Laws surrounding data privacy and customer consent are changing in just over a year – get it wrong, and you will pay hefty fines. Time to test your permission statements and check your strategy is flawless.
Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments, but for private companies.
– Bill Gates
Back in 2013, Bill Gates may have been referring to balancing surveillance and security in light of the Snowden leaks, but his words aptly reflect the subsequent aims of the European Union to harmonise data protection law across member states, providing enhanced privacy rights for individuals.
This desire has led to the EU General Data Protection Regulation, due to be enforced on 25 May 2018. The GDPR ushers in a swathe of new rules and its scope is broad – affecting anyone who processes EU citizens’ data, whether they are situated within the EU or not. Whatever your sector, you need to be prepared for the Regulation – the fines for breaches are substantial.
What does the GDPR mean for marketers?
Consent
Under the Regulation, organisations must process personal information under one of six legal bases (GDPR Article 6.1). One of these conditions, which marketers have traditionally relied on, is consent. Under the GDPR, consent must be ‘unambiguous’ and collected by a ‘clear and affirmative action’.
The bolstered definition of consent and transparency requirements mean privacy notices need to be reviewed and the business impact of ‘opt-in’ should be assessed. I believe those who look to optimise the wording of permission statements and test them have an increased chance of reaping the benefits.
Significantly, in the UK regulator’s recently published draft guidance on consent, there is a stark warning for those who share data with third parties and/or who buy in third party lists. Many believed it would be sufficient to provide sectors with whom the data might be shared, but the ICO is clearly indicating there will be a requirement for ‘named’ consent. I suspect this will be challenged during the ICO’s consultation on the draft, but if it remains unchanged it will undoubtedly present difficulties when collecting third party consent.
Legitimate Interests
If you can’t provide individuals with a genuine choice, so consent is not a viable option, you may wish to consider relying on legitimate interests (GDPR Article 6.1(f), an avenue that may prove popular specifically for postal marketing communications. However, I would caution that legitimate interests shouldn’t be seen as a ‘soft’ option. You will need to demonstrate that you have balanced your interests with the privacy of your customers, taking into consideration the relationship you have with them and whether the proposed activity would be within their reasonable expectations. You will also need to inform customers you are using this condition (i.e. via your privacy policy) and it is not an easy thing to explain! You will also need to uphold their right to object to processing under these grounds.
Database Impacts
GDPR will challenge current database structures. As well as proof of consent for direct marketing and channel preference, multiple further fields may be needed. For example: consent for profiling; processing under legitimate interests; explicit consent for sensitive data processing; and – where relevant – parental consent. Combine this with the requirement to store direct marketing opt-outs, objections to processing under legitimate interests and profiling, and there’s quite a technical hurdle to overcome.
Profiling
To comply with GDPR, you need to ask key questions about the type of profiling techniques your organisation uses. Do they require consent? How might you obtain this consent and have you informed your customers about all profiling? Further guidance is expected at a European level on this and, for many marketers, can’t come soon enough.
Legacy Data
What happens to the data you have collected under existing laws when GDPR is enforced? Many commentators believed there may be leniency, but I wouldn’t count on it. The Regulation is clear that where consent has been given under the Data Protection Directive, it will only be valid if it also meets the requirements under GDPR. Steve Wood, the UK’s Information Commissioner’s Office Head of International Strategy and Intelligence recently commented at an IAPP event: “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” He continued: “What you will see is a common-sense, pragmatic approach to regulatory principles.”
Be warned if a customer complains after 25 May 2018, about receiving a marketing communication and you can’t prove you have adequate consent; this complaint could be escalated to the Regulator and you will be in breach.
ePrivacy Regulation
If the GDPR wasn’t enough for marketers to get to grips with, crucially we are anticipating the final text of the proposed ePrivacy Regulation (repealing the 2002 ePrivacy Directive). The European Commission aims to implement this Regulation in line with the GDPR on 25 May 2018. Following a draft text earlier this year, clarification is hotly awaited specifically surrounding soft opt-in (which is likely to remain, but with tighter limitations on its use) and whether there will be a clear distinction made for B2B communications. Cookie consent is also set to get tougher.
With two new Regulations to contend with, data-centric marketers can’t take a back seat – they need to be prepared.
Rosemary Smith is speaking at the forthcoming MINT Global in Amsterdam (April 3-4, 2017): a conference that is unlike any other; offering delegates an unforgettable experience as well as top-level insight into the very latest marketing expertise. She is also running a workshop on the Monday of that event, looking at how GDPR and ePrivacy will impact on marketing.
Places are limited, so book your seat now at this unique event and don’t miss the boat (which is a hefty clue about that ‘unforgettable experience’)!
Read also:
Customer consent and new regulations: check-out your ‘golden ticket’
EU: May 25 2018 is data protection rule implementation date
Leave your thoughts