The General Data Protection Regulation, or GDPR for short, is a new EU law regulating data privacy, specifically aimed at improving the privacy of EU citizens.
It is the result of a decade of negotiations to replace various outdated data protection laws such as the UK's Data Protection Act (1998). While the GDPR is already EU law today, it is not enforceable until 25th May 2018, giving businesses time to change their data processes and structures to accommodate this shift in the data protection landscape.
As the GDPR deadline is fast approaching, it is important to know all the legal bases for data processing. As outlined in Article 6 of the new regulation, at least one of the below must apply in order for personal data to be processed:
- Consent: clear and unambiguous consent has to be given for an individual's personal data to be processed. Explicit consent is required when processing special categories of personal data, such as data about an individual's ethnic origin or sexual orientation.
- Contract: the processing is necessary to fulfil your contractual obligations to the individual, or they have asked you to take steps before entering into a contract and you cannot do so without processing their personal data.
- Legal obligation: the processing is necessary for you to comply with a common law or statutory obligation (this does not cover contractual obligations).
- Vital interests: the processing is necessary to protect someone's life. This basis is intended for emergencies; for health data or other special category data it cannot be relied on where the individual is capable of giving consent.
- Public task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interest: the legitimate interest can be your own interests or the interests of third parties. Legitimate interest is more flexible than the other legal grounds and could potentially cover any data processing for any reasonable purpose. However, the processing must be necessary for that purpose, and it cannot be relied on where the individual's interests, rights and freedoms override it.
When asked, 26% of marketers felt they were unprepared for the new GDPR regulations (DMA Insight: GDPR and you).
What does GDPR mean for B2B marketers?
Views of GDPR are divided: some B2B marketers still believe it is something that will never affect the business-to-business sector, while others brace for the worst. There is, however, a lack of understanding of what needs to be done to comply, as some areas remain grey even with only two months to go before the regulation comes into force.
Some question whether the new law will be enforced at all in the B2B world. The answer is a clear yes.
GDPR applies if an organisation is processing personal data, and B2B marketers use personal data, so the GDPR applies to them too. All contact details such as email address, name, mobile or direct-dial telephone number, or job title are considered personal data. In fact, according to the DMA, the GDPR definition of personal data is so broad that it even includes cookies and IP addresses. Any piece of data that, in conjunction with other pieces of data, identifies an individual is defined as personal data.
We have spent the past year trying to understand and comply with the upcoming regulations. The B2B world will see important changes, and, as in the B2C world, the new regulation has one guiding principle: the best interest of the individual.
In part, unethical marketing practices drove demand for a new law that could give people greater control over their personal data. Businesses that have used data as a way of understanding their customers and building mutual advantage will not be affected as much. The GDPR has put on paper what has been at the heart of many ethical companies for a long time.
Nonetheless, there will definitely be changes in the way marketing data users approach their future campaigns.
When it comes to processing personal data for direct marketing, there are two legal grounds businesses may use: consent and legitimate interest.
Article 4(11) of the GDPR defines consent as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." This means that opting in to marketing must never be made a prerequisite for accessing a service or product.
'As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.' (Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, p. 6)
We have come across numerous examples of "forced consent", where you cannot access content or a service without approving the use of your data, even though that use is not necessary for the service you are accessing. Under the new regulation this will no longer be accepted as consent.
Another important way of ensuring your consent process covers all bases is to make the opt-in process more granular, giving individuals a separate choice for each marketing communication channel. While someone might object to phone calls and emails, they might accept SMS or post.
GDPR puts emphasis on the right of the individual to know not only what data is being processed but how it will be used and by whom. The purpose of consent is not to limit the relationship between an organisation and its customers but to give individuals more control over how that relationship is managed.
On the other hand, legitimate interest is the most flexible lawful basis for data processing. However, it can also be the most complicated.
Under legitimate interest, data will need to be used in a way that individuals would reasonably expect and that has a minimal privacy impact. According to the ICO, there are three elements to be considered when taking the legitimate interests route:
- identify a legitimate interest;
- show that the processing is necessary to achieve it;
- balance it against the individual’s interests, rights and freedoms.
Where the processing would harm an individual's interests, rights or freedoms, those will override your legitimate interest.
However, keep in mind that, according to the ICO, the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. Recital 47 recognises that direct marketing may be regarded as carried out for a legitimate interest.
