Direct marketing and GDPR
Despite GDPR having been a reality for about a month now, there are probably a number of businesses, particularly small ones, that are still getting to grips with what GDPR means in practice, especially with regard to direct marketing, so here is a brief guide to what you need to know.
You need total visibility of your data processing from start to finish
The GDPR ideal is that privacy and its corollary, security, will be built into new products, services and systems as they are designed. That may promise a bright future, but right now, it’s unlikely that many companies, especially small ones, will have the budget or inclination to update all their systems from the ground up in the light of GDPR.
You do, however, need to have a full and complete overview of who is doing what with your data, where, how, when (and for how long) and, crucially, why, in order to be sure that you are fully compliant with the requirements of GDPR. Make a data security statement available to your clients and customers who want to know how you are handling their data, and include these details in this document.
Legitimate interest does apply to direct marketing, but only if you can show it
One of the fundamentals of GDPR is that you need to have a clear awareness of not just what you are doing but why you are doing it. You need to think through the balance-of-interests test carefully and record your process of analysis, together with your plan for protecting the data subject’s rights and meeting their reasonable expectations.
If marketing with consent, be ready to demonstrate that it is informed consent
One of the most highly publicised aspects of GDPR is the switch from “opt-out marketing” to “opt-in marketing”. What may be less well understood is that while an opt-in is necessary, it is not guaranteed to be sufficient. Consent needs to be informed, meaning that data subjects were given a clear-English explanation of what was being asked of them.
GDPR also requires much more detailed privacy notices, which have to be written in plain English. You need to be able to provide evidence that you are taking GDPR seriously and that your data-protection specialist can show how your email subscribers, for instance, have demonstrated a clear desire to be on your email list.
Use appropriate tools to help you comply
The good news is that there are software providers who have committed to providing tools that will help direct marketers and other business owners to comply with the new legislation. Some examples are:
- The Snow Software GDPR Risk Assessment that will look for vulnerable points in your software and alert you if you have a version of an application that holds or transmits personal data
- The latest version of WordPress has tools to let users access the data you hold on them
- The Nymity GDPR Compliance Toolkit has established which parts of GDPR require evidence and helps you to demonstrate that you are complying with these aspects of the law
- The Microsoft GDPR Assessment lets you quickly review how compliant you are with GDPR.
Stay up-to-date with all relevant data-privacy news
Even though GDPR is an update to existing laws and even though EU member states have had two years to implement it, the fact is that it’s still very new to regulators and legislators, too.
That means there’s probably going to be quite a bit of guidance issued over the next year or two and possibly some new legislation. In particular, the EU has promised to create a new ePrivacy regulation to replace PECR. At the current time, it is not clear when this will happen, but given the EU’s focus on data security, it is likely that this will be a high priority.