While it’s several years since GDPR came into full force, organisations continue to get things wrong, and marketers still have questions about how the legislation affects what they can and can’t do.
Our ebook will give you the answers you need. What to do with your contact database, what type of emails, DM or telemarketing you can use. Plus, you can work out if you are a data processor or controller and what goes into the all-important data processing agreements you should have.
The ebook will also guide you through the process of auditing your own data and how that will help determine what activity you can carry out.
The history and future of data protection
Are marketers Data Processors, Data Controllers or both?
Your data – is it time to panic?
What to do with your outbound communications
Storing data in a GDPR world
Breaches and requests – not my circus, not my monkeys
GDPR – what’s the point of it all?
GDPR represents a shift in the way that data on European Union individuals can be gathered, stored and used. It is being introduced to try and catch up to the advances that have happened in how personal data is used, which has been driven largely by changes in technology.
In short, the Data Protection Act, which it replaces, doesn’t deal with the way that data is stored in the cloud or, for example, how companies like Facebook and Google exchange their services for our data. GDPR seeks to match appropriate legislation with today’s technology. As such it should be viewed positively.
As it has been adopted EU wide, it’s a method of introducing standardised protection laws in each of the 28 member states.
If you’re involved in handling personal data of virtually any kind, it is highly likely that you will need to change your current working practices to some extent.
Why does this affect marketers?
As marketers, we collect personally identifiable and semi-identifiable data to make more informed decisions, create and personalise the customer experience and, ultimately, deliver a stronger experience for consumers, both B2B and B2C.
We want this information to help us retain customers, to lure them back in when they visit our websites and to send them content that is appropriate and relevant.
Because GDPR tightens the reins on who we can lawfully communicate to, there is a lot of panic in the marketing community that we’ll no longer be able to use this data in the traditional ways. One recurring theme in particular is that direct marketing will only be possible to those who have given their consent.
In practice, we don’t believe things are half as bad as have been widely suggested. There is sure to be some attrition in terms of the size of your prospect database, but who can hand on heart say that every prospect they have is genuinely valid anyway?
And while you will certainly need to look at what data you hold, how and where you store it and who has access to it, that’s actually a good position to be in anyway.
So, while GDPR is sure to affect marketers, it’s not as bad as all that and can genuinely bring positives if approached correctly.
A word about another acronym – PECR
While GDPR is the hot potato right now, marketers also need to be aware of the Privacy and Electronic Communications Regulation (PECR). This is the legislation that actually dictates how you can communicate with someone by email, text message, telemarketing call or other ‘electronic mail’ (a purposefully broad definition which was designed to allow new methods of communication to be added as they became available).
Currently, PECR sits alongside the Data Protection Act and it will continue to do so when GDPR takes the place of the DPA. It is perhaps easiest to think of it as a two-step process:
- GDPR determines what personal data you can hold and how you go about managing that in a secure and compliant way.
- PECR adds some specific rules around the methods you use to communicate with that data.
For example, you have consent to process an individual’s data, limited to sharing updates about a range of products. It is GDPR that governs the specifics of the consent and the safe storage of that data. You choose to communicate the product updates via email so you have to include your company details, what consent applies and a means of unsubscribing. It is PECR that governs the specifics of the email.
In reality, there is some overlap between GDPR and PECR and it can be difficult to distinguish between the two regulations. What is important to note is that BOTH apply.
Also, PECR is being overhauled (due to come into force some time in 2019). That may change the rules again on what can be sent to whom, so bear that in mind when forward planning. For now at least the existing rules still apply – and the ICO provides very detailed descriptions of what you can and can’t do.
“But, hang on a minute, what about Brexit?” I hear you ask.
After all, with 52% of the vote favouring ‘leave’ surely there is no need to worry about any of this after we exit the EU?
Nope, wrong. Whatever side of the Brexit fence you’re on, the UK will continue to be a member of the European Union beyond the GDPR implementation date so we’re going to have to adopt it – at least, until Theresa May delivers Brexit and we’re free to make up our own rules…right?
Wrong again! The ICO has already stated that, while it doesn’t know what a UK-only GDPR model will look like, trade with the EU will be very problematic if we don’t adhere to the same levels of data protection. So, even if the Government chooses to create its own version of the regulation it will need to be as stringent as GDPR.
And just to be clear, GDPR will extend beyond the boundaries of the EU. No matter where you are in the world, if you process the data of individuals in the EU (including the UK for the time being), you must adhere to GDPR.
There’s really no way out of this one!
The history and future of data protection
The transition from one law to another can be a bit of a minefield, and with the fines you could face for getting it horribly wrong, it’s tempting to want to hide and hope that the monster under the bed will disappear. But GDPR is simply a step up from current practices and is not something to be feared.
This chapter explores the current legislation, the Data Protection Act, and how it differs from GDPR.
DPA vs GDPR
The Data Protection Act has been around since 1998 and is a UK-wide regulation that aims to protect the personal data that can be used to identify a living individual. The scope of the legislation refers to identifiers such as names, phone numbers, addresses and emails, and applies to data that is held on computers, recorded in order to be held on a computer, or recorded in a system that is easy to access (known as a ‘relevant filing system’).
As an EU-wide regulation, GDPR applies to the whole of the EU and its 500 million residents, as well as any company that holds data on individuals in the European Union.
One of the most fundamental shifts from DPA to GDPR is ‘privacy by design’. That means when designing information systems that will process personal data, privacy needs to be built in from the get-go. In layman’s terms, this means privacy can’t be bolted on.
But for everyday marketing activity, external systems and third party software will handle a lot of this. After all, most marketing departments are unlikely to be designing new mechanisms for the mass processing of data. Where marketers need to be more mindful is in ensuring that access to your systems and software is carefully monitored to lower the risk of data breaches.
For marketers though, probably the key difference between the DPA and GDPR, and the one getting the most coverage, is the set of justifiable reasons you can cite for processing data. Specifically, the ones that govern how you can market your products and services to people have been seriously tightened up (more on this in chapter 5).
Quick guide to the differences:
| Issue | Data Protection Act | General Data Protection Regulation |
|---|---|---|
| Scope | UK-wide legislation, applicable to UK businesses | All 28 EU member states, as well as any businesses that sell products or services to EU individuals and organisations |
| Accountability | Limited and more of a ‘box ticking exercise’ | Explicit and ideally built in to the fabric of an organisation – ‘privacy by design’ |
| Fines | £500,000 for the most serious of breaches, which is also the case under PECR | €20m or 4% of annual turnover for serious breaches, whichever is higher, and €10m or 2% for minor breaches |
| Breach notifications | Not a requirement | Supervisory authorities must be notified ‘without undue delay’, and no later than 72 hours after the breach has been discovered |
| Right to erasure | Not explicitly required of businesses to comply | Individuals have the right to insist their details are deleted from your database, including backup and secondary backup data stores |
| Subject Access Requests | £10 fee can be charged – must respond in 40 days | Free of charge – must respond in 30 days |
| Responsibilities | Data controllers only | Data controllers AND data processors |
The six principles of GDPR
There are six principles that underpin the GDPR. These principles state that:
- Data is processed lawfully, with fairness and transparency. Subjects must be informed about your data processing methods. They should also know that what is being requested matches what you state you plan to do with that data and that your data processing meets expected security and fairness standards.
- Data is collected for a specified, explicit and legitimate purpose or purposes, depending on what you’re collecting information for. You must not use that data under any other circumstances.
- You must limit the amount of information you collect on an individual to what is adequate and relevant to the purpose you’re collecting that data for.
- Data should be kept up to date and accurate; you cannot assume that permission to use a subject’s data is granted if they haven’t actively agreed that you can hold this information.
- Data must be kept in a form that permits identification of your subjects, but you should only keep it identifiable for as long as you need it.
- Data needs to be processed and managed in a way that retains appropriate security and privacy. This will hinge on the size of your organisation, the amount of data you collect and what you need to do with it.
The GDPR shouldn’t get in the way of your marketing. It’s certainly a step up from the DPA, and will inevitably affect who you market to and how, but it’s really not the death knell you might’ve been led to believe.
Are marketers Data Processors, Data Controllers or both?
For marketers, GDPR shines a light on what data we can hold and what we can do with it. It’s also helpful to understand what our relationship to that data is. Here, we explore the two types of data manager, what their roles are and how that applies.
Definitions and responsibilities
Data processors – these are the people who process data on a controller’s behalf. If you’re an agency and you’ve been given a client’s customer data to send emails out to them, you’re a processor.
Data controllers – the person, authority, agency or body that’s responsible for choosing why and how they will process data. So, to use the agency example again, the client that gave you that data to use is your data controller. They’ve decided what data you should process.
It’s important to understand that your role as a processor or controller will change, depending on each individual relationship. As a marketer, you’ll probably need to wear both hats.
Example controller vs processor roles
To help make it easier to understand the difference between the two roles, here are some examples:
The bank will be creating any number of marketing assets, alongside their usual data processing activities. It’s in control of who gets what data.
External print company
When instructing a printer to print personalised direct mailers, for example, the bank will be handing over data to the printers. Therefore, they are a data processor.
The bank also uses a marketing agency to generate leads using email marketing and gated content on their website. Data capture will be handled by a marketing automation platform.
The agency processes data on behalf of the bank because they manipulate the data before it is added to the marketing automation software.
Marketing automation software
In this case, the software will also be a processor because the data exists and is being used in their system.
It doesn’t stop there. The software is SaaS and is delivered via a data centre. The data centre is also a data processor.
The agency also uses a marketing automation platform for their own marketing activity. In this instance they are the controller!
The marketing automation platform and data centre are processors for the same reasons as above.
It’s not as clear cut as it first appears, is it? Understanding whether you are a controller, processor or both is vital to outline the responsibilities you face.
Regardless of whether you are a controller or processor, one thing you need to know about is data processing agreements. These are a legal requirement that set out what is being asked of the processor by the controller.
If you are unsure about whether you have a processing agreement in place, double check! The chances are that there may be one hidden in existing trading agreements, which gives you an opportunity to revisit the agreement with GDPR in mind.
The scope of this ebook does not include the detail of processing agreements, so please don’t consider this legal advice; it’s vital that your legal team are involved in the creation of processing agreements.
However, things you will need to consider include:
- Adapt the agreements to the nature and requirements between yourself and that particular data processor.
- Consider what is being processed and for how long
- Assess how individual agreements comply with privacy laws, including the technical requirements set out by GDPR
- Establish and assess a procedure to notify data breaches, including a process that identifies the negative effects of a data breach
Software and systems
Whether you realise it or not, you’ve probably already been exposed to data processing agreements. Software and system providers will issue updated terms and conditions which include clauses that deal with the new requirements.
Again, none of this should be ringing alarm bells; it may even already be in place, but it’s certainly a good step to check your current position and adjust as necessary.
For marketers, perhaps the most pressing question is whether the data you hold is still of value after GDPR kicks in. Will you still be able to use it or have you got to throw everything away and start from scratch?
To answer that question you need to understand what type of data you are dealing with. Under GDPR, the different types of personal data are broken down into two distinct categories:
Standard personal data – the usual suspects: names, addresses, email addresses, phone numbers and digital identifiers (IP addresses and mobile device IDs), for example. However, more emphasis is now placed on ensuring protection is in place for data such as shopping information, web surfing habits and other digital identifiers.
Physical, physiological, mental, economic, cultural or social data will also count towards this new standard data, because it can lead to the identification of particular individuals.
Special categories of personal data (also known as sensitive personal data)
This refers to data held on an individual’s racial or ethnic origin, criminal records, trade union membership, political opinions, religious beliefs and sexual preferences. It also includes genetic and biometric information.
It is important to note that processing data that falls under the special category requires explicit consent from the data subject or must satisfy one of several other legal bases for processing. Most of these are way outside the scope of the marketer, for example when it is in the public interest or to protect the vital interests of a subject who cannot physically or legally consent.
In short, for most situations, if you are handling sensitive data, we’d recommend seeking legal advice to ensure you are doing things by the letter.
The legal bases for processing data
Once you know what kind of data you have, you can apply a legal basis for processing that data. There are six legal bases for processing data under the new regulation, and no single basis is better or more important than another. It all depends on what data you’ve got and what you plan to do with it! The six bases, as defined by the ICO are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For most marketing situations, either (a) or (f) will be the legal basis to use and that’s what the next section focuses on.
As marketers, GDPR compliant consent is the Holy Grail. Your data subject has actively agreed to you communicating specific information to them. If that relates to the ongoing promotion of a product or service, arguably that’s not just consent. It’s analogous to lead scoring and probably denotes a fairly strong buying signal. Happy days indeed.
But with consent, the devil is in the detail. First of all, consent has to be ACTIVELY given. So no more pre-checked tick boxes or soft opt-ins, thank you very much. Consent must also be specific. No more vague, woolly, catch-all phrases about sending ‘information’. If someone consents, it’s for a specific purpose.
Consent is also for a limited period – it doesn’t last forever. The length of time is set by you and will depend on what you’re gaining consent for. For example if the buying cycle for your product or service is 3-5 years, then you could argue your consent could last that long. If your typical buying cycle is weeks or months, then consent lasting beyond 12-24 months would be a stretch. At that point you need to renew consent.
Which leads neatly into recording consent. You have to be able to show when and how consent was given and you need to be able to keep track of it, so that when consent expires, those contacts are either removed from the consent-based list, moved to a different basis for processing, or deleted. In most situations, CRMs or other software will play a big part in managing this, but that will require some up-front thought, so be prepared!
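The three requirements above (consent actively given, for a specific purpose, for a limited period, with a record of when and how it was captured) map naturally onto a small consent ledger. The following is an added illustration written for this chapter, not code from the ebook or from any CRM product; the record fields, the sample contacts and the reference date are constructed for the example, and the lifetimes are the ones a marketer would choose to match their own buying cycle.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event. Every field is something you must be able to evidence."""
    contact: str
    purpose: str          # the specific purpose consented to, never just 'information'
    given_on: date        # when consent was captured
    method: str           # how it was captured, e.g. "web form, unticked box"
    valid_for_days: int   # lifetime chosen to match the buying cycle
    active: bool          # False for pre-ticked boxes or implied consent: not valid under GDPR

    def expires_on(self) -> date:
        return self.given_on + timedelta(days=self.valid_for_days)


def consent_status(rec: ConsentRecord, purpose: str, today: date) -> str:
    """Classify a record for a given purpose on a given day."""
    if not rec.active:
        return "invalid"          # was never actively given
    if rec.purpose != purpose:
        return "wrong-purpose"    # consent is specific; cannot be reused for another purpose
    if today >= rec.expires_on():
        return "expired"          # renew, switch basis, or delete
    return "valid"


def contacts_to_review(records: List[ConsentRecord], purpose: str, today: date) -> List[Tuple[str, str]]:
    """Contacts that may NOT be emailed for `purpose` today, with the reason."""
    return [(r.contact, consent_status(r, purpose, today))
            for r in records if consent_status(r, purpose, today) != "valid"]


def renewal_due(records: List[ConsentRecord], purpose: str, today: date, within_days: int) -> List[str]:
    """Still-valid contacts whose consent lapses soon: the ones to re-consent before it expires."""
    horizon = today + timedelta(days=within_days)
    return [r.contact for r in records
            if consent_status(r, purpose, today) == "valid" and r.expires_on() <= horizon]


# Constructed sample ledger and reference date (not real contacts).
TODAY = date(2019, 6, 1)
SAMPLE_RECORDS = [
    ConsentRecord("alice@example.com", "product-updates", date(2018, 9, 15), "web form, unticked box", 365, True),
    ConsentRecord("bob@example.com", "product-updates", date(2017, 1, 10), "web form, unticked box", 365, True),
    ConsentRecord("carol@example.com", "newsletter", date(2019, 3, 1), "event sign-up sheet", 365, True),
    ConsentRecord("dave@example.com", "product-updates", date(2019, 5, 1), "pre-ticked box", 365, False),
]

if __name__ == "__main__":
    for contact, reason in contacts_to_review(SAMPLE_RECORDS, "product-updates", TODAY):
        print(f"review {contact}: {reason}")
    print("renewal due within 120 days:", renewal_due(SAMPLE_RECORDS, "product-updates", TODAY, 120))
```

The point of keeping `method` and `given_on` on every record is that a subject access request or an ICO query is answered from the ledger itself, and the `renewal_due` report is what turns "consent doesn’t last forever" into a scheduled task rather than a surprise.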
For those companies who already have opted in contact lists, what GDPR does mean is that you will most likely need to gain consent again in order to meet the specific requirements now in place.
That sounds like a bit of a pain. You’ve already made the effort to gain consent once, so why do you have to do it again? But sticking with the lead scoring analogy, it’s actually no bad thing. It simply means that anyone who consents is really interested in something specific, and that offers a great opportunity to be hyper-targeted.
All in all, consent for marketing is great, but it does require some forward planning and ongoing maintenance.
If marketers could choose a basis for processing all their data, it would be consent. But, as we know, data subjects (or people as they’re also known) can be a fickle bunch and might not realise they want or need your product or service!
Fortunately, we have legitimate interest to fall back on, and it offers the most flexible lawful basis for processing. According to the ICO: “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
They go on to offer some definitions of what legitimate interests might be: “A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits.”
In order to use legitimate interest, the ICO recommends a light-touch risk assessment they term a Legitimate Interests Assessment (LIA). This is broken down into three parts as described by the ICO:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Essentially, it boils down to whether you are marketing your products and services to appropriate contacts. If so, then you’re probably on safe ground.
For example, if a marketing automation platform uses legitimate interest as the basis to communicate with Marketing Managers or Digital Marketing Agencies, is that reasonable? Arguably yes, because both types of recipient may well have an interest in marketing automation and that could benefit their businesses.
On the flip side, if an HGV insurance specialist uses legitimate interest to communicate with HR Directors, then the legitimacy of that comes into question.
Legitimate Interest Assessment (LIA)
To carry out a full LIA, you need to answer a number of questions in each part of the test. The ICO breaks down each section in much more detail.
First, identify the legitimate interest(s). Consider:
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
Second, apply the necessity test. Consider:
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
Once you have answered all the questions that apply in your situation, you should be in a position to determine whether legitimate interest applies or not.
If it does, then you will need to record the process you went through to reach that conclusion and be ready to do it again if you change the original reason for processing. You must also make it clear in your privacy notices (both on- and offline) that you cite legitimate interest as a basis for processing and what that processing actually entails.
The Data Protection Network have published a very detailed guidance document on the use of Legitimate Interest which includes a template for carrying out an LIA.
In conclusion, for responsible marketers, legitimate interest offers a perfectly valid basis for processing data. One issue legitimate interest does raise is how to apply it to your existing data, and we’ll look at that in the next chapter.
Your data – is it time to panic?
One of the biggest concerns for marketers seems to be whether their data will be rendered useless under GDPR. And that’s hardly a surprise, a great deal of what marketers do relies on contact data, so is it time to panic?
Well, if you’ve followed the ebook up to this point, then hopefully you will have a broad enough understanding to be able to determine what basis you will use for processing data. And if you’ve chosen legitimate interest, which is highly likely for many organisations, then you are going to need to spend some time getting to grips with your own data in order that you can carry out LIAs.
Carrying out your own audit
A data audit sounds a bit scary but in reality it’s a great exercise to go through, not only as part of the LIA, but also to tackle the more fundamental question of quality vs quantity, i.e. do marketers really want to communicate with ALL their contacts?
The first step is to actually work out what data you’ve got and group it as closely as you can. For example: contacts you’ve bought in, lists you’ve compiled organically, companies you have prepared proposals for, warm leads, customers, lapsed customers, contacts gathered from specific events. Whatever the contact, include it.
Use whatever breakdown works for your situation, but try and keep all the contacts in any particular group quite closely aligned. Once you have identified your groups, draw a simple chart with two axes.
On the horizontal axis is ‘risk’ – which means the risk of any GDPR related issues as a result of contacting that individual using legitimate interest as the basis for processing. The vertical axis is ‘value’ – relating to the potential value of that individual to your business – most likely in terms of contract/sale value.
The next step is to go through each of your data groups in turn and plot their position on the chart. For example:
Current prospects – if you’ve been in close contact with a company for a few months, have had a meeting about providing goods or services and have submitted a proposal, then that is a high value, low risk contact.
On the flip side, contact data from business cards you collected at an event you attended in 2014 falls firmly into the high risk, low value category.
As you plot the position of your groups, you will quickly work out if they are suitably well defined or whether you need to break them down in more detail.
For example lapsed customers might include data that is five or more years old. But if you know that you have a 50% re-engagement rate within the first six months of a customer lapsing, then you would want to treat that group differently to five year old lapsed customers. That might mean splitting your groups down even further. And this is particularly important because you may need to show how an LIA applies to different groups.
The output of this exercise will be a fully populated matrix showing risk against value and this gives you a framework to be able to make some decisions. Most likely they will be broken down into three streams:
- Data that are already opted in or where legitimate interest applies
- Data where legitimate interest applies or where you should focus efforts to opt in contacts
- Data you should discard
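The risk/value matrix and the three output streams above are a decision procedure, so they can be written down as one. The block below is an added example for this chapter, not part of the ebook and not a tool the authors describe; the data groups, their contact counts and the 1–5 scores are constructed, and the rule that maps quadrants onto the three streams (low risk keeps the group whatever its value; high risk splits on value between opt-in effort and discard) is an assumption made here to keep the example concrete, since the ebook leaves that judgement to the reader.

```python
from dataclasses import dataclass
from typing import Dict, List

STREAM_KEEP = "already opted in / legitimate interest applies"
STREAM_OPT_IN = "focus effort on opting contacts in"
STREAM_DISCARD = "discard"


@dataclass(frozen=True)
class DataGroup:
    """One closely aligned group of contacts, scored for the two axes of the chart."""
    name: str
    risk: int    # 1 (low) .. 5 (high): risk of a GDPR issue if contacted under legitimate interest
    value: int   # 1 (low) .. 5 (high): potential contract/sale value to the business
    contacts: int


def quadrant(group: DataGroup, threshold: int = 3) -> str:
    """Position on the two-axis chart: which half of each axis the group sits in."""
    value = "high value" if group.value >= threshold else "low value"
    risk = "high risk" if group.risk >= threshold else "low risk"
    return f"{value}, {risk}"


def stream(group: DataGroup, threshold: int = 3) -> str:
    """Assumed mapping from quadrant to the ebook's three decision streams."""
    if group.risk < threshold:
        return STREAM_KEEP                      # low risk: use it, whatever the value
    if group.value >= threshold:
        return STREAM_OPT_IN                    # high risk but worth the effort to re-consent
    return STREAM_DISCARD                       # high risk, low value: let it go


def classify(groups: List[DataGroup], threshold: int = 3) -> Dict[str, List[str]]:
    """Fully populated matrix, grouped by stream, in the order the groups were listed."""
    result: Dict[str, List[str]] = {STREAM_KEEP: [], STREAM_OPT_IN: [], STREAM_DISCARD: []}
    for g in groups:
        result[stream(g, threshold)].append(g.name)
    return result


def retained_contacts(groups: List[DataGroup], threshold: int = 3) -> int:
    """How big the database is after discarding: the number to defend to the board."""
    return sum(g.contacts for g in groups if stream(g, threshold) != STREAM_DISCARD)


# Constructed sample groups; the scores are illustrative judgements, not measurements.
SAMPLE_GROUPS = [
    DataGroup("current prospects (proposal submitted)", risk=1, value=5, contacts=40),
    DataGroup("business cards from 2014 event", risk=5, value=1, contacts=300),
    DataGroup("lapsed customers, under 6 months", risk=2, value=4, contacts=120),
    DataGroup("lapsed customers, 5+ years", risk=4, value=3, contacts=500),
    DataGroup("purchased list", risk=5, value=3, contacts=2000),
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(f"{g.name:45s} {quadrant(g):22s} -> {stream(g)}")
    total = sum(g.contacts for g in SAMPLE_GROUPS)
    print(f"retained {retained_contacts(SAMPLE_GROUPS)} of {total} contacts")
```

Splitting "lapsed customers" into two groups, as the text suggests, is what makes the matrix useful: the same label lands in two different streams once the scores reflect the 50% re-engagement window. Keeping the threshold as a parameter lets you record the exact cut-off you used, which is part of the evidence that an LIA was applied group by group.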
That information is then useful in a number of different ways. First and maybe most importantly, you can prioritise where to put the effort into opting contacts in to your communications.
Additionally, by using a framework for grading your data it’s easy to defend your position if/when your MD, Board or any other ‘powers that be’ question why the database has reduced. Although the size of a database isn’t really a metric worth measuring in isolation anyway…
And finally, you can use this to demonstrate that you have a thought out approach to defining when legitimate interest can be used as the basis for processing data in case the ICO come knocking at your door.
Data Protection Impact Assessments
We’ve spoken a lot about auditing your own data, which is a really useful exercise, but this shouldn’t be confused with Data Protection Impact Assessments (DPIA).
A DPIA is a very useful tool when implementing a new data processing system, or reviewing if your current systems comply with the GDPR. DPIAs highlight the impact of a data breach, and whether such a breach is likely to result in high risks to that individual.
Data Protection Impact Assessments are not going to be a requirement for the vast majority of us.
The ICO states that you must carry out a DPIA when:
- Using new technologies; and
- The processing is likely to result in a high risk to the rights and freedoms of individuals
So for most of us, they are not going to be something to worry about.
What to do with your outbound communications
We’ve discussed how GDPR will impact the data you can hold, how you manage it and our roles as marketers in this process. Now it’s time to look at how it impacts the actual day to day marketing activity. Much of this section is governed by PECR and the rules you currently abide by still apply.
Email: the holy grail of some marketers’ toolboxes and still a very valuable tool, even in and amongst the myriad social channels available. So if email is part of your approach, what can you do?
If your communications are targeted at private individuals (which includes sole traders and non limited partnerships in England, Wales and Northern Ireland and any partnerships in Scotland) then you need to rely on consent to send any marketing message that is unsolicited.
Confusingly, there are some exemptions to this – known as the ‘soft opt-in’:
- If you obtained the contact data in the course of a sale (or the negotiation of a sale)
- You are only marketing your own similar products or services
- You have always offered the ability to unsubscribe
Now this is slightly at odds with what has already been discussed – after all, you might have concluded that you can use legitimate interest as the basis for processing data. But, and it’s a big but, GDPR does not govern what you can send, only what you can process. PECR governs what you can send and, as stated earlier, you need to be in line with both GDPR and PECR.
The rules around email change again when you’re communicating with corporate or business contacts. Specifically, the rules on consent and soft opt-in do not apply, so as long as you can identify a legal basis for processing, then you’re good to go. But beware sole traders and partnerships as mentioned above!
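The two-step test described over the last few paragraphs (GDPR basis first, then the PECR rule that depends on whether the recipient is an individual or a corporate subscriber, with the soft opt-in as the only exemption for individuals) is easy to get wrong when it lives in people’s heads. The block below is an added example for this section, not code from the ebook or from any email platform; the `Recipient` fields and the sample contacts are constructed, and the function only encodes the rules as the chapter states them.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Recipient:
    email: str
    is_individual: bool         # private individual, sole trader or non-limited partnership (see text)
    lawful_basis: Optional[str] # GDPR basis for processing, e.g. "consent", "legitimate interests"
    consented: bool             # active, specific consent to receive this marketing email
    from_sale: bool             # details obtained in the course of a sale or its negotiation
    similar_products: bool      # the message is about your own similar products or services
    unsubscribe_always: bool    # an unsubscribe has been offered at collection and in every message


def may_send_marketing_email(r: Recipient) -> Tuple[bool, str]:
    """Step 1 is GDPR (may you process?), step 2 is PECR (may you send?)."""
    if not r.lawful_basis:
        return False, "GDPR: no lawful basis for processing, so nothing can be sent"
    if not r.is_individual:
        # PECR's consent and soft opt-in rules do not apply to corporate subscribers.
        return True, f"PECR: corporate subscriber, lawful basis '{r.lawful_basis}' is enough"
    if r.consented:
        return True, "PECR: individual with consent"
    if r.from_sale and r.similar_products and r.unsubscribe_always:
        return True, "PECR: individual, soft opt-in exemption applies"
    return False, "PECR: individual without consent and soft opt-in conditions not all met"


# Constructed sample contacts (not real people or businesses).
SAMPLE_RECIPIENTS = [
    Recipient("buyer@corp.example", is_individual=False, lawful_basis="legitimate interests",
              consented=False, from_sale=False, similar_products=False, unsubscribe_always=True),
    Recipient("sole.trader@example.com", is_individual=True, lawful_basis="legitimate interests",
              consented=False, from_sale=False, similar_products=True, unsubscribe_always=True),
    Recipient("past.customer@example.com", is_individual=True, lawful_basis="legitimate interests",
              consented=False, from_sale=True, similar_products=True, unsubscribe_always=True),
    Recipient("upsell@example.com", is_individual=True, lawful_basis="legitimate interests",
              consented=False, from_sale=True, similar_products=False, unsubscribe_always=True),
    Recipient("nobasis@example.com", is_individual=False, lawful_basis=None,
              consented=False, from_sale=False, similar_products=False, unsubscribe_always=False),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECIPIENTS:
        allowed, why = may_send_marketing_email(rec)
        print(f"{rec.email:28s} {'SEND' if allowed else 'HOLD'}  {why}")
```

The second sample is the trap the text warns about: legitimate interest is a perfectly good GDPR basis, but because a sole trader counts as an individual under PECR, the email is held unless consent or all three soft opt-in conditions are present. The fourth shows that the soft opt-in is all-or-nothing; a sale history alone does not cover marketing a different product.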
Telemarketing has it a bit easier than email. As long as the number being called is not registered on the Telephone Preference Service or Corporate Telephone Preference Service (TPS & CTPS) then in most cases you are on safe ground provided you have a legal basis for processing the data in the first place!
There are some peculiarities and other things to be aware of:
- If a person has told you they don’t object to your calls, then you can continue to call them even if they are on the TPS/CTPS. That means consent (ideally opt-in consent) and that should be recorded if proof were ever required.
- Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call.
- If the person you call asks not to be called again, then that overrides the need to be on the TPS/CTPS. Basically, they have unsubscribed.
- The same set of rules applies to individuals and businesses.
Now it gets a lot easier!
As long as you have determined a legal basis for processing data and the contact data was obtained legally and fairly, then you are fine to use DM in your outbound marketing mix.
Again, if someone objects to your marketing, then you are obliged to stop. Which of course you would – after all why would you continue to send costly, unwanted mail packs!?
There is a Mail Preference Service (MPS) which is similar to the TPS and applies to residential addresses only. However, it is not legally enforceable, although members of the Direct Marketing Association agree to abide by the MPS, so if in doubt, it could be worth screening against it before spending your marketing budget.
Having your brand, company or products on social media is part and parcel of your digital presence. And if you’re doing it right then your audience have clearly indicated that they want to hear from you, which is why they followed your account or liked your page.
Social media also presents a huge opportunity for marketers to target advertisements and promotions to a clear-cut demographic and will continue to be so under GDPR. Fortunately, the social media platforms have been among the most pro-active in ensuring their terms and conditions make it explicitly clear how personal data will be used.
Interestingly, there hasn’t been a cataclysmic decline in the use of these services as a result of GDPR which gives some kind of indication about how much we actually care about how our data is really used, but that’s a different conversation altogether…
Largely speaking then, social media is not going to be a problem, but of course, there are exceptions. Notably, if your CRM system integrates with social media platforms and social media handles are part of the contact information, then you must make individuals aware of this, even if it is just as part of a privacy notice.
Collecting data in a GDPR world
There are a number of ways that you might collect data: via web capture, events/networking, referrals, telemarketing list building or even using commercially available lists.
Although the way you collect data will differ, the need to inform data subjects about what you plan to do with their data and what basis you will use is a constant. This is where the transparency element of GDPR really becomes a focus for marketers.
One of the most common approaches will be collecting opted-in, consented data via your website. And while a lot of confusing information has been published about GDPR, one thing that is crystal clear is that consent must be freely given by the data subject and be unambiguous.
This means that your web forms need to be really straightforward. You can no longer use pre-filled tick boxes on your sign-up forms; what individuals are consenting to needs to be really clear; consent needs to be granular if you’re using data for different processing purposes; and you need to clearly signpost your privacy notice.
Now is also a good time to review what you gather when you ask people to sign up and what information you make available. Do you go into enough detail about what information they’re likely to receive? This helps people make an informed decision, which only helps your GDPR compliance and transparency.
The mechanism for using sign-up forms doesn’t change. You can place them anywhere on your site: in the footer, in a pop-up screen, alongside blog content and, of course, to gate content.
The ICO produce some really detailed guidance and examples of how to structure sign up forms and privacy notices that comply with GDPR.
If you use the telephone to build your database, either in house or outsourced, then similar rules apply. You need to show you have a standardised, auditable way of gathering data, so if the ICO ever ask, you can demonstrate your compliance.
Adopting a standard scripted approach to explaining the purpose of your call and what you want to use someone’s data for should be an acceptable method to capture consent – provided the individual actively agrees! You can’t treat inactivity as consent.
Of course, you need to keep records of when the call was made and manage any opt outs accordingly.
Business events and exhibitions
You know the drill. You’re at a business exhibition and drop your business card into a bowl for a chance to win an iPad or some other prize. You do so safe in the knowledge that part of that ‘transaction’ is that you will be contacted by the prize-giving company in the near future.
Now the big question, do you have a lawful basis for processing that data? It would be very hard to justify consent, but does it constitute legitimate interest?
In our view, yes, it probably does. After all, as business professionals, we’re not going to waste our time going to irrelevant events. On the flip side, a lot of business cards collected at events are not relevant, so it would be worth sifting through the cards before adding all of them to your CRM under the banner of legitimate interest.
You’re also going to need a privacy notice for that activity, but you don’t need to have a lengthy document on display. You could argue that a layered approach would be justified in this example (see the section below on privacy notices).
Opt in – single or double?
There seems to be a lot of conflicting information about exactly what constitutes an opt-in. For example, some marketing automation platforms and email broadcast providers are going to great lengths to point out their robust, ‘GDPR compliant’ double opt-in process.
While this is certainly GDPR compliant in that you can unequivocally demonstrate consent, it is not necessary. Provided you have a process in place to record consent in a structured way then you should be fine. Double opt-in is just one way to achieve that.
Interestingly, the ICO make the following statement about documenting consent:
“When relying on consent as your lawful basis for processing, you must be able to demonstrate how and when that consent was obtained. It may be impractical to document each individual consent as part of your record of processing activities. But you can use this record to indicate you are relying on consent for a particular processing activity, and to link to where the consent has been documented.”
Reading between the lines, the ICO are saying that if you have a process in place which demonstrates you are being responsible and taking a proactive approach to recording consent, then the world is not going to end if one or two records are not perfectly recorded.
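What “recording consent in a structured way” can look like in practice, as an added example that is not part of the ebook: an append-only consent ledger with one event per subject and per purpose (so consent is granular, as the sign-up form section requires), where a later opt-out on the telephone overrides an earlier web-form opt-in, and where every event keeps a pointer to its evidence (form version, call reference). The subject ids, purposes and evidence references are constructed sample values.

```python
"""Consent ledger: an added example (not from the ebook) of recording consent
in a structured, auditable way, one event per subject per purpose."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentEvent:
    """One thing that happened: consent given or withdrawn for one purpose."""
    subject_id: str   # hypothetical internal id, not the email address itself
    purpose: str      # granular purpose, e.g. "newsletter", "product-updates"
    given: bool       # True = consent given, False = withdrawn / opted out
    when: datetime    # timestamp in UTC
    method: str       # how it was captured: "web-form", "telephone", ...
    evidence: str     # pointer to the proof: form version, call reference, etc.


class ConsentLedger:
    """Append-only log of consent events; the current state is derived from it."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id, purpose, given, method, evidence, when=None):
        when = when or datetime.now(timezone.utc)
        event = ConsentEvent(subject_id, purpose, given, when, method, evidence)
        self._events.append(event)
        return event

    def has_consent(self, subject_id, purpose) -> bool:
        """Latest event for this subject and purpose wins; no event means no consent."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose:
                if latest is None or e.when >= latest.when:
                    latest = e
        return latest is not None and latest.given

    def audit_trail(self, subject_id) -> List[dict]:
        """Everything recorded for one subject, oldest first: this is what you
        show when asked how and when consent was obtained."""
        rows = [e for e in self._events if e.subject_id == subject_id]
        rows.sort(key=lambda e: e.when)
        return [{"purpose": e.purpose, "given": e.given, "when": e.when.isoformat(),
                 "method": e.method, "evidence": e.evidence} for e in rows]


def demo() -> dict:
    """Constructed sample data: one subject opts in to two purposes via a web
    form, then later withdraws one of them by telephone."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("subj-001", "newsletter", True, "web-form", "signup-form-v3", t0)
    ledger.record("subj-001", "product-updates", True, "web-form", "signup-form-v3", t0)
    ledger.record("subj-001", "product-updates", False, "telephone", "call-ref-4711",
                  datetime(2018, 7, 15, 14, 30, tzinfo=timezone.utc))
    return {
        "newsletter": ledger.has_consent("subj-001", "newsletter"),
        "product_updates": ledger.has_consent("subj-001", "product-updates"),
        "unknown_purpose": ledger.has_consent("subj-001", "sms"),
        "trail_length": len(ledger.audit_trail("subj-001")),
    }
```

The point of deriving the current state from the log rather than overwriting a flag is that the “how and when” the ICO asks for is always there: the trail for a subject shows the original opt-in and the later opt-out, with the evidence reference for each.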
You should already have a privacy notice on your website that outlines what is done with the data that people submit and what cookies you use. GDPR explicitly states that details relating to how data is used must be concise, transparent, written in clear English and be available to anyone, free of charge. The thinking behind this is that it enables people to understand what you plan to do with their information in no uncertain terms.
This is all about the transparency element of GDPR. People have a right to know what data you’re collecting. The ICO publish some great guidance about how to write your own privacy notice including actual examples of how to create your own notice and different approaches to deal with specific situations – it’s a great resource.
But even with the ICO guidance, creating a meaningful privacy notice is heavy going. Fortunately, there are third-party services like Iubenda or Termsfeed that generate a policy for a fee and include wording for the specific services you use, like Google Analytics or Facebook.
Privacy notices are not confined to the website. The ICO lists the following examples:
- Orally – face to face or when you speak to someone on the telephone (it’s a good idea to document this).
- In writing – printed media; printed adverts; forms, such as financial applications or job application forms.
- Through signage – for example an information poster in a public area.
- Electronically – in text messages; on websites; in emails; in mobile apps.
There are also specific types of privacy notice, including the layered approach which is very helpful to marketers in particular as it ensures that design is not compromised by having to include masses of privacy notice text.
With an estimated 50 million websites using Google Analytics as the provider of choice, there’s a fair chance your site is among them. The good news is that for most use cases, Google Analytics does not store any personally identifiable information, so you can probably carry on with your existing setup without much to worry about.
More advanced analytics software that can identify specific organisations that have visited your website, for example Lead Forensics or Canddi, is approaching this from the point of view of legitimate interest.
The reasoning behind this is that if someone actively visits your website, which is basically a marketing tool, it is in your legitimate interest to process that individual’s data. Which makes sense; after all, why would they be on your website if they weren’t potentially interested in your products or services?
Buying data lists
There is still some argument about whether data lists will go the way of the dodo come 25 May 2018 – certainly there was a big fear that would be the case throughout 2017.
But largely speaking, reputable list owners and brokers are taking the approach of legitimate interest, i.e. they are willing to provide lists that are regularly updated and accurate. The onus is then on you to ensure that your use of that list is legitimate and, of course, that you look after it securely and treat data subjects honestly.
So, in that regard not much has changed – until PECR is updated at least…
Storing data in a GDPR world
This is the part of GDPR where things take a more procedural focus and security and transparency become the watchwords. It’s all about ticking boxes and having a robust process in place. It’s also the moment to engage your IT team.
This is incredibly important. You need to understand, and be able to demonstrate, that you have clear knowledge of what data you have, where it is stored and what security measures you have in place to keep it safe.
The first step is to conduct a data storage and use audit. You might need to consider:
- What data do you and your department hold?
- Bought-in data, web capture forms, event attendees – look for everything.
- What data is stored in cloud systems (CRMs, email broadcast systems etc.)?
- What data is stored as spreadsheets or other digital file formats?
- Is any of this data stored on local computer hard drives (even tucked away in downloads, temporary files, the recycle bin or attached to an email)?
Depending on the scale of your organisation, you could do this manually. If that seems unwieldy, there are plenty of software systems that will scan hard drives, servers and email accounts for GDPR relevant data and provide detailed reports for you to work through.
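To show what the “scan hard drives for GDPR-relevant data” step actually does, here is an added example (not from the ebook, and not one of the commercial scanning tools) in Python. It walks a folder tree, looks inside text-based files for patterns that usually mean personal data (email addresses and UK-style phone numbers) and reports a count per file, including files hiding in places like a Downloads folder. The sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Added example: a small personal-data scanner for the data audit step."""
import os
import re
import tempfile
from typing import Dict

# Patterns are deliberately broad: an audit wants to over-find, then review by hand.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UK_PHONE_RE = re.compile(r"(?:\+44\s?|0)(?:\d\s?){9,10}")
# Only text-like formats are opened; binary files (images, etc.) are skipped.
TEXT_EXTENSIONS = {".csv", ".txt", ".md", ".json", ".eml", ".log"}


def scan_file(path: str) -> Dict[str, int]:
    """Count likely personal-data matches in one file. Unknown encodings are read
    permissively so that one odd byte does not abort the whole audit."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"emails": len(EMAIL_RE.findall(text)),
            "phones": len(UK_PHONE_RE.findall(text))}


def scan_tree(root: str) -> Dict[str, Dict[str, int]]:
    """Return {relative path: counts} for every text-like file with at least one hit."""
    findings: Dict[str, Dict[str, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            counts = scan_file(full)
            if counts["emails"] or counts["phones"]:
                findings[os.path.relpath(full, root)] = counts
    return findings


def demo() -> Dict[str, Dict[str, int]]:
    """Build a constructed sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="gdpr-audit-")
    os.makedirs(os.path.join(root, "Downloads"))
    samples = {
        # an event lead list that someone exported and forgot about
        "event-leads.csv": "name,email,phone\nA Person,a.person@example.com,07700 900123\n",
        # an old export tucked away in Downloads
        os.path.join("Downloads", "old-export.txt"): "b.person@example.org\n",
        "notes.txt": "nothing personal here\n",
        "logo.png": "\x89PNG not text",  # skipped by extension
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)
```

The output is a worklist, not a verdict: every file it names still has to be looked at and either consolidated into the proper system or deleted, which is exactly the clean-up the next paragraph describes.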
Once you know what you’ve got, you need to ensure it is stored correctly. Purely from the point of view of good record keeping, this is your opportunity to delete any unnecessary copies (Excel spreadsheets being the worst offender – they seem to multiply on their own). The idea being you have a clean and tidy filing system ideally with a minimal number of duplicate data records, all appropriately labelled for ease of reference.
Now you need to decide where you are going to store this. Assuming that most organisations will use some sort of file server, be that a physical device, Microsoft OneDrive or even Dropbox, it’s time to talk to your IT people about some specifics.
Questions you need to ask IT include:
- Encryption – how is the data encrypted?
- If it isn’t encrypted, how do you password protect files, and can you use two-factor authentication?
- How are passwords managed in your organisation? Do you use Post-it notes stuck to monitors [shriek] or is there a password manager?
- If you open data held securely on a server via your computer, are temporary copies made or stored? If so, how can these be deleted to avoid files being left out in the open?
For data that you don’t store on your own servers, make sure you check the processing agreements in place with third-party software providers. The likelihood is they will be ahead of the curve and have GDPR in hand, but at the very least check the small print.
For most marketing applications, taking the time to understand what data you hold and then working with your IT team to consolidate it and make it secure will be sufficient to comply with GDPR. Remember, the ICO wants companies to be responsible and follow good practice, so a measured, documented approach will stand you in very good stead should you ever have to answer any questions from the ICO!
Pseudonymisation and anonymisation
For a lot of day to day marketing applications, using legitimate interest will provide a sound basis for processing data. Where things get more complicated is when you plan to use data to run profiling exercises or analyse the data in a way that a data subject might not expect or have given consent for.
In these instances, you can turn to pseudonymisation or anonymisation to carry out your processing. Anonymisation is by far the simplest approach here. It means you delete enough of the data that it can no longer be used to identify an individual…simple.
Pseudonymisation, however, means removing a portion of the data and storing it separately, or obscuring it, so that what remains cannot on its own identify an individual. Clearly there are risks associated with this approach, because if the data is joined back up again after you’ve processed it, and the results of that processing are attached to an individual, then you’ve probably broken the law.
For most marketers, it’s not going to be an issue, but if you fall into this category of processing, take extra care!
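The difference between the two approaches is easier to see on actual records, so here is an added example (Python, not part of the ebook) run over a handful of constructed marketing records. Pseudonymisation swaps the email address for a keyed token (an HMAC, with the key held away from the working data); anonymisation drops the identifier altogether and coarsens the fields that could still single someone out (full postcode to outward code, exact age to a ten-year band). The `relink` function demonstrates the risk the text warns about: whoever holds the key can join the pseudonymised results straight back to the people. The record values, key handling and field choices are all assumptions made for the illustration.

```python
"""Added example (not from the ebook): pseudonymising versus anonymising
a set of marketing records, and why only one of them removes the link."""
import hashlib
import hmac
import secrets

# Constructed sample records; people, addresses and figures are fictional.
RECORDS = [
    {"email": "a.person@example.com", "postcode": "SW1A 1AA", "age": 34, "spend": 120},
    {"email": "b.person@example.org", "postcode": "M1 1AE", "age": 51, "spend": 80},
    {"email": "c.person@example.net", "postcode": "SW1A 2AA", "age": 29, "spend": 200},
]
IDENTIFIERS = ("email",)  # direct identifiers, removed in both approaches


def token_for(email: str, key: bytes) -> str:
    """Keyed pseudonym. An unkeyed hash would be worse: anyone could recompute
    it from a list of email addresses without needing any secret."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the identifier with a token. The key (and any token-to-email
    table) has to live somewhere other than the working data set."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
        pseudo["subject_token"] = token_for(rec["email"], key)
        out.append(pseudo)
    return out


def relink(pseudo_records, key: bytes, candidate_emails):
    """The risk made concrete: with the key, processed results join back to
    named individuals, which is the situation the text says to avoid."""
    index = {token_for(e, key): e for e in candidate_emails}
    return [dict(rec, email=index.get(rec["subject_token"])) for rec in pseudo_records]


def anonymise(records):
    """Drop the identifier outright and generalise the quasi-identifiers so no
    single row points at one person: outward postcode only, age in 10-year bands."""
    return [{"area": rec["postcode"].split()[0],
             "age_band": f"{rec['age'] // 10 * 10}s",
             "spend": rec["spend"]} for rec in records]


def demo() -> dict:
    key = secrets.token_bytes(32)  # in practice generated once and stored separately
    pseudo = pseudonymise(RECORDS, key)
    anon = anonymise(RECORDS)
    joined = relink(pseudo, key, [r["email"] for r in RECORDS])
    return {
        "pseudo_has_email": any("email" in r for r in pseudo),
        "pseudo_tokens_distinct": len({r["subject_token"] for r in pseudo}) == len(RECORDS),
        "relinked_emails": [r["email"] for r in joined],
        "anon_fields": sorted(anon[0].keys()),
        "anon_first": anon[0],
    }
```

Two caveats a practitioner will want. First, the anonymised output still has to be checked as a whole: if only one person in the set lives in a given area and age band, that row still singles them out, so “delete enough” can mean coarsening further or dropping rare rows. Second, pseudonymised data is still personal data while the key exists anywhere in the organisation, which is why the text says to take extra care with it.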
GDPR places a good deal of emphasis on an individual’s right to be erased. For marketers, this is probably a case of deleting an individual’s record from the CRM, email or marketing automation system so shouldn’t pose too much of a concern.
It’s important to note though that deleting is not the same as simply unsubscribing. Erasure really does mean erasure, on all live systems and backups too. Which is another reason why it is so important to understand what data you have and where it is located.
Breaches and requests – not my circus, not my monkeys
One element we have mentioned but not yet explored in great detail concerns the processes you must establish and abide by when a data breach occurs or a subject access request is made.
Strictly speaking, neither is really the responsibility of the marketing department. But, because GDPR affects a good deal of what marketers do, there seems to be an expectation that we’ll somehow be across the non-related requirements too. It is very tempting to think of the phrase ‘not my circus, not my monkeys’ – a Polish phrase which translates as ‘not my problem’.
But there is a fair chance you’ll get dragged into this, so here’s what you need to know…
According to the ICO, it will be compulsory to report a personal data breach ‘if it’s likely to result in a risk to people’s rights and freedoms.’ What that means is that if the lost or stolen data can cause a person damage or distress, for example discrimination, identity theft or fraud, financial loss, damage to reputation or loss of confidentiality, then it must be reported.
Confusingly, there are no hard and fast rules about what exactly constitutes such a risk, so breaches will need to be judged on a case-by-case basis. But breaches that do fit the bill will need to be reported without undue delay and no later than 72 hours after having become aware of it.
For the coming months and maybe even years, while the limits of GDPR are being tested and checked, it is probably sensible to err on the side of caution. After all, nobody wants to be first in the UK to get a fine, no matter how unlikely.
As such, data breaches certainly need to involve your legal, IT and senior management teams along with a documented approach for reporting. There is a lot of useful information on the ICO website.
Subject Access Requests
We’ve spoken about the rights that individuals will have under GDPR, and one thing everyone is entitled to is reviewing what information an organisation holds on them.
Individuals can ask data controllers whether they are processing any data about them and, if the controller is, they can also request a description of that data, the reasons why the controller is processing it, and who it might be disclosed to.
This is known as a Subject Access Request, and all information must be delivered to the data subject free of charge, within one month of the request being made and in an electronic format.
Now, this might sound entirely feasible but imagine being a retailer with hundreds of thousands of data subjects. What if they all turned around and demanded this bank of information on them? Are you capable of withstanding such a huge amount of work?
The good news is that you’ve already scoped out where your data sits. Can you track all of this swiftly, and is there any data that you cannot deliver to an individual? You can’t ignore these requests so setting up a procedure that can rely on the powers of data tracking tools and automation will help take a considerable chunk of the burden off your shoulders. However, you’ll still need manpower to oversee these requests and ensure that you don’t supply anything intended for another recipient – a potential data breach in itself!
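Because both erasure (every live system and backup, as the earlier section says) and subject access requests (everything held, from every system, in an electronic format, within a month) depend on knowing where the data sits, one inventory can serve both. The following is an added example in Python, not the ebook’s own procedure: each store (CRM, email platform, a backup) registers with an inventory that can find and erase records for one subject; a SAR export pulls from every store, checks that nothing belonging to anyone else has crept into the package (the accidental breach the text mentions), and records the response deadline; an erasure runs across every store, backups included, and verifies that nothing remains. The in-memory stores, the sample records and the “same calendar day next month” deadline calculation are assumptions for the illustration.

```python
"""Added example (not from the ebook): one data inventory that answers subject
access requests from every registered store and erases from every store,
backups included. Stores here are in-memory stand-ins for real systems."""
import calendar
import json
from datetime import date
from typing import Dict, List


def add_one_month(d: date) -> date:
    """Same day next month, clamped to the month end (illustrative reading of
    'within one month'; your legal team decides the real rule)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


class Store:
    """A registered data store: a name plus find/erase for one subject.
    A real store would wrap the CRM API, the mailing platform or a backup set."""

    def __init__(self, name: str, rows, is_backup: bool = False):
        self.name, self.rows, self.is_backup = name, list(rows), is_backup

    def find(self, subject_email: str) -> List[dict]:
        return [r for r in self.rows if r.get("email", "").lower() == subject_email.lower()]

    def erase(self, subject_email: str) -> int:
        before = len(self.rows)
        self.rows = [r for r in self.rows if r.get("email", "").lower() != subject_email.lower()]
        return before - len(self.rows)


class Inventory:
    def __init__(self):
        self.stores: List[Store] = []

    def register(self, store: Store) -> None:
        self.stores.append(store)

    def sar_export(self, subject_email: str, received_on: date) -> dict:
        """Everything held about one subject, as a machine-readable package."""
        export: Dict[str, List[dict]] = {s.name: s.find(subject_email) for s in self.stores}
        # Nothing belonging to another person may leak into the package.
        for rows in export.values():
            if any(r["email"].lower() != subject_email.lower() for r in rows):
                raise ValueError("export contains another subject's data")
        return {"subject": subject_email,
                "received": received_on.isoformat(),
                "deadline": add_one_month(received_on).isoformat(),
                "data": export,
                "json": json.dumps(export, sort_keys=True)}

    def erase_everywhere(self, subject_email: str) -> dict:
        """Erasure means every store, backups included, and a check afterwards."""
        removed = {s.name: s.erase(subject_email) for s in self.stores}
        remaining = sum(len(s.find(subject_email)) for s in self.stores)
        return {"removed": removed, "remaining": remaining}


def demo() -> dict:
    """Constructed sample: three stores hold data on two fictional people."""
    inv = Inventory()
    inv.register(Store("crm", [{"email": "a.person@example.com", "company": "Acme"},
                               {"email": "b.person@example.org", "company": "Bmart"}]))
    inv.register(Store("email-platform", [{"email": "a.person@example.com", "list": "newsletter"}]))
    inv.register(Store("crm-backup-2018-06",
                       [{"email": "a.person@example.com", "company": "Acme"}], is_backup=True))
    sar = inv.sar_export("a.person@example.com", date(2018, 5, 31))
    erased = inv.erase_everywhere("a.person@example.com")
    return {"sar_stores_with_data": [n for n, rows in sar["data"].items() if rows],
            "deadline": sar["deadline"],
            "removed": erased["removed"],
            "remaining": erased["remaining"],
            "others_untouched": len(inv.stores[0].find("b.person@example.org"))}
```

The same registration step that makes the SAR answerable is what makes erasure complete: a store that was never registered (the spreadsheet copy in someone’s Downloads folder) is exactly the one that gets missed on both counts, which is why the audit comes first.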
Again, this really isn’t a marketing issue, but as marketers are being thrust into the GDPR spotlight, it’s undoubtedly wise to be across this. We strongly recommend working with your IT team, software suppliers, HR team and wider management to ensure that everyone’s responsibilities and commitments are agreed. This is uncharted territory for a large proportion of businesses, and more information will come to light once individuals can request this information.
Have you found yourself struggling to get to grips with GDPR because the language used is just so clinical? Don’t worry, so have we!
Here is our glossary that outlines the key terms used in the legislation and what they mean. We’ve got you covered!
- Biometric Data – Data that relates to physical and behavioural characteristics of an individual – retina scans or fingerprints and the like.
- Breach Notification – A data breach must be reported within 72 hours to the relevant supervisory authority if it could risk the ‘rights and freedoms’ of the data subject.
- Consent – An individual’s freely given permission for the processing and control of their personal data.
- Controllers – The people responsible for stating how and why specific personal data is processed. Sounds a little Harry Potter to us!
- Data Breach – The destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, like laptops left on trains or hacked Cloud accounts.
- Data Erasure – Also known as data wiping or data clearing. It is a software-based method of overwriting data, rendering it unusable and unrecoverable. Give your data A Little Respect. Geddit?!
- Data Portability – The idea that data should be stored in a format that is easily transferable between data controllers, not on incompatible closed platforms or formats. For example, when you transfer phone providers or change bank accounts. This information must be easily digestible by the receiving party.
- Data Subject – The person to whom the data relates. You, me, everyone else.
- Double Opt-In – A two-step process for ensuring that a data subject has confirmed that they wish to receive your communications. The first step is typically them filling out a sign-up form and the second step is them confirming the opt-in by following a confirmation link.
- Data Protection Officer (DPO) – An individual within an organisation, or appointed externally, who is responsible for ensuring data protection processes are GDPR-compliant. You must appoint a DPO if you’re a public authority, if you carry out large-scale monitoring of individuals (tracking online behaviour, for example) or carry out large-scale processing of special data or criminal conviction data.
- GDPR – General Data Protection Regulation.
- Genetic Data – Data that relates to any inherited or acquired genetic characteristics. For example, this includes fingerprint records and other biometric data.
- ICO – Information Commissioner’s Office.
- Legitimate interest – one of the lawful grounds for data processing. In short, it refers to the ‘why’ of data processing – is processing this data, for whatever reason, relevant and something the data subject may expect to have happened to their information.
- Personal Data – Data or any information or data types relating to the individual or ‘data subject’ that can be used to identify them. See also: Genetic Data, Biometric Data, Special Data, Sensitive Personal Data and Standard Data.
- Privacy By Design – A principle that ensures data protection is compliant with GDPR from the onset of system design, rather than as an addition.
- Processors – A person whose role is to process data, such as service providers. The processor usually does this under the data controller’s instructions. (Do the Dementors report into these guys?)
- Protection Impact Assessments (PIA) – A process which helps an organisation to identify and reduce the privacy risks of a project. The assessment is mandatory if a breach is likely to risk the rights and freedoms of the people affected.
- Right To Be Forgotten – Also known as ‘The Right To Erasure’. The data subject has the right to request Data Erasure. The Data Controller is obliged to honour this request.
- Sensitive Personal Data – Information relating to the subject’s racial or ethnic origin, political views, religion, trade union activities, health, sexuality and criminal record.
- Soft Opt In – A previously acceptable form of gathering consent, this method is not considered explicit under GDPR. It refers to the ‘assumed’ consent of an individual, through methods such as pre-filled tick boxes or the thinking that, if an individual didn’t say ‘no’, it could be assumed that they have said ‘yes’.
- Special Data – An umbrella term encapsulating biometric, genetic and sensitive personal data. Simply, anything beyond the boundaries of Standard Data.
- Standard Data – Simple contact details: Names, addresses, email addresses, contact numbers and digital identifiers.
- Subject Access Right – The data subject is entitled to know, and ask you to provide, what and how their personal data is being processed.