[GDPR] GDPR & Marketing

Marketing & GDPR 101

Marketing and the General Data Protection Regulation (GDPR): in the lead-up to May 25th, and quite often after, I’ve heard people refer to GDPR as the ‘death’ of marketing. In my opinion, they’re not wrong. There is a type of marketing that we’re all aware of, where we all know it’s a little below the board, a little sneaky. Even those that enjoy and have seen success from this marketing may tell others it’s fine, but they know what they’re doing. It’s this style of non-transparent, mass personal data buying/selling and cold-call-style marketing that’s dying.

As a consumer, former Data Protection Officer (DPO) and avid believer in good data use and protection, I’m happy to see this go. But what about the marketing style that stays? There’s a lot of confusion surrounding GDPR and what you can and can’t do on a daily basis, and the following will hopefully help answer some of those initial thoughts.

Before we start, there’s a great phrase that I picked up at the GDPR event: always ask yourself whether what you’re doing with personal data is Creepy or Cool. For our developers, this was a difficult concept. Even practices that your customers might call ‘Creepy’ our developers called ‘Cool’ because of the complexity of creating them in the first place, but after training this phrase has helped me teach the entire team here at Evosite to constantly question what they’re doing.

Does the GDPR apply to all Business to Business (B2B) marketing?

If it involves personal data, then yes. If any of your marketing activities can identify an individual, directly or indirectly, then GDPR applies, irrespective of whether they’re acting in their professional capacity or not. This could be their name, telephone details or their email address (the only exception would be for generic email addresses such as [email protected] or [email protected]).

What about business cards? Can we still contact someone who has provided us with their business card?

Yes. When it comes to GDPR, everything is a risk assessment and a mitigation of risk where possible. If a person has business cards printed with their information and hands them out, then you can safely rate them as low risk. A person who hands out business cards expects to be contacted by those they give them to, and therefore it’s appropriate under GDPR to do this.

This isn’t the same, however, as sending them unrelated spam or selling on their data. You can send them related direct marketing under a legitimate interest, but you should always give them the right to remove themselves from your lists.

Can we rely on legitimate interests instead of consent for marketing?

A trickier one to answer, as we bounce back to the risk involved. You can, as long as what you use the data for is proportionate and reasonable for the purpose for which it was provided to you. Does your marketing have a minimal privacy impact? Will they be surprised by it or likely to object to it? At the end of the day, if you have a legitimate interest to send marketing then it will probably already fall under the Privacy and Electronic Communications Regulation (PECR).

What is PECR and does it still apply now that GDPR is law?

The Privacy and Electronic Communications Regulation 2003 (PECR) is an e-privacy law that governs the processing and sharing of personal data for electronic marketing purposes (such as marketing calls, emails, texts, faxes, the use of cookies and general privacy safeguards). It does still apply now that GDPR is law; however, it is expected to be replaced in the next few years with newer regulation.

What does GDPR say on marketing emails, texts or postal communication?

Under PECR section 22 you can contact clients or potential clients who have shown interest in, or are part of a negotiation for, the product. This means that if they’re in an existing relationship with you then you have a defence to contact them with relevant marketing, as long as they haven’t opted out of receiving it. If they have opted out of marketing and you contact them anyway, this is a GDPR breach. You need to be careful with your user lists to make sure that they aren’t duplicated and used for multiple purposes; if a customer asks you to stop contacting them then this needs to be updated everywhere.

What does GDPR say about marketing calls?

You can call any business for marketing purposes that has consented to your calls (such as through an opt-in box). This extends to any company that hasn’t registered with the telephone preference services (TPS) or the corporate TPS, for as long as the same company hasn’t already objected to or removed consent for your calls in the past. This means that, similar to written marketing, you’ll need to keep an updated ‘no marketing contact’ list to review prior to any campaign.

What does GDPR say about social interaction using channels like Twitter, LinkedIn or Facebook?

As far as GDPR is concerned, the relationship exists between users and the social network itself and is governed by the network’s terms and conditions. What this means is that you can continue to engage with your follower base via the social network, or with anyone who reaches out to you directly using social media. Similar to business cards, if they follow or reach out to you then there’s an expectation of a response.

What you can’t do is go hunting for personal details such as email addresses across Facebook, Twitter and LinkedIn with the aim of contacting people with direct marketing without their consent. You also shouldn’t look to export your followers’ or friends’ data without their consent if your purpose is to put them into a CRM system or to contact them with direct marketing. It is vital that you don’t just assume that because someone is your social media friend or follower you then have the right to hold and use their personal information.

An example of this: if you exported all of your LinkedIn contacts with the aim of sending them direct marketing, then this would be a breach of GDPR unless you had consent from all of your contacts or another legal defence for that purpose, but it’s fair to say that a majority, if not all, of your contacts would be surprised by that marketing and would want to unsubscribe.

What counts as consent to marketing? 

Like all of the questions above, this is another example where you should ask yourself: is it creepy or is it cool? The only way you can get consent in a ‘cool’ way is by the letter of the law, which is that consent must be given freely. This means that you give people a genuine, ongoing choice over how you use their data. What they are consenting to must be clear and obvious to the user. Consent must require a positive opt-in (so consent is unambiguously given) and be unbundled from any other terms and conditions. So if the marketing for which you use consent as the basis doesn’t follow any of this, then it’s simply not consent under GDPR and use of the data would be a breach.

Does everyone in my team need to know the details of GDPR?

Yes, everyone in your team and in your company who has any chance of coming into contact with personally identifiable information (PII) needs to have basic awareness training. This training needs to be logged, and for frontline staff who will come into a high level of contact with PII, refresher training every 3-6 months should be required. If you have a breach that relates to the mishandling of data through human error, one of the first things the Information Commissioner’s Office (ICO) will ask you is whether you trained your staff in data protection, and for evidence of this. If you haven’t, or can’t provide that, then chances are that in the eyes of the ICO the rest of your adoption of GDPR will be lacking as well.

What’s the best bit of advice you can give us? 

Without sounding like a 90s crime film, it’s time to stop hiding in the shadows. You need to treat GDPR as the rebirth of being open and transparent with your customers about what it is that you do with their personal data. Don’t scare them, don’t do the minimum. Make privacy and openness part of your company’s direction by design. It won’t come as second nature to many, and in the short term it’ll cost you time, money and business as you refocus, but the future is clear, both in customer expectation and in EU and UK laws, which are only going to get tougher in the protection of data.

You shouldn’t fear your marketing contact lists halving in size through unsubscribes or lack of consent. What you’ll be left with is a much higher quality of data with customers who are actually interested in hearing from you and purchasing your services or products.

If I can extend this to two bits of advice then I’d say it’s OK to get help. Speak with other companies, attend events, give me a call, but whatever you do, don’t bury your head in the sand. If you do, then when (not if) something goes wrong and is reported by your customers to the ICO, it could be the end of your business.

What now?

If you’re the DPO of your company and you’re struggling to get or keep your company GDPR compliant then please do reach out to me. There are plenty of resources that we’ve put together and we can talk through what the next best step for you is.