The impact of the General Data Protection Regulation
There has been lots of discussion and confusion regarding the impact the General Data Protection Regulation will have on all electronically stored data once it comes into force next May.
The Government’s Information Commissioner’s Office has issued a 12 Steps to Take guideline which will help all SMEs work out whether they need to conduct a full audit of their data management procedures. We discussed this in our earlier blog – Demystifying GDPR for the SME Sector – where we explained how the new regulation applies to controllers and processors handling the personal data of individuals.
For marketers working in the B2C marketspace the regulations will have a serious impact if they are found to be non-compliant, as the customer’s consent becomes paramount to any agreement to hold and use data.
Electronic mail marketing
The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission.
However, there is an exception to this rule. Known as the ‘soft opt-in’ it applies if the following conditions are met:
- where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services;
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
Compliance for B2B once GDPR is in force
But there is still confusion over how the new regulations will affect B2B marketing and SMEs need to make sure they read up fully on the current situation. According to the Digital Marketing Association (DMA), the only difference between B2C and B2B marketers now is in connection with email and text marketing to employees of corporate organisations.
When dealing with sole traders or partnerships, the rules governing B2C marketing will apply to B2B marketers, so the general position for email and SMS will be that you will need opt-in consent. For telephone and direct mail, you need to offer an opt-out.
For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipient’s job role. This situation will not change under GDPR. These rules for email and text messages come under the Privacy & Electronic Communications Regulations (PECR) and this will not be affected by the implementation of GDPR.
The DMA has also issued an easy checklist which can be used by SMEs and marketers to audit their databases:
- What personal data does your business hold?
This could include prospect data (potential customers), current customers and lapsed customers.
- Where did this personal data come from?
Customer data (from transactions), bought in data (from a third party list), online data (cookies and web capture) and data from customer profiling.
- How does this data leave your business?
You sell the personal data to third parties, you share personal data with data processors, you store the personal data in a non-EU country.
Once you’ve completed this audit you will know whether you meet the compliance regulations for GDPR. There are six legal bases for processing personal data under the GDPR:
- Legitimate interest
- Legal obligation
- Public interest
- Vital interests of the data subject.
Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.
What this means, broadly speaking, is if your company is fully compliant with the DPA and is meeting the Privacy and Electronic Communications Regulations, you are already on your way to being compliant with GDPR. However, there is still time for this to change as PECR is also being reviewed and leaked versions of that show that the B2B “soft opt-in” may be removed.
Until we know what will happen with the PECR review, businesses should be refining what they already know and taking into account industry best practices when building strategies to communicate with potential customers.
Make sure you’re fully DPA and PECR compliant, audit your existing data, consider employing a Data Protection Officer if you don’t already have one, draft up a comprehensive data management plan and make sure all your employees are aware of the GDPR changes.
Plan a robust data management system in order to track engagement and honour ‘opt outs’ and you will put yourself in the best position not only to comply with the GDPR legislation, but to encourage ‘opt ins’ and engagement with your campaigns and content.