds of data processing you are employing. “That doesn’t necessarily mean they’re a customer – they might just have an account on your website or entered into negotiations,” says Mitchison.
However, legitimate interests are not a “get out of jail free card”, Mitchison adds. Businesses must perform a balancing test, weighing their rights with those of the consumer, and legitimate interests can be relied upon only if you haven’t already asked consumers for consent. The data processing also has to be necessary – in other words, you can’t achieve the same result in a less intrusive way.
Aquarone warns: “I would be cautious about this because it’s not good for people to think ‘why am I getting this [piece of marketing]?’ That’s always worth avoiding.”
4. How sensitive is your consumer profiling?
For most SMEs, customer profiles (or marketing segments) are not very complicated. “If you’re doing something straightforward like segmenting your file based on the consumer’s age, what they have bought in the past or where they live in the country, that’s fine – you can explain that very simply,” says Mitchison.
Aquarone’s more specific suggestion is that, “if the number of buckets of customers you’re segmenting is equal to or less than the number of different product permutations you offer, then you don’t need to worry too much” about getting consent.
However, Mitchison warns: “If you were doing something much more intrusive – maybe you’re going out to third parties and getting additional data about the income of the household or the car they drive – while you may have a very good reason for collecting that data, it might be more difficult to pass the balancing test to be able to do that under legitimate interests. If you’re doing particularly sensitive profiling, you might have to ask for consent.”
As a general rule, if you ask consumers for consent to profile them, you have to be specific about what you are going to do and allow them to opt out at any time. Aquarone says: “Now we really need to be able to go into much more detail about each customer and say what they have consented to and what they haven’t, both in terms of data collection and data processing, and then allow them to change it at that level of detail.”
“It’s almost a paradox,” Mitchison points out. “You have got to tell people everything, and you’ve got to make it really easy.”
This principle of consumer empowerment underlies all of GDPR. Businesses that adapt and offer consumers real choice around their data stand a good chance of being seen favourably – both by consumers and by the Information Commissioner’s Office (ICO).
Companies are still uncertain about how the regulator will interpret GDPR, but those that take the proactive steps outlined above and – most importantly – can demonstrate their justifications for doing so should avoid nasty surprises. Keep a written record of the decisions you make as a business, and make sure you inform everyone in your company about any new processes they need to follow around data and any new security measures they should follow when handling data in IT systems.
Here at Aardvark Marketing, we’re busy right now helping our customers understand and prepare for GDPR as part of our normal service. If you’d like a confidential discussion about how we could help your business, please contact us.
The Information Commissioner’s Office’s guide to GDPR can be found here.
*Article published in Marketing Week, March 2018 by Michael Barnett