One of the biggest ever shake-ups in EU data protection law is on its way – and for sales and marketing teams, it’s something you simply cannot afford to ignore.
GDPR, which stands for General Data Protection Regulation, comes into force on 25 May 2018. It applies to any business that operates in the UK and so has implications for millions of firms worldwide.
The regulation is designed to strengthen and protect the rights of EU citizens regarding how businesses use their personal data. It sets out clear reasons why businesses might legally gather and use personal data, and how they should go about doing so.
Why do you need to be up to speed on GDPR?
Because it’s a big deal!
The financial penalties for getting it wrong are hefty (up to a cool £20 million, or 4% of worldwide annual turnover, whichever is higher) and there’s no quick fix.
Basically, if you collect, hold and process any type of ‘personal data’ – which most businesses do – then you need to have a plan. If you don’t and you wait until the last minute to get your head around it all, then you could find yourself in some very hot water.
Who is responsible for GDPR compliance?
As the basis of GDPR is data protection, the weight of responsibility is likely to fall on the shoulders of marketing teams. After all, it would seem a natural fit.
As marketers, you are likely to hold and process lots of data that will fall within the remit of GDPR. For example, you may be building a database of customers and prospects, using contact lists to send out email campaigns, or using telemarketing to generate leads.
But GDPR has implications for any department that processes personal data, from marketing and sales, to HR and accounting. It’s not simply a challenge for marketing alone.
Whoever is tasked with heading up the whole compliance process needs to look at the big picture. It should be a cross-company effort that considers all the data the company holds and all the systems involved in its collection and processing.
If your company is large, with 250 or more employees, then you’ll also be legally required to appoint a dedicated Data Protection Officer (DPO).
For more advice on getting started and ensuring your business is GDPR compliant, we’ve put together this free checklist: 12 easy steps to GDPR compliance
How is GDPR likely to affect sales and marketing?
Anyone working in sales and marketing needs to be up to speed on GDPR and what its implications are. Your planning will depend on you knowing exactly what’s what and ensuring your processes are lawful.
Four key issues that teams need to be aware of are:
- Personal data – what GDPR classifies as personal data
- Legal bases – what the legally permissible reasons for processing data are under GDPR
- Legitimate interests – why legitimate interests is likely to be the legal basis behind many types of sales and marketing activity
- Consent – what GDPR deems as consent and the implications this has for existing and new data
What does GDPR classify as personal data?
GDPR is being introduced to better protect personal data, in part because current laws are struggling to keep up with all the digital advancements that are being made.
The regulation bolsters existing data protection rules and takes them to a whole new level. Personal data, in the eyes of GDPR, covers any information that could be used to identify a person, either directly or indirectly. This includes name, email address, telephone number, ID number and IP address, and also online handles and pseudonyms.
‘Sensitive’ data is covered too, including genetic data and biometric data, such as fingerprints and retinal or facial recognition data.
What are the ‘legal bases’ under which you can process personal data?
To lawfully process personal data under GDPR you need to have a legally acceptable reason for doing so. GDPR specifies six options:
- Consent
- Contractual necessity
- Compliance with legal obligations
- Vital interests
- Public interests
- Legitimate interests
You must determine which legal basis you will be working under, before you begin processing any data. You also need to let individuals know exactly what that basis is, within a clear privacy notice.
Legitimate interests and consent are the most likely choices for sales and marketing activity, but be aware that if you rely on either of them, there are specific requirements and conditions that must be met.
What is legitimate interests?
Legitimate interests is the most flexible legal basis and, along with consent, is the one that lends itself most easily to sales and marketing activities. But that doesn’t mean you have a free pass to do whatever you want.
There are three elements to it. You need to identify a legitimate interest for the data processing, show that the processing is necessary to achieve it and prove you have balanced this against the interests, rights and freedoms of the individual.
The legitimate interests can be your own interests or the interests of third parties, and can include commercial interests, individual interests or broader societal benefits.
What is a Legitimate Interests Assessment (LIA)?
If you decide to use legitimate interests as a lawful basis, then a Legitimate Interests Assessment (LIA) must be completed in all cases. An LIA is basically a risk assessment that ensures you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the individual.
There is no standard format for doing this; however, you must be able to prove you’ve considered everything and can justify the outcome.
The Information Commissioner’s Office (ICO), the organisation tasked with enforcing GDPR in the UK, is expected to release further guidance on this at some point. In the meantime, the Data Protection Network has put together this handy Legitimate Interests Assessment template.
What types of activity might legitimate interests cover?
While GDPR doesn’t detail all the circumstances under which legitimate interests may apply, there is one overriding rule – the rights of the individual are the most important thing. If the interests of the data controller (you) are overridden by the interests or rights of the individual, then legitimate interests can’t be used as the legal basis. If the same result can be achieved in a different way, then it also doesn’t apply.
For example, in the case of direct marketing, if an individual objects to receiving your communications then your legitimate interest as a controller will be overridden.
Again, the DPN has pulled together a detailed overview, along with examples, which can be downloaded here.
What is classed as consent?
Consent is about transparency and it must be freely given, never just assumed. You need to explain to individuals who you are, what you want their data for and how it will be used. As we’ve mentioned, you also need to specify the legal basis under which you will be processing it.
Consent needs to be given for a specific and specified reason. What you write must be clear and it cannot be hidden away or bundled up within other terms and conditions. In short, individuals need to know what they’re signing up for.
What you can’t do:
- Use an automatic opt-in function
- Use a pre-ticked box to opt someone in
- Use ambiguous or confusing language
- Ask for consent as part of gaining approval for other terms and conditions
The emphasis is on you as a company to prove that any data was collected and is being processed in a lawful way. You need to have a strong system in place for recording what consent has been given, when and what for. You will need to provide this as evidence in the case of a complaint.
If you have existing data, then you will only be able to continue using it if it ticks all the GDPR boxes. Otherwise, you will need to gain consent again, in a GDPR compliant way.
Don’t forget about PECR
Remember, all your electronic marketing (emails, text messages, telemarketing) needs to comply with GDPR rules, but also needs to meet the UK’s Privacy and Electronic Communications Regulations (PECR).
If you’ve not refreshed your knowledge recently, then now is a great time to do so. You can find out more about the regulations here.
Other helpful resources
- Infographic for marketers
- GDPR compliance in B2B marketing: Let us help you through those hard decisions
- What does GDPR mean for B2B marketing?
- How Lead Forensics complies with GDPR
DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk