Scope & Disclaimer: GDPR is likely to have a far wider impact on your business than just your marketing activities, therefore it is recommended that you read Information Commissioner’s Office (ICO) guide to GDPR in order to fully understand the impact on your business. This starter guide is solely focussed on the impact GDPR on your marketing activities. As with any new regulation, the interpretation can vary from one source to another. Kandidly makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability or suitability with respect to the information contained in this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
What is GDPR and why should I care?
GDPR comes into effect on 25th May and is designed to harmonise the data privacy laws across Europe, in other words, it standardises the way personal data of EU citizen must be processed, irrespective of whether the data is being processed within Europe or outside. Her Majesty’s Government has already confirmed that GDPR will be enshrined into UK law from 25th May and beyond Brexit, therefore, this regulation is here to stay.
Okay, so what’s changing?
Quite a few things, but here is what you need to know about from marketing perspective.
Data Protection Act 1998 required businesses and public authorities to process data on a lawful basis and there is nothing new on this in front in the GDPR other than the fact that you now have to be completely open and transparent about your intent and purpose of processing the data and GDPR provides EU citizens with eight very specific rights which are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
As far as lawful bases of processing the data are concerned, the two that are likely to be used by most business in the marketing context are ‘Consent’ and ‘Legitimate Interest’, here’s how ICO defines these:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
So consent is relatively straightforward, the data subject (a person whose data is being processed) must give informed and explicit consent.
Using ‘Legitimate Interest’ as the lawful basis, on the other hand, is tricky and here’s why. This is what clause 47 has to say:
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
I have highlighted the last sentence of that clause but it must be read in the context of the entire statement. More importantly, where it states that the data subject must reasonably expect at the time and in the context of collection of the personal data that processing for that purpose will take place.
The question is, how do you prove that the data subject would have reasonably expected the data to be processed in the way that you as a business intend to use it? So use this lawful basis carefully as it may be hard to prove it if a claim is made against your business.
okay, so what particular marketing activities will GDPR effect?
- Ensure your data subjects are well informed of what data you are collecting and how you intend to use it;
- making clear the lawful basis for processing this data; and
- how the data subjects can excise any of their 8 specific rights
How you handle cookies: If you have a website then you are most likely using cookies. The first thing to note is that cookie is classed as a unique identifier and therefore by extension it is seen as personal data by the EU.
As per the EU cookie law 2011, you had to explain that your website was using cookies and get consent from the user. The interpretation and implementation of this law varied with most websites displaying small banners stating that by continuing to use the website, the visitor is giving consent to all cookies being used. This implementation will no longer be suitable under GDPR. Here’s clause 70 that which provides a hint as to why not:
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
So each type of cookie that you use on your website will require a clear and separate explanation as to why it is being used (purpose) and the data subject should be able to exercise their rights for each of the cookies in questions which is to either give consent (lawful basis) or not amongst other things.
The example above illustrates how you may need to present the cookie message. Kandidly does not endorse this message, neither can it confirm that this is GDPR compliant.
You can no longer package all your cookies into one statement and expect your site visitors to consent to all or nothing. You can’t deny access if they opt out either. It is therefore in your own interest to separate the cookies consent options in order to ensure that you get consent for the most important cookies, the lack of which may affect your site performance and/or user experience.
On a related but separate point, browsers may also have a role to play here with Apple being the first one to implement what it calls Intelligent Tracking Prevention to the annoyance of the ad tech industry. As a business, you cannot rely on browsers presenting users the options to give or withdraw consent to individual cookies, the onus will still be on you to present the relevant information and consent options to your website visitors.
Email marketing: Another tricky territory, especially if you are using third-party email database. Why? Because you will have to prove lawful basis, it will be almost impossible to use ‘Legitimate Interest’ as when data was collected, it is unlikely that the data subject would have reasonably expected your business to use their data for the purposes of sales and marketing. So consent is the only option. If the data subject gave consent to the third-party (that you have bought the data from) for their data to be used for sales and marketing purposes by specifically your business or any business in general then you may be in the clear otherwise you can probably no longer store, let alone use that data.
As far as first party data is concerned (the data that you have collected yourself), you have to figure out the lawful basis for continuing to use that data. Did you get consent from the data subject? Is the purpose of processing the data still the same now and will remain so in the future, as it was at the point of collection? If not then you have to carefully consider the next steps.
Here’s what ICO has to say about this:
You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
So if the purpose presented to the data subject at the point of collection is different now then you can’t continue to process the data unless you get the consent again.
Finally, there is no doubt that best practices around email marketing will look profoundly different come June 2018 then they do now and this change is more likely to be spearheaded by email mar-tech companies such as MailChimp.
It is worth noting that use of first-party cookies such as web analytics where you are purely be using it to identify site performance and user behavior in a non-personally-identifiable way (for the technically-savvy out there, it means no custom dimension) then you may not need to get consent as it may be classed as essential for delivering the best user experience and therefore satisfy the lawful basis of ‘legitimate interest’, however, this is not a recommendation and you should get legal advice or wait and watch and see how the big tech companies deal with this situation.
Careful attention should be paid to the set up of web analytics tools as additional features such as remarketing or profiling users based on their interest is something that needs to be disclosed to the user in plain English. Furthermore, you also need to explain which parties will use the data, how and for what purpose. This should be seen as a binding ‘consent contract’ and you need to facilitate the 8 rights mentioned earlier in this article.
Online Advertising: Okay, so this one has billions of dollars at stake. Facebook, for example, buys third-party data and layers it with first-party data to help advertisers target users based on behaviour or socio-economic status. This, by and large, is Facebook’s problems so it needs to figure out a way to keep on using the data or stop. It does affect advertisers only if Facebook and Google (amongst other ad tech companies) can no longer rely on third-party data, this will lead to less effective advertising at least in short term.
There is an aspect of GDPR that does effect advertisers directly, that is ‘customer audiences’ feature on Facebook and ‘customer match’ feature with Google AdWords. They are more or less the same thing and it involves businesses sharing data of their ideal customer (names, email ids, phone numbers etc.) with Facebook and Google and the two will then try to profile these customers on their respective platforms and allow the business to target them directly or find other people that show similar attributes to your ideal customer.
This activity is likely to stop past 25th May 2018 unless you can get explicit consent to use your customer’s data for profiling them on the web. The lawful basis of ‘legitimate interest’ is not likely to wash with the European Commission or indeed the UK government.
GDPR is set to bring about the biggest change marketers have seen for a generation. The only option for businesses is to adapt or perish. Some companies that have their entire business model based on collection and sale of data will struggle and some will indeed perish. No one is predicting the demise of Facebook or Google and given what’s at stake (a multi-billion dollar industry) new and innovative solutions will be invested.
So what about the small businesses? If you are a small business then you need to be ready for this change, no one knows what the perfect solution is right now so as long as you put necessary measures in place to be compliant and stop carrying out activities that are against the spirit of the regulation then you should be clear in the short-run. Beyond that it’s the case of monitoring the developments closely and changing course as required.
Image source: Cookiebot