GDPR MARKETING OVERVIEW

MARKETING OVERVIEW GDPR - FIG › ... › 07 › GDPR-Marketing-Overview.pdf · BRANDING • DIGITAL • MARKETING & PR 7. PROVING CONSENT. OBTAINING . CONSENT IN PRACTICE. 1.ho consented

Jul 04, 2020


dariahiddleston

fig.agency

OVERVIEW

The GDPR will replace the Data Protection Act from 25th May 2018.

There will be no ‘grandfathering’ period thereafter – it is expected that all businesses will comply with GDPR as soon as it comes into force.


WHAT EXACTLY DOES THIS MEAN?

• All marketers will be affected by the new rules, so it’s important to prepare in advance of the new legislation.

• GDPR aims to move businesses away from a ‘box ticking’ mentality to build a ‘culture of privacy’.

• In a nutshell, the biggest change will be around how personal data can be used for marketing purposes, and how that data is stored and protected – putting the rights of the individual first and foremost.


WHAT IS ‘PERSONAL DATA’?

GDPR’s definition of personal data (Article 4.1) covers any information that could relate to an identifiable, living being. In practice, this could cover names, email addresses, phone numbers, social IDs etc.

THE SIX PRINCIPLES

GDPR is underpinned by six principles. Personal data should be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals

2. Collected for specified, explicit and legitimate purposes and not processed beyond those

3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed

4. Accurate and, where necessary, kept up to date

5. Kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed

6. Processed in a manner that ensures appropriate security of personal data

In effect, your organisation needs to be able to demonstrate compliance with all of these principles.

Failure to comply can lead to fines reaching £20 million, or 4% of last year’s global turnover, whichever is greater.


SO WHAT DO WE DO NOW?

Carry out an information audit: Look at how you collect and use information. Where is data collected and stored? Who is able to access this data? What security measures are currently in place?

Raise awareness internally: Make sure everyone is aware of GDPR and the impact it will have. Personal accountability is a must.

Review policies and statements: Look at what you currently tell users about how their data is used, and assess how far it goes to complying with GDPR.

Assess current policies and procedures: Do you have formal guidance in place should an individual want to know what information you hold on them? What happens if there is a security breach?

Get in touch with your technology providers: Compliance may rely on amendments to your systems (CRM for example). Speak with them to determine what changes they need to make and how they can support you.

Look out for updated guidance: The ICO will produce advice and guidance on interpretation of the GDPR. Please be aware, there is still no formal clarification on B2B marketing at this point.

LEGAL GROUNDS

Under the GDPR, there are six legal grounds on which you can process personal data. Each one is equal to the others, and relying on one of them will help you comply with the first principle: that data is processed lawfully.

1. The data subject has given consent

2. It’s necessary for the performance of a contract

3. It’s necessary for the controller to comply with a legal obligation

4. It’s necessary to protect the vital interest of the data subject or other natural person

5. It’s necessary to perform a task in the public interest

6. It’s necessary for the purposes of the legitimate interest pursued by the controller or third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

You will need to make it clear to data subjects which legal ground you’re using for the basis of processing data, and explain why in your privacy notice.


CONSENT

If we pursue the consent legal ground for processing data (and as marketers we most likely would), we need it no matter how we’re contacting people; be it email, telephone, or SMS.

GDPR stipulates that consent should be freely given, specific, informed and unambiguous.

Consent Explained

Freely Given: This means that individuals have a genuine choice and control, and that withholding or withdrawing consent will not have a detrimental impact. It also means that consent cannot be bundled up (eg: it is a condition of sale that consent is granted).

Specific and Informed: When seeking consent you must cover:

1. The data controller’s identity, as well as any third parties who may rely on the consent to process the data.

2. The purposes and activity of the processing; why you want the data and what you will do with it. As a minimum, it should cover how exactly the data will be used.

3. The right to withdraw consent and how an individual can do so.

Unambiguous: It must be clear that an individual has given their consent, and that you’re able to prove this. This can be via:

1. A tick box (that isn’t pre-ticked)

2. Signing a consent statement

3. Oral confirmation (for example at an exhibition)

4. A binary choice presented with equal prominence (yes or no options, for example)


PROVING CONSENT

OBTAINING CONSENT IN PRACTICE

The key for marketers communicating to data subjects is that consent has been given, and that they can prove this. A good record, according to the ICO, will include:

1. Who consented (Mr John Smith, Buyer)

2. When they consented (Consented at The FM Show on 16th May)

3. What they were told at the time (here is a copy of the document they signed and our privacy policy)

4. How they consented (as above)

5. If consent has been withdrawn (Copy of Mr John Smith’s email stating he wished not to receive any marketing communications as of June 2018)

The above may mean you need to make changes to your CRM to effectively capture this information.


WHAT TO INCLUDE IN YOUR PRIVACY POLICY

In layman’s terms, it effectively means spelling out:

1. Who we are

2. What we’ll do with your data

3. How we look after it

4. Why we need it

5. How long we need it for

6. What your rights are

This is a guide only; however, it is a good foundation against which to check your existing privacy policy and make any necessary amendments.

A good example of a clear, well presented privacy policy can be found at www.slack.com/privacy-policy


GAINING CONSENT

So, your privacy policy is spot on and you clearly ask for consent on your website, but how do you get consent from your existing database before May 25th?

Many organisations are simply emailing customers on their lists to request consent in line with GDPR; however, an email on its own is unlikely to generate the response you’d hope for.

It may be worthwhile tying the request for consent to an incentive, for example a whitepaper or eBook, but you MUST ensure this isn’t contingent on them giving consent, otherwise it’s not valid under GDPR.

IT’S WORTH KNOWING

• There’s still the possibility that some of the GDPR provisions around consent may not apply to B2B marketing after all

• Currently, B2B marketing emails and texts are permitted to existing customers on a soft opt-in basis under the PECR

• A leaked version of new regulation on Privacy and Electronic Communication brought it in line with GDPR

• However, the latest version published in January 2017 and awaiting approval maintained the soft opt-in approach

• As a result, some B2B marketers are taking a gamble and adopting a ‘wait and see’ approach

• But we do not recommend this


OUR RECOMMENDATIONS

Review your current data and understand your current consent provisions – if asked, are you able to prove consent?

Revise both your privacy policy and data capture forms to fall in line with GDPR so consent can be freely given, specific, informed and unambiguous.

Examine your record management or CRM systems to ensure they can capture the key information needed.

Start planning a strategy to build a new database of individuals with provable consent – FIG will work with you on this.

Come up with a definition on how long consent should last for your organisation’s marketing communications, and ensure your CRM can handle this by providing reminders to refresh consent or removing data subjects when they lapse.

Develop your marketing plan around alternatives to ‘mass marketing’ methods such as email marketing; content marketing will be very much key in a post-GDPR world.

Buy an SSL Certificate for your website and implement a privacy policy page.


www.fig.agency
t: 01457 857111
e: [email protected]
172 - 174 High Street West, Glossop, Derbyshire. SK13 8ER