It has been almost two years since the GDPR was adopted in the EU, which means the regulation will become enforceable in the coming months.
People have known about this for years, yet many marketers still don't quite understand how it will change their business. What does GDPR compliance actually mean for marketing in the UK? Before it takes effect, learn more about the new regulations here.
What is General Data Protection Regulation and what are requirements?
The GDPR is a regulation in European Union law on data protection and privacy. It applies to the processing of personal data of individuals in the EU, whoever does the processing, and it also governs the export of personal data outside the EU. Its aim is to give individuals control over their personal data.
Businesses benefit too, since the General Data Protection Regulation simplifies the regulatory environment for international business. The regulation was adopted on April 27th, 2016 and replaces the 1995 Data Protection Directive.
After the two-year transition period ends on May 25th, 2018, it becomes enforceable, harmonising data protection rules throughout the EU.
This will make it easier for international companies to comply, although the compliance regime is demanding and the penalties for violations are high: fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.
GDPR Implications for Marketing
The GDPR will affect how businesses operate. It brings new rules for explaining what data is collected from, and for obtaining consent from, the prospective and existing customers on a company's email lists.
Essentially, the way you use data will change. Marketers will need to demonstrate that their company is GDPR compliant and, if they can't, a fine is likely.
This means that all marketers must align themselves with GDPR principles, which makes the way data is collected incredibly important.
When marketers collect personal data during marketing campaigns, they can only use that data for the purpose for which it was obtained.
In other words, databases cannot grow using traditional methods: a new purpose needs its own lawful basis, and where that basis is consent, fresh consent.
Databases will need to be completely cleansed and reviewed so that companies can show that consent was obtained lawfully and fairly, that data is being used legitimately and that the information is accurate.
This means that users will be able to easily access the data companies hold on them and can unsubscribe more easily, while companies have to do more to justify the data they currently hold.
GDPR for B2B Marketing
Usually, the data subjects of B2B marketing have been seen as something of a fair game by marketers, as long as appropriate opt-out procedures were in place.
Marketers were largely free of strict rules on obtaining permission to use the data.
Now, with the advent of the GDPR, every processing operation needs a lawful basis. Consent is one such basis; the others include processing necessary to perform a contract with the subject, to protect the subject's vital interests, or to pursue a legitimate interest. Where consent is the basis relied on, it must be freely given, specific, informed and unambiguous.
This applies less strictly to B2B marketing, since the GDPR only covers data relating to identifiable individuals, not to businesses as such.
Data that relates only to a company (a generic info@ address, for instance) is outside the GDPR, but a named individual's work email address is still personal data.
Affecting B2B Marketing
Consent will be more rigid, with a notable change in the opt-in process.
There can be no ambiguity and no pre-ticked boxes, and consent cannot be bundled into other terms. Opt-in must be separate and specific to each purpose, with a clear right to withdraw that is as easy to exercise as giving consent was.
B2B marketing will be most affected by the idea of legitimate interest. This is a lawful basis under which the company's own interest in the processing (here, direct marketing) is weighed against the rights and reasonable expectations of the individual.
Recital 47 of the GDPR notes that direct marketing may be carried out for a legitimate interest, so many companies will fit this category, provided they document that balancing test and honour the individual's absolute right to object to direct marketing.
GDPR for Email Marketing
Email marketing is incredibly common in the modern world and is a great way to spread the word about a company’s products or services.
The marketing industry uses email all the time, but many people are concerned about how the GDPR will change that, since it is meant to give power back to the data subject, in this case the person who receives the email.
In future email marketing campaigns, marketers must ask explicitly for consent to use the subject's data, so that subjects can clearly see what they are agreeing to.
Consent cannot be assumed; people have to actively opt in, and where data will be used for several distinct purposes, each purpose must be explained and consented to separately.
Marketers will also have to name the organisation that controls the data and any third parties who will receive it.
Subjects who do not want to participate must be able to withdraw easily. Consent is not valid where there is a clear imbalance of power between the data subject and the organisation, and it may need to be refreshed when the purposes or the privacy notice change.
How to Adapt to the GDPR
As the date from which the GDPR applies draws nearer, companies have been wondering how to adapt to the new rules and the privacy policy changes that accompany them.
To remain compliant with the GDPR, it's best to begin by understanding its individual requirements.
Data Collection
The GDPR does not require your servers to be located in Europe, but personal data may only be transferred outside the EU where the regulation allows it: to a country the Commission has ruled adequate, under standard contractual clauses or binding corporate rules, or under another safeguard from Chapter V. This includes cloud services, so check where your provider stores and processes data. Every processing operation also needs a lawful basis, and for marketing that will often be consent.
Where consent is the basis, the manner in which it is obtained matters too. Boxes cannot be pre-ticked, and silence or inactivity does not count as agreement.
Consent must be a clear affirmative act by the subject, and explicit consent is needed where special categories of data (such as health data) are involved.
Transparency
If you're working with any kind of personal data, transparency is mandatory. The subject must be told about all aspects of data collection, transfer and use.
They need to know what you will use their data for and whether you plan to transfer it anywhere else.
Data Minimisation
The GDPR also limits what data you store. Only data that is needed for the service you're providing should be collected and kept; this is known as data minimisation.
Subjects can ask what personal data a company holds on them and why it is needed. You'll need to be able to provide this information, and give them the chance to object or opt out.
Data Storage and Processing
Controllers and processors must keep a record of the processing activities they carry out (Article 30). If your processing is expected to continue past May 25th, 2018, all activities must be recorded from that date onwards. Organisations with fewer than 250 employees are exempt unless the processing is more than occasional, is likely to risk individuals' rights, or involves special categories of data.
Purpose and Limitation
You must disclose the purpose for which you use data. You don't necessarily need consent where the processing is necessary for a legitimate interest of your organisation and that interest is not overridden by the individual's rights. Direct marketing can count as a legitimate interest, but the individual can object to direct marketing at any time, and that objection must be honoured.
Security
No security certification is mandatory under the GDPR. Certification schemes and seals under Article 42 are voluntary and can help demonstrate compliance, but a self-awarded badge on a website proves nothing about whether you actually meet the new data protection law.
If you do seek certification, choose a scheme whose criteria have been approved by a supervisory authority or the European Data Protection Board, and have an expert or legal counsel confirm that it covers your processing.
A risk analysis of your processing activities must also be carried out.
This is what Article 32 asks for: security measures appropriate to the risk, which may include pseudonymisation, encryption, and the ability to restore availability after an incident, so that you can show that you meet the requirements of the law.
Accuracy
Any data you hold should be accurate and kept up to date, and inaccurate data should be corrected or erased without delay. Responsibility for checking this can sit with an appointed data protection officer, or with trained employees who consider how the data is collected and what it will be used for.
Accountability
Everything must be accounted for when it comes to people's data. The new transparency requirements mean that all data should be accounted for and any channels used to collect it should be made clear to the individual.
Publish a privacy notice (the information required by Articles 13 and 14) on your website to keep you accountable.
End of the Relationship
If a subject no longer wants their data used, or does not want to provide data, they must be able to opt out. For marketing this can be a simple "unsubscribe" link or an opt-out page, and the objection must be honoured for all direct marketing.
Retention
If you continue to collect data once the GDPR applies, the privacy of the subject is a main concern.
Data collected before the GDPR can be retained only if the consent originally obtained meets the GDPR standard; if it does not, consent must be obtained again. A data protection impact assessment is required where the processing is likely to result in a high risk to individuals, not for every operation.
One common way to obtain consent you can evidence is double opt-in: after the subject agrees to have their data collected, they also have to respond to a confirmation email before any marketing is sent.
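A double opt-in flow in Python, as an added example rather than code from the original article. It shows how to tie the confirmation click to exactly what the subject saw (address, purposes, privacy notice version), stop forged or replayed confirmations, and keep the timestamped record that accountability requires. The signing key, the 48-hour expiry and the in-memory store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side key; load it from a secrets manager in practice
# and rotate it. Anyone holding this key can forge confirmations.
SIGNING_KEY = b"example-only-signing-key"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links stop working after two days


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email, purposes, notice_version, key=SIGNING_KEY, now=None):
    """Build the token placed in the confirmation e-mail.

    The payload records the address, the purposes being consented to and the
    version of the privacy notice the subject saw, so the later click confirms
    exactly what was shown. The HMAC stops anyone forging a confirmation for an
    address they do not control or altering the purposes afterwards.
    """
    payload = {
        "email": email,
        "purposes": sorted(purposes),
        "notice_version": notice_version,
        "issued_at": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),  # makes every token unique
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_confirmation_token(token, key=SIGNING_KEY, now=None, ttl=TOKEN_TTL_SECONDS):
    """Return the payload if the signature checks out and the token is unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)
    current = time.time() if now is None else now
    if current - payload["issued_at"] > ttl:
        return None
    return payload


class ConsentStore:
    """In-memory stand-in for the consent table a real system would keep."""

    def __init__(self):
        self.pending = {}  # email -> {"token": ..., "source": ...}
        self.records = {}  # email -> consent record

    def start_signup(self, email, purposes, notice_version, source, now=None):
        """Step 1: the subject ticked the box. Nothing is sent until they confirm."""
        token = issue_confirmation_token(email, purposes, notice_version, now=now)
        self.pending[email] = {"token": token, "source": source}
        return token  # the caller e-mails a link carrying this token

    def confirm(self, token, now=None):
        """Step 2: the subject clicked the link. Record consent together with its evidence."""
        payload = verify_confirmation_token(token, now=now)
        if payload is None:
            return False
        pend = self.pending.get(payload["email"])
        if pend is None or pend["token"] != token:
            return False  # unknown, superseded or already-used token
        del self.pending[payload["email"]]
        self.records[payload["email"]] = {
            "email": payload["email"],
            "purposes": payload["purposes"],
            "notice_version": payload["notice_version"],
            "source": pend["source"],
            "requested_at": payload["issued_at"],
            "confirmed_at": int(time.time() if now is None else now),
            "withdrawn_at": None,
        }
        return True

    def withdraw(self, email, now=None):
        """Withdrawing must be as easy as consenting; keep the record for accountability."""
        rec = self.records.get(email)
        if rec is None or rec["withdrawn_at"] is not None:
            return False
        rec["withdrawn_at"] = int(time.time() if now is None else now)
        return True

    def may_send(self, email, purpose):
        """Only confirmed, un-withdrawn consent for this specific purpose permits a send."""
        rec = self.records.get(email)
        return bool(rec and rec["withdrawn_at"] is None and purpose in rec["purposes"])
```

The purposes are part of the signed payload, so a later campaign for a purpose the subject never confirmed (may_send with a different purpose) is refused, and a withdrawn record is kept rather than deleted so you can still show when consent was given and when it was withdrawn.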
Deletion
Since the subject can opt out and must know what their data is used for, they also have the right to have their data deleted where there is no longer a lawful basis or purpose for keeping it.
Databases have to be cleaned out when the GDPR takes effect to make sure all regulations are met. In other words, data you cannot justify holding should be deleted.
GDPR summary
The GDPR will be fully enforced in the coming months, and companies have been scrambling to make sure they meet the data regulations.
Marketers need to consider how data will be collected, what it will be used for and what information they need to be transparent about.
Before the GDPR takes effect fully, it's best for marketers and companies to consider these points and see how the GDPR will affect marketing in the UK.