Fergus Lynch – Senior Account Executive
We’re all aware of the impending implementation the General Data Protection Regulation (GDPR), viewed by many in the marketing profession as a looming data-pocalypse, with the threat of huge fines for data mis-management. The GDPR will come into force on 25th May 2018, leaving businesses just six months to make sure their data operations are compliant with the new regulations. Perhaps in the misguided hope that in a post-Brexit world the GDPR won’t affect them (it will), the marketing industry seems to be dragging its feet when it comes to preparing for the GDPR. According to a survey conducted in September by the World Federation of Advertisers, just 65% of major global brands expect to be fully compliant by the deadline and, shockingly, 25% of businesses admitted that they are still in the “initial planning stages”.
However, as responsible marketers, we must face up to the reality that the GDPR is coming and we must all comply. Gathering data, analysing it and using it effectively is an essential building block of any marketing campaign. Crucially, those working in the marketing profession must familiarise themselves with how the GDPR will affect this crucial function of their role, how it will impact campaigns, the data they hold, how they use it and how they manage it.
The general thrust of the GDPR is that data must be collected lawfully and fairly, for legitimate purposes and only kept if the person who it concerns consents. Personal data can be gathered in multiple ways, on online sign-up forms to access the contents of a website, at conferences and exhibitions, and as a requirement for downloading white papers. Under the GDPR, businesses must be absolutely clear, at the point of collecting this data, about what it will be used for and get the explicit consent of the person giving them their data that they understand and agree to this. This cannot be passively given, e.g. through a pre-ticked box, an individual must actively opt-in to hand over their personal information.
If businesses cannot show that they gained an individual’s consent to collect, process and use their data then they may be fined. The Information Commissioner’s Office (ICO) will be able to hit offenders with a huge financial penalty of up to €20 million or 4% of global turnover, whichever is higher. For many businesses, this could be catastrophic, and reinforces how important it will be to prepare for the GDPR.
There is, however, some flexibility within the GDPR to allow businesses to collect and process data without opt-in consent, if there is a clear and defined “legitimate interest”. A “legitimate interest” for data processing can include fraud detection, security measures or transferring data between different parts of an organisation. Several marketing campaign activities can fall under a “legitimate interest”, including direct marketing, website personalisation, maintaining customer preferences and communication suppression, ensuring individuals are not contacted after they opt out. Crucially, marketers must be able to demonstrate that they have considered the balance of interests between themselves and the individuals whose data they have collected, and whether an individual could reasonably expect that their data would be used for marketing purposes.
Once marketing professionals have gathered an individual’s data, they must then ensure that they handle it responsibly, transparently and securely. One key aspect of the GDPR is the right to erasure, more commonly known as the right to be forgotten. Under the GDPR, individuals must now be given the power to access and remove their data from a company’s database, as the GDPR gives them more control over how their data is used and gathered. Marketing professionals must ensure that they implement simple processes that will allow individuals to view the data that is held on them, and, if necessary, ask for it to be removed.
GDPR is undoubtedly going to cause many in the marketing profession a real headache when it comes to ensuring their compliance with what is a fairly stringent set of regulations. However, marketing professionals should also look upon GDPR as an opportunity to refresh how they collect and manage data when implementing a campaign, to operate with clarity and transparency and give consumers and individuals the flexibility to control who has access to their personal data, and what they do with it.