The introduction of the EU General Data Protection Regulation and the associated UK Data Protection Act 2018 has led to concerns and confusion within businesses around what they can and can’t do with personal information.
One area of concern is whether and how existing contacts can be used for marketing purposes and, if so, what businesses need to do to make sure this is legal and in line with the new regulations. Businesses are worried that they may need to delete customer databases, and about the potential monetary impact this may have on their business.
So, what is the truth behind GDPR and marketing and could it in fact be a force for good? This article provides some guidance on what this may mean for your business and quashes some of the myths currently in circulation.
GDPR and Marketing – The Facts
Does GDPR apply to my business?
The GDPR affects any organisation based within the EU wherever they are processing personal data. It also applies to organisations that are not in the EU but are processing personal data of EU residents, where that organisation is offering goods or services to these residents or is monitoring their behaviour within the EU.
But this is just about people’s private contact details, isn’t it?
No, GDPR and the Data Protection Act relate to any information that is identifiable to an individual, so that will include business client, colleague and customer details (including those of your staff).
So as long as I use personal information for marketing in line with GDPR I’m OK?
Yes, but there will be other regulations and laws that affect your use of personal information. Of particular importance to marketing is the Privacy and Electronic Communications Regulation (PECR). This governs how you market electronically, e.g. via email, telephone or fax, and provides additional rules around the situations where you will need consent to market to people. In the majority of cases, you will be able to market to businesses without consent (if you give them the option to unsubscribe), but you may need explicit consent to market to individual customers, especially if they’re not a current client. Further information can be found in the ICO's Direct Marketing guidance.
Is what I’m doing really marketing?
If you are promoting your organisation in some way, it may well be seen as direct marketing. The Data Protection Act 2018 defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. The ICO's Direct Marketing Guidance clarifies that this isn’t just commercial marketing, but any promotional material, including material promoting the aims of not-for-profit organisations.
So, it’s important I get consent from anyone I market to?
What’s important is ensuring you have a legal reason for using personal information for marketing. Consent is one legal justification for sending people marketing materials, but remember for this to be valid, consent must be:
- Freely given – people shouldn’t have to receive direct marketing just because they want a service from you
- Specific – you need to give them specific choices about what they’re signing up to i.e. to a specific newsletter rather than any marketing you might want to send to them
- Informed – how well have you informed them of what you’ll do with their information once you have it? Have you made it clear what this marketing will involve, who their details will be shared with, their right to unsubscribe and other rights they may have in relation to their data, including the right to have their data erased in certain situations?
- Unambiguous – you cannot imply consent from lack of action e.g. they must tick a box rather than not tick a box and pre-ticked boxes will not be appropriate
- Easy to unsubscribe – it should be as easy for individuals to unsubscribe from marketing as it is for them to subscribe
There are other legal justifications for direct marketing, including for the legitimate interest of your business. But, in order for you to rely on this, you must consider whether your legitimate interests outweigh the privacy of individuals in the use of their data. It is recommended that you carry out a legitimate interest assessment before you decide to use this legal justification.
Can I continue to use bought-in contact lists for marketing?
If you are using bought-in lists, you will need to be assured that the people on these lists have agreed to their information being used in this way. Any consent obtained by the other organisation must have identified you specifically and your use of this information. You will need to keep records to demonstrate what the individual has consented to, including what they were told, when they consented and how they consented. In addition, you’ll need to make sure that these people are provided with your privacy notice so that they understand how you will be using their personal data if they haven’t been made aware of this.
Complying with the GDPR
Those who fail to comply with the GDPR are at risk of extremely high fines. For the most serious breaches, penalties can reach €20 million or 4% of the organisation’s global annual turnover. Often organisations will not face this level of fine. However, they will need to put into practice appropriate approaches to the collection and processing of personal data to ensure compliance with the requirements of the GDPR.
This may include:
- Ensuring the quality of information – A lack of quality data is a hindrance to effective marketing. By ensuring your client data is up to date and accurate, you will be able to generate leads and implement marketing campaigns more effectively.
- Promoting the importance of GDPR – To become and remain compliant with the legislation, it is paramount that people within businesses and organisations understand it. It will be important to have a Responsible Person or a Data Protection Officer to answer any questions and help keep individuals within the organisation abreast of the current legislation. This will help clarify any of the grey areas and help to understand your obligations to maintain compliance.
- Responding to data subject requests – Individuals have a number of rights under the GDPR and the new Data Protection Act. These include the rights to have access to their own information and to have their data rectified, restricted and erased in certain circumstances. Marketers will need to set themselves up to react appropriately to such requests. While most individuals will not choose to exercise this option, it is a legal right under the GDPR, so implementing best practices as soon as possible is advisable.
At this point most organisations have found that preparing for and becoming compliant has cost them time, money and resources. However, once systems have been adjusted and staff have been educated, the business or organisation will be in a far better position.
A New Age of Marketing
Despite the rumours that the GDPR will single-handedly destroy marketing, the new regulation is an opportunity to properly understand your market base, ensure you have a client base that is interested in receiving your marketing materials and to ensure individuals are informed about how you use their information.
If you need further help in understanding the new GDPR and Data Protection requirements and how they may apply to marketing in your business, please contact us.