Therefore, provided the data has been sourced lawfully, an organisation can process data obtained from a third party under legitimate interest, as long as that interest is demonstrated and the processing does not override the rights of the individuals concerned.
What impact will GDPR have on your existing database?
The GDPR is a catalyst for change; an opportunity to make privacy a brand asset and build stronger relationships with your customers.
The first step in evaluating your current database is data cleaning. Use a data cleaning provider that can not only advise on the validity of your current contacts but also append missing information. You cannot attribute value to a contact that is incomplete or invalid. This process will help you get rid of duplicates and gone-aways in your database and help improve engagement.
B2B, or not 2B?
Sole traders and partnerships have the same rights as consumers under the current Privacy and Electronic Communications Regulations (PECR), and this will remain the case after GDPR is enforced.
Therefore, not paying attention to the legal status of the contacts in your existing database can invalidate a large chunk of it. A data cleaning process can also append (if not already in place) a legal status field to your existing contacts, so as to distinguish sole traders and partnerships from incorporated limited companies or government organisations. This is a simple way of segmenting your database for future communications.
Sole traders and partnerships are classified as 'individual subscribers', and will need to be marketed to as individuals rather than as corporate subscribers.
The rules will become even stricter once PECR is replaced by the ePrivacy Regulation, expected in 2019.
It is said 80% of your business comes from 20% of your customers, so keeping existing customers close is always a good investment.
To ensure a continuous relationship with their current database, many organisations have chosen to re-permission their existing data. An excellent example of a successful re-permissioning campaign is the one deployed by Manchester United FC, who found an ingenious way of asking their email subscribers for consent without any pressure. Their opt-in campaign, titled 'Stay United', features the club's top players and explains the benefits of opting in to receive marketing communications from the club.
It is a unique approach to what could otherwise be a boring process, and it engages with the audience in a non-invasive way. If you are indeed following the re-opt-in path, make sure you offer both opt-in and opt-out as options in your email. This will not only give you an accurate update, but it will also help you identify which emails have been overlooked and for which, therefore, no clear permission has been obtained.
However, keep in mind that regardless of the contact method you have chosen, when asking for re-permission you must not target people who have explicitly asked to be removed from your list or have unsubscribed from that type of communication or channel in the past. This is a trap that even companies such as Honda and Flybe have fallen into while attempting to obtain consent.
What individuals need to be told
Marketers will face another important challenge when it comes to utilising personal data. GDPR gives individuals the right to know how their data is used and for what purpose. The ICO has created a simple table to help marketers understand what information they need to provide, whether they are utilising in-house data or a database purchased from a third-party data provider (ICO, Right to be informed).
The GDPR places greater emphasis on the documentation that data controllers and processors must keep in order to demonstrate their accountability.
Under Article 30 of the GDPR you must document the following information:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers of personal data to third countries or international organisations, including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures. (Source: ICO)
There are still a few grey areas around the upcoming regulations. A new regulation on electronic privacy was set to come into force in May 2018, alongside GDPR; however, there are still a few elements that need to be confirmed, as it is still going through the European legislative process. It is now predicted to come into force between March and June 2019.
Currently marketers are able to send emails to corporate subscribers using legitimate interest; this could all change once the ePrivacy Regulation comes into force.
According to the ICO, earlier this year the European Commission published its proposal for the new, updated ePrivacy Regulation (ePR), to better protect people's privacy in the digital age. This legislation seeks to tighten the rules on marketing to individuals, proposing that all marketing communications, including telephone and email, must be opt-in.
The ePR will potentially apply to all individuals, therefore to B2C subscribers as well as to staff of a sole trader or partnership.
"It's great that one of our members is working so hard to increase understanding around GDPR, and going to such lengths to make sure that they deliver helpful and accurate information." – Zach Thornton, External Affairs Manager, Direct Marketing Association
For more detailed documentation and additional advice, please refer to the sources below:
- DMA: https://dma.org.uk/gdpr
- Information Commissioner’s Office,(ICO): https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
The report we produced goes into more detail about the effects of GDPR on the marketing world, covering the likes of consent vs legitimate interest, the expanded definition of 'personal data', sole traders and partnerships, and the effects of GDPR across the four main marketing channels.