When the General Data Protection Regulation (GDPR) comes into force on the 25th of May, many businesses and organisations believe that the new requirements set out by the legislation circumvent and replace any existing legal bills. However, this is not entirely the case.
While the GDPR certainly replaces its predecessor, the Data Protection Act, it also sits alongside another piece of legislation, the Privacy and Electronic Communications Regulation (PECR). This is a UK-wide law, and you will need to ensure that you comply with both regulations after the GDPR comes into force.
PECR gives marketers specific rules for sending marketing emails, SMS messages and making telemarketing calls. These include the requirement for consent from the named individual that you’re contacting, as well as offering clear, regular and unambiguous opt-out mechanisms.
As always, there is an exception to the rule. It’s commonly referred to as a ‘soft opt-in’ under PECR, which means you can still contact people if you’ve obtained their details via the course of a sale of your products or services; you’re only marketing your own products and services and you provide ample opt-out mechanisms, such as unsubscribe links.
When it comes to GDPR, you are able to process data under six lawful bases and the two that apply to marketers are consent and legitimate interests. PECR isn’t affected by this, but under GDPR, any consent you gather must be at the level the regulation outlines: clearly obtained, actively sought (so no pre-filled check boxes anymore) and for a reasonable timeframe in relation to the services you offer. For example, if your sales nurturing cycle is 18-24 months, then it’s reasonable for the recipient to assume that they will hear from you during that time period.
Consent is a clear-cut, black and white reason for processing that personal data. The other basis we’ve mentioned is legitimate interests. While it’s certainly subjective, if you’re realistic with who would be interested in the services/products you’re promoting then you should be able to stand by your decision.
Using legitimate interests as the basis for processing the personal data that you hold is a likely route for a large part of our efforts as marketing professionals. Think of it this way – if you know who you target with your electronic communications, have audited your data to remove anyone without a legitimate interest in your company’s offering and have a clear method of opting people out, you can continue doing what you’re doing.
Our GDPR eBook clearly outlines this and many of the other issues that us as marketers face with moving towards compliance. Designed to be a useful tool for those in the profession, it can help you understand more about our role within the regulation’s requirements.