Our round-up and recommendations on practical steps to comply with European Union data protection and privacy legislation

Are you ready for GDPR? The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) comes into force in all 28 countries in Europe on 25th May 2018. It is a new regulation agreed by the European Union which seeks to improve transparency and the effectiveness of data protection activities. It affects how businesses must explain their processing to, and obtain consent from, new and existing prospects and customers who subscribe to their email lists and whose details are stored within CRM and other systems.

Our research found that only 6% of over 200 respondents said their company is ready:

[Chart: GDPR readiness]

If you’re unsure about what GDPR is, how or if it affects you, and how you can prepare for it in time without receiving a fine, our Email Marketing Manager has written a brand new guide detailing everything you need to know about GDPR.


What does the GDPR mean for marketers?

Where marketing is concerned, this completely changes the way we think about handling data. Direct marketers will need to demonstrate how their organization meets the lawful conditions for processing. If an organization cannot prove how it obtained consent, the likelihood is that it will be fined. Marketers must align themselves with the GDPR principles.

The collection of data needs to be relevant for the purpose. This means that if you have run a campaign or competition, you can only use the information for that purpose. Using that information for another purpose will need further consent from the data subject. This is bad news for marketing, as a common practice has been to grow databases using these methods. Marketing databases will need to be cleansed and reviewed to ensure your organization can identify whether consent has been granted lawfully and fairly, whether the data is being used for explicit and legitimate purposes, what data has been collected, and whether that information is accurate.

Consent must be given and not assumed

Consent plays a very big part in digital and direct marketing, as the Data Controller and Data Processor have to adhere to a clear set of boundaries, which are demonstrated in the following text taken from the regulation:

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (the General Data Protection Regulation).

If we analyze the regulation with reference to consent, there are definitely some clear guidelines that outline the dos and don’ts of gaining consent:

  • You must be able to demonstrate how the data subject has consented to the processing, which means marketing must record how consent was given and who gave it.
  • The data subject must be able to withdraw consent at any time (the right to object), and it shall be as easy to withdraw consent as to give it. Your policy and process must demonstrate how consent can be withdrawn.
  • Consent should cover all processing activities carried out for the same purposes.
  • If processing for multiple purposes, consent should be given for all of those purposes.
  • Consent should not be considered freely given if the data subject has no genuine or free choice.
  • Silent consent, pre-ticked boxes or inactivity should not constitute consent.

The rule of thumb is that consent must be given and not assumed. Already I am seeing corporations update their websites and change the language they use to clarify the purpose of collecting the data and what it is going to be used for. Then there is a physical action, such as an opt-in box, so they can record how the data subject gave consent. In the past, the purposes of using personal data would have been written in lengthy legal and corporate jargon. Under GDPR, however, the purpose has to be unambiguous, clear and simple. If it is not, it will not be accepted.

I have used the term personal data a lot within this blog, so to clarify: personal data is a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. If we focus on online identifiers, we can see that IP addresses, cookies, mobile IPs and even search engines will fall into the scope of GDPR.