
A marketer’s guide to GDPR

9 months ago by Sophie Webber

What is GDPR?

The General Data Protection Regulation (GDPR) is new legislation that will be enforced from the 25th May 2018. It requires businesses to protect the personal data and privacy of citizens for transactions and communications that occur within the EU.

Basically, it will mean the introduction of tougher fines for non-compliance and breaches. People will have more of a say over what a company does with their data, and there will be identical data protection rules throughout the EU.

You may have some work to do to ensure you’re compliant before the GDPR deadline, otherwise you may be fined.

As marketers, we use customer data almost every day, so how is GDPR going to affect our work?

Why is it changing?

The amount of digital information we create, capture and store has dramatically increased – particularly because of digital marketing. This meant that Europe’s previous 1995 Data Protection Directive was no longer sufficient. Countries were all creating their own data protection acts, none of which matched, and they needed to be regulated.

Talk of the GDPR started years ago, and has now been finalised. There is now one high standard across all 28 EU countries regarding the use of data. This new regulation is effectively a law, so the terms must be followed.

The changes will directly affect business, and will take some investment to meet and to administer. Consumer rights have changed, and consumers now have more of a say in the use of their own data. The GDPR’s provisions require businesses to protect the data and privacy of EU citizens for transactions that occur within EU member states, placing more responsibility on the data controllers and data processors. The flow of the data outside of the EU will also be regulated.

The GDPR is set to offer greater protection to consumers against criminals trying to steal their data. In 2016, companies in the UK lost more than £1 billion to cybercrime. This included major data breaches which gave criminals access to names, birthdates and addresses, social security and pension information.

How will the GDPR affect marketing?

Data is key to the success of a marketer’s campaigns. Through data we can recognise site visitors, identify our target audience, improve email marketing and make sure we engage with the right people at the right time.

The GDPR is going to affect digital marketing in a few main areas. It’s by no means the end of the world, but there are some things to keep in mind:

1. The first is regarding opt-ins, opt-outs, and consent regarding communications. This means that consent should be clear, and any ambiguity or inactivity should not be taken as consent. Customers must actually agree that their data can be used and they can be contacted. You need to make sure that you have actively received confirmation that you can use their data.

A positive of this new regulation is that you will be able to segment your customers, and focus communication. A pre-ticked box which opts them in will not suffice anymore. There must be a physical option to opt-in.

2. The second is the right to be forgotten. This means that the customer will now have increased control of their data. As a marketer, it’s going to be your responsibility to make sure that users can access and remove their data if they so wish.

By having a single system where you can host the consent record of every consumer, you will be able to track all your data and easily ensure that you’re GDPR compliant.

You could simply provide an unsubscribe link, or a link to a page where the user could pick and choose what they would like to receive.

3. The third change is to the legal basis for processing personal data. This means that marketers will not be allowed to unnecessarily process data. We will all have to process our data better in-house.

This isn’t as complicated to do as it sounds. It will simply mean limiting yourself to collecting only the necessary data that you can prove you need.

Within marketing, who will most be affected?     

The GDPR will affect every business and public body that processes the personal data of EU residents. Therefore, everyone needs to be ready to carry out the necessary procedures to ensure that they will comply with the GDPR.

Within the marketing industry, there are 3 roles in particular that are going to experience the most change within their workplace.

  • Email marketing managers - Ensure that users have opted-in to your email marketing campaigns, and don’t just assume they will opt-out if they don’t want to receive content from you.
  • Marketing automation specialists - Every person on your automation list needs to have opted-in at some point. If an email is sent to someone who should not be in your CRM database, you could find yourself in trouble.
  • Public relations executives - The process of pitching new products to journalists is exactly the same; you will still have to receive consent from them. This could be done directly, or through social media.

How aware are you?

[Image: GDPR graph]

 

The penalty for non-compliance

Under Article 83(5) of the Regulation, serious infringements will result in a fine.

The highest fine, of up to €20,000,000 or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, applies to breaches of:

1.     The basic principles for processing including conditions for consent
2.     Data subjects’ rights
3.     International transfer restrictions
4.     Any obligations imposed by Member State law for special cases such as processing employee data
5.     Certain orders of a supervisory authority

The lower fine, of up to €10,000,000 or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is higher, applies to breaches of:

1.     Obligations of controllers and processors, including security and data breach notification obligations
2.     Obligations of certification bodies
3.     Obligations of a monitoring body
4.     Direct liability for data processors

Organisations that process personal data of other companies whilst providing a service will also be directly liable for breaches of the GDPR.

[Image: GDPR chart]

How marketers can prepare

There is no reason why the new legislation should catch you out if you prepare properly. We’ve come up with a checklist of procedures you should definitely think about doing before the transition:

  • Raise internal awareness
  • Audit all your data. By the 25th of May only 25% of data will be compliant with the regulation. Remove anyone who has not consented to opt in, or ask users to confirm subscription if unsure.
  • Review any of your privacy notices
  • Have procedures in place to detect, report and investigate any breaches to data
  • Check how data flows across the borders both within the EU and outside of it
  • Prepare for data subjects to employ their extended rights (e.g. their ‘right to be forgotten’)
  • Appoint a dedicated Data Protection Officer if you have a large business
  • Marketers need to be ready to deal with requests to view, amend or destroy prospect and data
  • Invest time and money to educate your team and adjust your systems
  • Seriously consider how you are going to obtain consent

A new era of digital marketing

This new legislation will no doubt take some getting used to for all of us marketers. There may be some difficulty on the road to becoming compliant with the legislation as marketers are made more accountable for their customers. However, this is not such a bad thing.

The introduction of the GDPR could mean even better targeted marketing campaigns with consumers who want to engage with your brand. There is going to be quality to all our data.

As a marketing agency, we recommend always being as transparent as possible with your users about their data. Consumers should always understand what they have agreed to opt in to. From May 2018, the new legislation will bring more trust and better relationships.

If you swot up and do everything that you can to comply with the regulations, then you shouldn’t have any problems.

Disclaimer: This is a summary of publicly available information and should not be taken as legal advice. We take no responsibility for any non-compliance.

 
