Head of Digital
Posted on September 26, 2016
2018 is expected to be a big year for marketers and the way they use data. Predictions from the International Data Corporation indicate that by 2018, the amount of data that organisations store will increase by as much as five times the current levels. As organisations continually increase the amount of data they store, there’s also a big change on the horizon – the adoption of GDPR.
The General Data Protection Regulation is a new regulation (passed during April 2016) which aims to give citizens the right to control who holds, processes and shares their personal data. It is one of the largest shake-ups seen in the business world and has far reaching consequences, particularly for marketers. Organisations must be compliant by May 2018, which gives little time to adapt current business practices to be compliant.
1. Does Brexit Affect GDPR?
Since Brexit many have questioned whether the regulation will still have relevance after the UK has left the EU. The short answer is that the regulation will still be relevant, post Brexit.
Countries that wish to establish trade agreements with the EU will likely have to comply with the regulation and thus the regulation still applies to the UK – assuming we successfully negotiate a trade agreement with the EU!
2. Marketing through Implied Consent
Up until now many marketers have relied (at-least partially) on an implied consent model to collect data on prospects and to use that data for marketing purposes. For example:
- Sending marketing emails to existing customers who have not specifically opted-in to receive marketing communications
- Sending multiple forms of communication to a prospect who has only agreed to one form of communication – e.g. sending special offers to those who have only agreed to receive a newsletter
- Sourcing lists of prospects from third party sources and marketing to them
- Pre-ticking checkboxes on website forms which give consent to receive marketing information
- Burying data usage clauses at the bottom of lengthy and complex terms & conditions and privacy policies
These practices are not compliant with the GDPR and will have to be amended by 2018.
3. Becoming Compliant
Organisations have until May 2018 to become fully GDPR compliant. The GDPR comprises of multiple models, which define the rules under which organisations can store and process personally identifiable information. Two of these models are specifically applicable to marketers (although you’re advised to check all of the models).
R32 Consent Model
R32 is the most comprehensive and also the most widely recommended model for B2B and B2C marketing communications. Under this model organisations must satisfy the following criteria before processing personally identifiable information.
- Consent must be obtained through action: A person must have performed an action, such as ticking a checkbox to demonstrate their consent. Pre-ticked checkboxes are no longer acceptable. However configuring a technical setting (such as configuring their browser to accept cookies) is acceptable.
- Consent must be freely given and not forced: As marketers we cannot withhold something if a person does not consent. For example a person cannot be denied a white paper download, or entry into a competition should they not give consent.
- Consent must be informed: A person needs to be aware of exactly how their data will be processed (and shared) and the marketing communications they can expect to receive by giving consent. If you have multiple lists or communications, a person must consent to each individually.
It is recommended that organisations have a method of proving that an individual gave consent to their data being processed. Web or paper-based forms which demonstrate consent should be securely stored. Any changes to consent forms should be documented and an audit trail kept.
R47 Legitimate Interest Model
R47 is an alternative to R32 and is similar in nature to the traditional implied consent approach. Under this model an organisation may communicate with an individual if they can reasonably assume that the person would have a legitimate interest in the contents of the communication.
It is important to note that this model does not apply to individuals. Only employees of limited companies and public limited companies are covered by this model. Staff working in partnerships, limited liability partnerships and sole traders are effectively treated as individuals. Therefore to use this model you need a reliable way of determining a person’s status and a process to treat them accordingly.
The ICO is still working on clarifying the UK’s approach to GDPR and it is suspected that this model may be adapted over the coming months to become more like R32, so use with extreme caution.
4. The Right to Removal
Regardless of the model used, organisations must ensure that a person can revoke their consent as easily as they can grant it, by:
- Providing details of an information officer who can respond to requests for information and can remove data for an individual if requested
- Allowing a person to easily opt-out of email, SMS and telephone communications
5. Terms & Conditions and Privacy Policies
Organisations must clearly publish Terms & Conditions and Privacy policies on their website and other materials. These documents must:
- Be clear and easy to understand
- Be placed in a prominent area of a website at the point of data submission
- The name and address of the data controller
- Whether data is used for marketing purposes and if so how
- Whether data is passed to third parties and whether data is transferred outside of the EU
- How long data is kept for
- How to request a copy of the data stored or to be removed
- How the information is used for profiling
The use of marketing tools such as HubSpot which store data overseas and provide prospect profiling must be considered within these documents.
Where these documents may be lengthy, it is acceptable to adopt a multi-tiered approach, whereby the first part of the document gives a key point overview, followed by further and more in-depth information.
The ICO will continue work over the coming months to clarify and help organisations interpret the GDPR, so expect things to change over the short-term. We will continue to provide updates on our blog as developments occur, so be sure to register for our weekly blog update email.