HOW TO MAKE SURE YOU’RE PREPARED FOR GDPR

The end of May next year might seem a long way off. But time flies when you’ve got something as significant as the new GDPR legislation to get ready for.

This explains why, with a year to go, only 54% of businesses surveyed by the Direct Marketing Association (DMA) expected to be compliant. 25% hadn’t started looking into it at all.

So what should the unprepared be doing right now to get their businesses in shape?

FIRST OF ALL, WHAT IS GDPR?

GDPR stands for the General Data Protection Regulation. This EU-wide legislation (which will be implemented by the UK despite leaving the EU) aims to give individuals more control over how their personal data is used.

Illustration of a European Union long-shadow flag with a padlock, symbolising the upcoming GDPR legislation. Image credit: DMC Canotec

It also wants to simplify the legal environment around data protection for businesses by making the rules identical right across the EU.

Hefty fines will be dished out for breaches and non-compliance.

WHAT DOES IT MEAN FOR MARKETEERS?

Any business that has personal and/or sensitive data on its customers will be more accountable for how it uses that data.

  • PERSONAL DATA: A piece of information that can be used to identify a person
  • SENSITIVE DATA: Genetic data, information about religious and political views, sexual orientation etc.

So it goes without saying that marketeers responsible for their companies’ databases need to be 100% clued up on the legislation. Particularly so around these four elements…

The definition of ‘consent’
Consent needs to be ‘freely given, specific, informed and unambiguous’. This means the end of pre-ticked boxes and other opt-out tactics, as a ‘clear affirmative action’ must be taken to articulate consent.

The right to be forgotten
Individuals must be given a clear means of accessing (and removing, if necessary) their data. This applies not only when it has been unlawfully used, but whenever the individual decides to withdraw consent for it to be used on the original terms.

The legal basis for processing personal data
Why, legally, is your company justified in holding and using any personal data it has on individuals? Knowing and understanding this (and making it clear in your Privacy Policy) is vital.

The definition of ‘legitimate interest’
There is a provision within the GDPR legislation referred to as ‘legitimate interest’. Some observers have suggested it could allow personal data to be obtained and used without consent, as long as there is a relevant reason. This is absolutely not the case, as this excellent article from PageFair confirms.

I HAVEN’T BEGUN PREPARING. WHERE DO I START?

Anyone in this boat really needs to get paddling fast.

Begin by reviewing and cleansing your database(s). You need to ensure that you can prove how you gained consent for the information you hold on each person within it.

If this isn’t possible, using the affected data from May 2018 runs the risk of breaching the GDPR laws. So it is strongly advisable to get in touch with the affected customers, ask them to verify their details and get their express permission to opt in. Ensure that the aforementioned legal basis for opting in is made abundantly clear.

With a rich history of successful email campaigns, we can provide the perfect creative solution to maximise the effectiveness of this process.

An iPad, a laptop, a mobile and a desktop screen, each showing a different email campaign by the creative agency Ready

WHAT ELSE SHOULD BE DONE AS A MATTER OF URGENCY?

There are a few more things you can do to get your house in order.

Educate your team
Create internal policies and processes that provide absolute clarity to everyone involved in handling and processing data.

Update your website
Change how you clarify the purpose of collecting personal data and what it is used for. Make it unambiguous, clear and simple, and make sure opt-in boxes are used in place of any pre-ticked ones.

Appoint a Data Protection Officer
Larger businesses in particular should consider handing responsibility to a dedicated individual. They can oversee the necessary changes post-GDPR and undertake routine data audits afterwards.

WHAT DOES THIS MEAN FOR FUTURE DATA CAPTURE CAMPAIGNS?

Essentially, any campaigns or competitions that request data from a subject must make it absolutely clear what purpose the data will be used for. The data can then only be used in this way. Creating another purpose to use that information will need further consent.

A typical online data capture form, including fields for first name, last name and email address

It’s essential to record how consent was given by everyone who submits their data, so it can be proved if required.

Again, it’s worth reiterating that the subject must be able to withdraw consent as easily as they give it, if they want to. And a pre-ticked box or any other ‘silent’ agreement doesn’t constitute consent!

Our position here is twofold. Firstly, the days of hoodwinking users into opting in are over. Honesty, transparency and simple mechanics enabling users to opt in and out are the future – and rightly so. This is long overdue.

Secondly, the brands that will ultimately win are those that not only deliver on the above, but focus on content and engagement that gives users a truly compelling reason to opt in – and stay opted in.