What GDPR means for your marketing

As a marketer, you will not have failed to notice all the media attention devoted to the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

The law represented a significant change to previous data protection laws and means you must have adjusted your marketing. The rules affect your email marketing, direct marketing and CRM systems and require you to change your website and other data collection methods to comply with the law.

Data collection and consent

A key principle of the new legislation gives individuals greater choice over which companies they receive information from. This is done by tightening up data collection and consent. Consent must be “any freely given specific, informed and unambiguous indication of the data subject’s wishes by which he or she, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed” (as clarified by the Privacy Commissioner).

This means that a ‘soft’ opt-in is no longer allowed: the individual must actively opt in rather than be left to opt out, so pre-ticked boxes that the user then has to untick are not acceptable. Consent to receive marketing information also cannot be bundled into other agreements, such as accepting terms and conditions. Many companies have had to reconfigure the data collection and consent aspects of their websites to fulfil these requirements.

Consent also affects other aspects of your marketing. For example, you can no longer assume that the people who gave you business cards at a trade fair have given their consent for you to add them to your CRM system or newsletter; they have not given their specific authorisation for this activity.


Business-to-business (B2B) email marketing

Under the previous rules, you could send business contacts emails without prior consent: business correspondence worked on an opt-out basis, and you only had to stop emailing a person or company once they opted out of your mailings. It was only for private individuals that you needed consent before emailing them.

A big change with the GDPR is that the new regulation does not differentiate between individuals and companies. So even for email marketing, you need to get consent where the data refers to a person.

Clarity in your privacy information

Under the GDPR, individuals have the ‘right to be informed’, which means they must receive fair and transparent processing information from you. Basically, this means that your privacy notice should clearly state what data you collect and how you will use it.

The right to be forgotten

The GDPR gives individuals the ‘right to be forgotten’. Previously, the legislation only went as far as giving people the choice to opt out of receiving communications from you: if someone requested it, you had to remove them from your mailing list, for example. Under the GDPR, however, individuals have the right to have their data completely deleted from all your systems. This means that not only do you have to know where their data is stored, you also have to completely remove it from your systems upon request.

That might mean creating a process to find and remove data from your CRM, website, email databases, and any third-party companies or applications that collect data on your behalf. It is no longer enough to label a contact as ‘do not contact’; if requested, you must delete all records about them.

Liability

One of the most stringent aspects of the GDPR is that you are always accountable. You must demonstrate that you are following the rules. For example, you must be able to verify that you obtained consent from an individual. One of the best ways to do this is to make sure you only collect data using a double opt-in method, which provides the electronic signature you need to prove consent.

Audit details for your data collection, storage and deletion are also important so you can prove you are complying with the law. If you outsource email marketing to third parties, you are still ultimately responsible for the information they collect for you. This requires you to carefully check that your partners are GDPR compliant and that any deletion requests or requests for individuals to access their data are processed correctly.
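The three mechanics the article describes (a double opt-in that can be shown to an auditor, an audit trail of collection and deletion, and an erasure process that reaches every store holding the contact) fit together in a small piece of code. The following is an added example written for this page, not code from the article or any product it mentions. It assumes an in-memory store, a server-side secret key, a 48-hour confirmation window and a hypothetical `ContactSink` standing in for a CRM or newsletter database; all of those are constructed for the demonstration.

```python
"""Double opt-in consent with an audit trail and subject erasure (added example)."""
import hashlib
import hmac
import secrets

# Assumption: a server-side secret; this key is constructed for the demo only.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
CONFIRM_TTL = 48 * 3600  # confirmation links expire after 48 hours (assumption)


class ContactSink:
    """Stand-in for a CRM or newsletter database that also holds the contact (hypothetical)."""

    def __init__(self, name):
        self.name = name
        self.contacts = set()

    def add(self, email):
        self.contacts.add(email)

    def remove(self, email):
        present = email in self.contacts
        self.contacts.discard(email)
        return present


class ConsentStore:
    """Holds pending opt-ins, confirmed consents and an append-only audit log."""

    def __init__(self, secret=SECRET_KEY):
        self.secret = secret
        self.pending = {}     # nonce -> details of the unconfirmed request
        self.consents = {}    # email -> confirmed consent record
        self.audit = []       # chronological events: the evidence you show an auditor
        self.downstream = []  # other stores (CRM, newsletter tool) that receive the contact

    def _tag(self, nonce, email, purpose):
        # Keyed hash binding the random nonce to the address and purpose, so a
        # confirmation link cannot be forged or re-pointed at a different address.
        msg = f"{nonce}:{email}:{purpose}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request(self, email, purpose, source_ip, now):
        """Step 1: the person ticks an unticked box. No marketing is sent yet."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = {"email": email, "purpose": purpose,
                               "source_ip": source_ip, "requested_at": now}
        self.audit.append({"ts": now, "event": "requested", "email": email,
                           "purpose": purpose, "source_ip": source_ip})
        return f"{nonce}.{self._tag(nonce, email, purpose)}"  # placed in the confirmation link

    def confirm(self, token, now):
        """Step 2: the link is clicked, proving control of the mailbox. Single use, time limited."""
        nonce, _, tag = token.partition(".")
        req = self.pending.get(nonce)
        if req is None:
            return False  # unknown, already used, or already expired
        if not hmac.compare_digest(self._tag(nonce, req["email"], req["purpose"]), tag):
            return False  # tampered link
        if now - req["requested_at"] > CONFIRM_TTL:
            del self.pending[nonce]
            return False  # stale link: the person must request again
        self.consents[req["email"]] = {**req, "confirmed_at": now, "proof": token}
        del self.pending[nonce]
        self.audit.append({"ts": now, "event": "confirmed",
                           "email": req["email"], "purpose": req["purpose"]})
        for sink in self.downstream:
            sink.add(req["email"])
        return True

    def may_email(self, email, purpose):
        """Only a confirmed consent for this specific purpose permits a mailing."""
        rec = self.consents.get(email)
        return rec is not None and rec["purpose"] == purpose

    def evidence(self, email):
        """What you would hand an auditor: the confirmed record and its events."""
        return self.consents.get(email), [e for e in self.audit if e.get("email") == email]

    def erase(self, email, now):
        """Right to be forgotten: remove the subject from every store we control."""
        found = email in self.consents
        self.consents.pop(email, None)
        for nonce in [n for n, r in self.pending.items() if r["email"] == email]:
            del self.pending[nonce]
        for sink in self.downstream:
            found = sink.remove(email) or found
        # Audit entries naming the subject go too. The erasure itself is logged under
        # a keyed hash, so a later enquiry can show the request was actioned without
        # the log re-identifying the person (a design choice of this example).
        self.audit = [e for e in self.audit if e.get("email") != email]
        ref = hmac.new(self.secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self.audit.append({"ts": now, "event": "erased", "subject_ref": ref})
        return found
```

The point of the keyed tag on the confirmation link is that a confirmed record can only have come from someone who received the email, so the stored `proof` together with the `requested` and `confirmed` timestamps and source address is the record you produce when asked to show that consent was obtained. Registering each downstream system in `downstream` is what turns a "do not contact" flag into an actual deletion across the CRM and mailing tools, which is the distinction the article draws.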
