The May 25th deadline is looming, and if you work in marketing that date won’t need any explanation – it’s GDPR deadline day. Have you put a plan into place yet?
The good news about GDPR
We recently attended a useful session at Social Media Week Bristol on GDPR with John Michison from the DMA. He opened with the acknowledgement, “as marketers we often think of GDPR as something that’s attacking us” – but he had some reassuring words too.
Firstly, May 25th is only the deadline for getting a plan into place. Companies don’t necessarily need to be actioning everything in the plan, as long as they can demonstrate what they plan to do and when.
Secondly, try not to get too worked up about fines. “I don’t think the fear of fines should be the reason people comply with the legislation,” said John. “The Information Commissioner’s Office (ICO) is only likely to issue fines to companies who are desperately doing things in a non-compliant way and they don’t like to pick on people and make examples of companies.”
The problem with consent
The new rules mean that accountability is now fundamental – you have to be able to demonstrate how you will be complying with the new GDPR rules. Consent can be difficult, and with GDPR it is set to become even trickier.
Consent to GDPR standards requires you to:
- Explain what you are going to do, concisely, but in full, before you collect data
- Explain it in a way that makes your customer want to sign-up to it before they’ve seen the benefits
- Inform customers about the potential consequences of the marketing
- Make it understandable to them.
As the DMA explained, you may not know exactly what campaigns you’ll be running this year, or what new types of content options are on the horizon, but you still need to explain it to customers and ask their permission before you collect their data. If that all sounds like a big headache then it might be time to learn more about legitimate interest.
What is legitimate interest?
“Legitimate interest is a little more complicated, but it is an alternative to consent,” said John, explaining that legitimate interest is equal to consent in the eyes of the law, if it can be proved.
According to GDPR Recital 47:
‘The legitimate interests of a controller … may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
You still need to explain and give relevant choices, but you have a bit more flexibility about how to give this information and you can explain about the new data use when you start using it.
Think about these points when doing any direct marketing:
- Do you have a relationship?
- Weigh up the legitimate interest of the organisation with the rights of the consumer
- Is it reasonable?
GDPR and social media
Most activity within the boundaries of social media platforms will be covered by the privacy rules of the platform itself, and users will need to be presented with a clear privacy notice before they sign up. However, customers need to know if and when you are using their data for remarketing purposes.
- You cannot collect an email address from a social account and use that in any undeclared marketing or data processing activities
- If a social media handle is attached to a CRM account, then that needs to be provided voluntarily
GDPR is a complicated subject, but if it’s implemented properly, it should mean that everyone receives only useful and relevant marketing messages. If you’re still unsure about what it means to you, the DMA has a wealth of GDPR information and advice on its website.