In this article, we will be looking at GDPR from the perspective of how it will impact upon your marketing strategy in 2018. The bottom line is that – as long as you are using data that has been ethically collected to market your business in a fair and transparent way – you have nothing to worry about. Furthermore, we consider GDPR to actually be a positive step in the right direction when it comes to the appropriate use of data by organisations who wish to raise awareness about their products and services to prospects and customers, in the hope of generating additional sales in some way or another.
The best advice we can give you is – don’t panic! This legislation is a relatively simple piece of good practice CRM housekeeping that we feel is absolutely necessary to protect the rights of all individuals globally, in an increasingly invasive dynamic digital world of big data marketing solutions. If you take on board the underlying principles upon which GDRP is based, not only will you keep on the right side of the law, but you will also in all probability develop better relationships with prospects and customers – and therefore deliver more effective marketing campaigns too.
Why not put yourselves in the shoes of the people receiving your communications, and try to see things from their perspective? Do you think they value receiving materials from your company in all the different ways you communicate with them? If not, perhaps you ought not to send them. We pretty much all dislike receiving junk mail through the post, but most of us do enjoy receiving tailored and relevant communications from brands we love from time to time. Why is this the case? Well, if you work out the answer to that question, then we guarantee that you will have an incredibly strong foundation for your organisation’s future communications strategy…!
As many will already know, GDPR stands for ‘General Data Protection Regulation’, an EU regulation coming into force on 25th May 2018. It sets out the rules by which companies must abide if they gather, hold and process anyone’s personal data. It sounds innocuous enough, but has generated some unnecessary panic in certain quarters – by self-interested parties who may seek to benefit in some financial way through their unhelpful scaremongering – with the sense of metaphorical iron doors about to close between companies and any customers who haven’t positively expressed their willingness to receive communications.
Although true for some communication channels, it’s not true as a whole. Nor should anyone get into a flap over the stipulated fines for offenders of up to £17 million or 4% annual global turnover. Yes, these are eye-watering numbers, but these would only be levied for the most serious breaches.
In fact, so many stories of imminent doom have been circulating about the impact of GDPR that the body with responsibility for enforcing the regulations in the UK, the ICO (Information Commissioner’s Office), has felt the need to create a blog debunking some of the myths that have arisen. Here’s a quote from Elizabeth Denham, Information Commissioner, on the matter of those fines:
‘It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.’
So, as you can see, there is no need to panic! Yes, GDPR does involve a bit of effort, but it will ultimately help to create databases that emphasise quality over quantity – and that showcase your business in a better light to its customers. In fact, being proactive when it comes to GDPR governance could actually end up giving your business a long-term competitive edge in its marketplace…
What is behind GDPR?
GDPR affects how marketers are allowed to approach customers, and what they can do with the customer data they collect. Rather than a radical overhaul of the system, it is more a consolidation of existing practice preparing for GDPR – “less of a leap and more of a small hop!” as one commentator put it. The EU have set up a website specifically to provide information about GDPR at https://www.eugdpr.org/ that shows that the aim of the legislation is to “protect all EU citizens from privacy and data breaches”.
Of course, here in the UK, we are (at time of writing!) not very far away from ceasing to be EU citizens, but whatever doubts about the Brexit deal (if any) that we end up with, it is already known that we will continue to abide by GDPR rules, as well as those under another regulation coming in at exactly the same time as GDPR, the e-Privacy Regulation. In fact, it is the latter that has generated much of the anxiety about the impact of the new regime.
The e-Privacy regulation specifies the processing of data in connection with electronic communications, and will replace the current Privacy and Electronic Communications Regulations (PECR). As well as encompassing phone calls, email and SMS – all previously governed by the PECR – the new regulation will extend to VOIP interactions (such as Skype), web-based email and the IoT (Internet of Things). It requires organisations – including marketers – using these channels in a B2C context, to have obtained the recipient’s consent to be sent communications. Every communication must be ‘transparent’, i.e. a message for marketing purposes must be clearly framed as such, state who it is from, and provide a simple option to opt out of future communications. Please note, by the way, that there is an overlap between B2B and B2C, in that the rules governing B2C marketing apply when dealing with sole traders or partnerships, even if one is communicating to them as businesses.
None of this seems unreasonable to us, and our sense is that most organisations will need to make few, if any, changes to comply. The main issue to consider is whether, and in what form, consent has been obtained from B2C customers. To comply with the e-Privacy Regulation – and GDPR – consent must have the following characteristics:
• Separate: A consent request should be separate from any terms and conditions and not a precondition of signing up to a service unless necessary to receive that service.
• Granular: Customers must be given options to consent separately to different types of processing. For example, separate consents should be obtained for sending emails and making telephone calls.
