The General Data Protection Regulation (GDPR) will apply from 25th May 2018, less than a year from now.

Whilst there is still some ambiguity in the guidance offered on GDPR in the UK by the Information Commissioner's Office (ICO), savvy marketers who understand their customers shouldn't have too much to worry about.

Best practices that have been identified for some years will likely be enough for marketing to fall in line, alongside one or two changes to your data strategy.

But many businesses don't feel ready

As pointed out in Marketing Week, only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant come May 2018. This may partly be due to ICO definitions when it comes to lawfulness of data processing.

The GDPR sets out a number of legal bases available for processing personal data (read them here). One of these states that data processing is lawful if 'necessary for the purposes of legitimate interests...'

The question is – what does 'legitimate interests' mean? GDPR states that direct marketing is indeed a legitimate interest, though the ICO has given no further guidance. The ICO and GDPR do make clear, though, that where consent was sought under previous EC regulations 'you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.'

In short, using personal data to power direct marketing shouldn't be a problem if you have already communicated with the consumer in the right way.

Plain language FTW

So, what is the right way to communicate with people? The right to be informed means that users should be supplied with a whole raft of information about how their data may be processed (read the list here).

Much of this is unchanged, but in a neat summary of GDPR advice for small businesses, the EC makes clear that what is important here is the use of plain language – telling the user who you are, why you are processing their data, how long it will be stored and who receives it.

This is one of the important points of GDPR, which requires that information be 'concise, transparent, intelligible and easily accessible', as well as 'written in clear and plain language, in particular for any information directed towards a child.'

Marketers worth their salt will hopefully already have been working towards these ends, as well as demanding 'clear affirmative action' when a user gives specific and informed indication of their wishes.

Any marketers out there who are still persisting with pre-ticked checkboxes will need reminding of the penalties that failure to comply with GDPR can bring, not to mention the fact that the consumer expects better (though it should perhaps be noted that the widely reported fines of 4% of annual turnover are a worst-case scenario for the biggest GDPR transgressions where no mitigation is attempted).


Data breaches pose a challenge

A recent survey of 187 marketing and advertising companies by Irwin Mitchell (conducted by YouGov) revealed that 70% of respondents were uncertain of their ability to detect a data breach. Only 37% said they would be equipped to notify users within the GDPR-required 72 hours.

There are criteria for what constitutes a breach (read them here) and the ICO advises businesses to 'make sure that [their] staff understands what constitutes a data breach, and that this is more than a loss of personal data.'

Marketing as the voice of the customer may be able to play a role here in helping IT and data officers to communicate with the wider business about what is required.

Profiling regulations may guard against the dangers of AI?

GDPR dictates that any profiling using customer data that has a significant or legal effect, for example when processing loan applications, must give customers the right to contest the decision. The business must also have a person, not a machine, review the process if it ends in a refusal.

This doesn't apply to all automated processes, but it is particularly pertinent where data about a person's health, behaviour, location, movement, performance at work and similar is used or inferred.

There's an important point here about the need for marketers and data officers to protect against the runaway efficiencies of machine learning. Where any algorithm is used with such personal data, marketers should understand and be able to explain the outcome.

These regulations are not particularly novel but they are becoming more and more relevant. Fairness is an important part of data processing, and the ICO includes a whole raft of guidance on big data and machine learning (read it here).

Behavioural targeting is a grey area

Targeted advertising is one area set to change under GDPR as the regulations say that behaviour tracking, even when users are pseudonymous (but are still served ads as unique users), uses personal data tied to IP addresses and cookies.

The guidance dictates that a data protection officer must be appointed if you carry out behaviour tracking on a large scale.

What does this mean for advertisers? Well, Osborne Clarke reckons that 'a business which pseudonymises all data may potentially find it easier to justify processing under the “legitimate interests”.' However, writing for AdExchanger, David Raab argues that some businesses may be more cautious with their data and that this could play into the hands of Google and Facebook.

Raab says that "stricter data regulations also will give the big companies even more reason to be cautious about sharing data they’ve gathered – data that marketers want to access in as much detail as possible for their own purposes. The result will be even greater reliance on the giant firms to select the audiences for advertisements because marketers will have less data to do the targeting themselves."

This may be overdoing it a tad, but publishers will certainly have to work with adtech providers to make the right information available to users, whether in notifications (popups) or publicly available on site.

Privacy by design

Ultimately, what GDPR is pushing businesses towards is privacy by design. That is, understanding privacy as a central tenet of any project you undertake.

As such, the ICO provides a handy code of practice for a privacy impact assessment, designed to help businesses take account of anything that will impact on privacy during a new project, or to reassess the privacy of current systems.

The concept of privacy by design is nothing new and nor are these assessments, but they do now become mandatory for 'organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects'. This is perhaps unlikely for a marketing campaign, but not unheard of.

There's lots more to consider, but customer-focused marketers should follow their instincts

Data protection officers, the right to be forgotten, the right to data portability, new time limits on many requests – there's no doubt there are challenges for organisations, both those in already highly regulated industries and those not.

However, the GDPR will be a boon for marketers who already put the customer first during onboarding and subsequent marketing. Yes, lawyers are set to make hay while the sun shines, but by passing the ICO overview to all of your marketing team, it's not too late to get ahead of the game.

To get prepared for the GDPR, book yourself onto Econsultancy's data-driven marketing training course.

Published 31 May, 2017 by Ben Davis @ Econsultancy

Ben Davis is Editor at Econsultancy. He lives in Manchester, England. You can contact him at ben.davis@econsultancy.com, follow at @herrhuld or connect via LinkedIn.

Comments (3)

Nick Wood, Partnership Operations Director at Datastreams.io

At a recent network event I attended, GDPR legitimate interest was the key theme, and in terms of direct marketing I noted three takeaways which echo what you are saying here. Firstly, you must have a relevant and appropriate relationship with the person you are going to market to. Secondly, you tell them you are going to market to them. Thirdly, you tell them how to opt out. Recital 47 of the GDPR goes into more detail.

7 months ago

Johnny Ryan, Head of Ecosystem at PageFair

Be cautious when suggesting that 'legitimate interest' and 'pseudonymization' are a solution. They are not viewed this way in Brussels.
This is why pseudonymization is not the silver bullet: https://pagefair.com/blog/2017/pseudonymization-gdpr/
Here is a note on legitimate interest, and why it is not a legal basis for behavioural advertising https://pagefair.com/blog/2017/gdpr-legitimate-interest/

7 months ago

Paul Dawson-Hart, Director at Member360

I thought this must be a relatively old article until I noticed the date. Legitimate interests needs to be balanced against the new rights of the data subject, which take precedence. Using the fact that you don't need to re-permission if consent was gained in alignment with GDPR as an argument seems very odd. No mention of legacy opt-outs. A listen to the latest DMA webinar on consent just yesterday highlights just how confused the marketing sector is, and how much it is sticking its head in the sand to the new realities. Remember this is a regulation, not a directive. Outside of the derogations you do what the ICO tells you to do, and the ICO does what the Art 29 group (soon to be the European Data Protection Board) tells it to do. Look to what the Europeans are doing, not what CRM/CMS/Mark Auto vendors and their sponsored events are advising.

6 months ago
