Infographic GDPR: Frequently Asked Questions
The General Data Protection Regulation extends consumer protection around corporate use of private data and, from May 25th 2018, brings in massive fines of up to €20m or 4% of global turnover for companies who flout the rules. It will replace existing laws, such as, in the UK, the Data Protection Act, 1998.
Personal data must be stored safely and only for as long as it needs to be held. The so-called “right to be forgotten” is clarified. Any person can ask a business to disclose what data they hold on them and request it is deleted. The definition of personal data has been extended to not only include name, address, medical history and date of birth but also new identifiers, such as social media user names. Any security breach must be reported to the country’s information watchdog – the Information Commissioner’s Office in the UK. Fines for breaching the law can go up to 4% of a company’s global turnover.
This is where the biggest changes apply; namely, consent has to be provable through a clear affirmation from a consumer. A passive acceptance of a pre-ticked box is no longer acceptable, and neither is an assumed opt-in which requires a tick to opt out. Those tricky ways of getting people to sign up to hand over their data for future contact will be consigned to the past. Instead, it has to be clear what the data will be used for, and consent has to also be freely given, meaning it can’t be bought with an offer not available to those who do not
Any channel that relies on personal information which clearly reveals the identity of an individual will be impacted. So, in terms of pushing out messages to customers and prospects, notable channels impacted will include direct mail, because it relies on postal addresses; social, because it requires user names to be held; telesales and SMS, because each needs a lead’s number; and email, which requires an email address to land in an inbox. Consent has to be clear and unambiguous, and so too does the use a company has in mind. So businesses will have to be clear about asking permission if they want to go beyond using contact details to better serve a customer. Businesses wanting to go beyond a courtesy call to let someone know their car is repaired, or the shoes they ordered are now in stock, will need to get clear and unambiguous permission for each use of each type of personal data. The details cannot be automatically added to a marketing database.
It’s possibly b2b marketing which will feel the biggest change, because b2c rules have always been comparatively tighter. The grey areas much of b2b resides in, though, are being brought more into line with b2c. So, while the bowl of business cards at an event stand can be used for a competition, it cannot be used to build a contact database for future emails and mail shots. Personal data, such as email addresses containing a person’s name rather than a generic department, and a sole trader’s address or telephone number, can only be stored and used for marketing purposes with explicit consent. Generic data, such as a head office address or a firstname.lastname@example.org non-personal email address, will not be affected. Business contacts have a right to opt out of communications and that must be honoured. Any lists that are bought in should be compared to a business’s own list of opt-outs. Contacts can also request to know what information a business has on them and ask for it to be corrected or deleted.
Yes, but these are generally meant for organisations – such as banks and government authorities – who have a need to store personal data to fight fraud and offer high quality services. The ICO has clearly been concerned by chatter in marketing circles that such a ‘legitimate interest’ can easily be used instead of consent. It was minded recently to issue a warning to marketers that alternatives to consent cannot be assumed; they will only apply if a business truly does have a very clear “legitimate interest”. For example, a utility firm needs to hold a postal address for a customer to issue a bill or a late payment warning and cannot be bound by requiring permission to do so, otherwise it could never chase payment. A local authority could not issue parking fines if it relied on the consent of those it is fining to receive an unwelcome letter.
If marketers cannot prove that informed consent to store and act on personal data has been freely given, it’s time to repermission databases. Very few businesses will have had the foresight to predict GDPR, and so repermissioning is now widespread. Businesses need to be up front about wanting to continue to be able to call, text, email or write to customers, and offer them the option of signing up for continued contact. If it is not forthcoming, that person’s personal data should be removed from marketing databases. This will obviously have a massive impact on the size of lists for each marketing channel but, on the bright side, a thorough spring clean of data will at least cleanse databases of customers who have no interest in a particular set of products or services.
Children are considered “vulnerable individuals” under GDPR, and so to hold data on a child under 16 and use it for marketing purposes requires parental permission. This is the age to bear in mind, although some countries in the EU will allow data to be held without parental permission for children aged as young as 13 or over. Each country is different, but a good rule of thumb is to assume under 16s need parental permission.
Any company where there is a clear value exchange for personal information will likely find repermissioning data not overly difficult. Social media sites, email providers, search engines and high profile publications, for example, should find people still want to offer their personal data in return for a service they truly value. Brands with loyal, engaged fan bases will similarly find their lists shrink the least. It is organisations who have been unclear in how they persuade people to hand over personal data and inadvertently give permission to use it that will be affected the most.
Yes, the UK will still be in the EU on May 25th 2018, so it automatically applies. It is also highly unlikely the UK would prevent its marketers working with brands selling to EU citizens post Brexit. Hence, it is almost certain to remain law, albeit potentially under a new name.