• Named: The organisation and any third parties that will be relying on consent must be clearly and unambiguously named.
• Active opt-in: Unticked opt-in boxes or similar must be offered. In other words, customers must take a positive step to opt-in. Silence or pre-ticked boxes cannot be construed as consent.
• Documented: Records must be kept to demonstrate what the individual has consented to, and when and how they consented.
• Easy to withdraw: It must be as easy to withdraw as it was to give consent – via a simple, effective mechanism (e.g. a clear ‘unsubscribe’ option within emails).
Where organisations are already working to these standards, the consents they have obtained prior to 25th May 2018 will continue to be valid. The e-Privacy Regulation does not govern B2B marketing communications (except to partnerships and sole traders), nor non-electronic marketing channels. In these areas, while it is true that organisations can rely on consent – to the same standards described above – as their ‘lawful basis for processing data’, consent is not the only lawful basis available. In fact, the ICO itself says:
‘The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.’
In addition to consent, there are five other lawful bases for processing data. One is ‘contract’ which can be invoked where communication is necessary to fulfil a contract or provide a quote, but the one most relevant to marketers is ‘legitimate interests’.
The ICO suggests that the legitimate interests basis ‘is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing’. In a marketing context, a company promoting its wares will not usually impact seriously on anyone’s privacy, especially when recipients of their promotions can unsubscribe at any time. The ICO continues:
‘There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
• identify a legitimate interest;
• show that the processing is necessary to achieve it; and
• balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.’
So, if you have a commercial interest in holding a customer’s data, this in itself can be a valid reason for you to hold and use some data about them. If following this route, the ICO requires you to balance your interests against the individual’s. ‘If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.’
To rely on legitimate interests as a basis of consent, organisations must carry out a legitimate interests assessment (LIA) and record the results to help demonstrate compliance. The legitimate interests should also be explained in the organisation’s privacy notice, which should include:
• how long personal data is retained,
• details of any sharing of personal data with third parties,
• an explanation of any profiling activities undertaken,
• how individuals can exercise their rights to opt-out or be ‘forgotten’,
• where to send complaints and if non-EU countries will process personal data.
The impact of GDPR and the ePrivacy Regulation on different aspects of marketing
Much of good practice under GDPR is about good communications between organisations and their customers – which is what good marketing is all about. As the Chartered Institute of Marketing puts it:
‘Whilst GDPR affects everyone within an organisation, marketers are particularly well placed to ensure GDPR compliance throughout their business. With a superior knowledge of the customer, marketers are able to enter into a dialogue with consumers regarding the changes GDPR will enforce, and understand what customers are willing to tolerate.’
If marketers are to take the lead in instilling GDPR into their organisations, they need to understand the effects of GDPR on the various communication channels they use.
With email marketing, GDPR doesn’t distinguish between B2B and B2C, but ePrivacy law does – so opt-in consent must be obtained from individuals, including sole traders and partners. B2B marketers can continue to send marketing emails if they have completed their legitimate interests assessment, as described earlier.
Direct mail will be largely unaffected, as long as the means to opt out of receiving it is provided. There is no one opt-out service, so senders should therefore say which service they refer to when checking if people have opted out or not, and point people towards it if they would like to opt out of receiving their mailings. Current services include the DMA’s ‘Your Choice’, the Mailing Preference Service and the Royal Mail’s Door-to-Door Opt-Out. Expect to see direct mailing in a B2C context to increase, at least in the short term, because no opt-in consent is required from the customer.
Regarding telemarketing, the ePrivacy Regulation recommends the introduction of an ‘opt-out consent regime at a national level’. In the UK, we already have this in the shape of the Telephone Preference Service (TPS). Telemarketers are already required to refer to the TPS, and not call anyone who has opted out of receiving calls (those still bombarded by messages telling them they’ve been mis-sold PPI will appreciate the tighter enforcement that is being promised!).
The use of bought-in data lists may be limited by GDPR and the e-Privacy regulation. If individuals have to give their explicit consent to receive specific electronic communications from an organisation, that consent cannot be extended to other third parties. Companies who sell data as a major part of their activities may find this is no longer open to them. In response to the ICO’s draft guidance on consent, Experian said:
‘On the whole, the Guidance was in line with our expectation apart from the requirement to name all third parties with whom personal data would be shared. Our view is that this requirement, if applied, could create significant challenges including for SMEs and start-up businesses who do not have an existing database of prospective customers that they can engage with to generate sales.’
The impact on how marketers interact with customers and prospects at different points within their strategic bowtie marketing CRM solution (that communicates to both prospects and customers) could be significant. As suggested above, we may see significant growth in non-electronic communications, such as direct mail, being used to generate leads and build databases to add new contacts to the left side of the bow. At the same time, with some routes to gaining new B2C contacts being cut off, retaining and developing existing customers will become even more important: the more of these who can be turned into advocates and ambassadors, the more they will help bring in new contacts that companies can no longer reach directly. Jim Conning of Royal Mail Data Services adds:
‘If you’ve got a relationship with a customer, and you develop that, so it’s an accurate conversation, and you give the customer the opportunity to opt-out every time you communicate with them, then you’re going to get more business from that. It’s much cheaper to develop a customer that you already have than find a new one.’
Marketers (along with everyone else) must also respect consumer rights
GDPR not only provides rules that organisations must adhere to when handling data, it also sets out specific rights for individuals, namely:
1. The right to be informed about how their data will be used
2. The right of access – an individual asking what data is held about them and how it is used must be given that information
3. The right to rectification of inaccurate or incomplete data
4. The right to erasure – known colloquially as ‘the right to be forgotten’
5. The right to restrict processing, e.g. preventing data’s use if it is inaccurate
6. The right to data portability, allowing individuals to obtain and reuse their personal data for their own purposes across different services
7. The right to object to data processing based on legitimate interests (so the individual’s right to say ‘No’ will generally outweigh an organisation’s right to hold and process data based on its legitimate interests
8. Rights in relation to automated decision making and profiling
The last of these rights is particularly significant given the increasing use of automation in managing and using data. People must be informed about how their data is held within databases/CRMs, including any profiling done with it. In a recent Marketing Week article, John Mitchison, Director of Policy and Compliance at the DMA, offered the following advice:
‘If you’re doing something straightforward like segmenting your file based on the consumer’s age, what they have bought in the past or where they live in the country, that’s fine – you can explain that very simply. However, if you were doing something much more intrusive – maybe you’re going out to third parties and getting additional data about the income of the household or the car they drive – while you may have a very good reason for collecting that data, it might be more difficult to do that under legitimate interests. If you’re doing particularly sensitive profiling, you might have to ask for consent.’
The post-GDPR environment
The new regulations will be a good thing for marketing. Bad practices, which irritate and alienate customers, will be clamped down on, with marketing’s overall reputation theoretically rising as a result. GDPR will help to make consumers aware of how and when their data is used, so successful brands will be the ones trusted to handle data correctly. (Campaign magazine recently reported that seven out of ten customers would boycott a brand that mishandled their data.) That’s why the fines that could be levied for breaches are in many ways a side issue – far more important will be the impact on a brand’s reputation if the ICO finds it manifestly failing to safeguard data.
Viewed positively, the need to comply with the new regime from 25th May 2018 represents the perfect opportunity for organisations to review and tidy up their databases, data handling processes and data analysis strategies. All databases of any reasonable volume are bound to contain outdated or redundant entries that ought to be cleared out anyway as a matter of good governance, let alone in the interests of legislative compliance. Yes, databases will end up smaller, but they will be more accurate and up to date, potentially leading to more targeted marketing and better responses from recipients.
Consumers gaining awareness of the data held about them – and its value – with the ability to access and review it at any time, will effectively become owners of their data, the use of which they have full control over. This opens up the prospect of individuals even selling rights to companies to handle and use their data. No doubt there will be some developments none of us can foresee – rules and regulations almost inevitably lead to unexpected and unintended consequences, so it will be interesting to see what plays out.
The existing data protection regime was established before many of the platforms so familiar to us today were even invented, and the new GDPR and e-Privacy Regulations are largely concerned with catching up with the fast-changing world of digital communications. Inevitably, technology will continue to advance faster than legislators can keep up with it, but the new rules applying from May 2018 create a sound set of broad principles for those handling data – including marketers – to follow. They represent a chance to build greater trust and engagement. As the Direct Marketing Association puts it,
‘There is no need for marketers to fear GDPR, far from it. Use these new rules as a catalyst to become more customer-centric as an organisation, rather than thinking of it as merely a legal requirement.’
What to do next
1. Audit and, if necessary, clean up your existing database
2. Decide which lawful basis for processing your organisation will operate under.
3. If you use electronic communications to communicate with individuals, sole traders and partners, the only lawful basis for processing their data is to have their opted-in consent, so use multi-channels to encourage as many of them to opt-in prior to May as you can.
4. If you will be using the legitimate interests basis, carry out a legitimate interests assessment.
5. Update your privacy notice and make sure it easy to find on your organisation’s website.
For more detail, the GDPR section of the ICO website provides helpful and detailed checklists to work through to ensure you meet the requirements of the GDPR and e-Privacy Regulation.