The Department 3 Blog
Direct Marketing Data and the Impact of GDPR
June 08 2018, Michael Concannon
First, a disclaimer:
This post isn’t intended as legal advice and should be considered only as suggesting guidelines for your GDPR planning. You should work with your legal counsel to make the right decisions based on your business needs and circumstances.
Why start with that?
Because this is big news for direct marketers, or for anyone who’s been collecting personal data, buying lists from brokers and vendors, or otherwise assembling direct marketing data. It’s also a very serious business, with many complexities and serious consequences – but also a big potential upside.
On May 25, 2018, the new General Data Protection Regulation (GDPR) went into effect, after nearly four years of debate and discourse by the parliament and regulators of the European Union. The GDPR was created to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and reshape the way organizations across the region approach data privacy,” according to the official GDPR website.
So far, it’s showed a lot of panic and confusion among the media and marketers. Plus a certain amount of annoyance and wry amusement with the public:
The future of email is just receiving GDPR privacy notices until your inbox fills up and you no longer have the will to use email anymore.
— Aaron Levie (@levie) May 24, 2018
This GDPR thing has backfired! I’ve never had so many unwanted emails in my life.
— Jason Manford (@JasonManford) May 24, 2018
My Nan just emailed to confirm if I’d still like to receive:
□ Birthday cards
□ Lynx Deodorant Sets
□ Phone calls about nothing
□ Updates on who died #GDPRJokes
— Stevey Boyle (@STEVEYBOYLE) May 24, 2018
Still, the GDPR is unavoidable, even for U.S. companies. With personal data serving as the vital cornerstone of all successful direct marketing efforts, these regulations have big ramifications for direct marketers moving forward. They’ll not only need to make sure their data drives actionable insights, accurate targeting, ROI, and campaign success, but that their existing contact databases and data collection efforts are GDPR-compliant in the first place.
Who does the GDPR apply to?
Marketers everywhere need to be concerned about GDPR compliance, not only those within the EU’s boundaries. The new regulations have the potential to reach far and wide, affecting three primary groups:
- All organizations within the European Union (see a full list of the countries here.)
- Any organization located outside of the EU that offers goods services to EU residents or monitors EU resident data behavior (i.e. tracking an EU resident’s online behavior to predict future behaviors, decisions, or attitudes.)
- Any and all companies holding or processing the data of subjects residing in the EU – or even non-EU residents, in some cases. For example, if an American tourist visiting a European country uses their Facebook account during their stay and you’re capturing their data, you’re liable.
It’s also important to note that Cloud data isn’t exempt from GDPR liability.
Why comply with the GDPR?
Organizations that fail to comply with the new GDPR could potentially be fined up to 4% of annual global revenue, or up to the maximum penalty of 20 million euros, or 27 million in US dollars (for a more detailed breakdown of this tiered fining system, see this post). Even though it’s expected that E.U. regulators will only impose penalties for the most egregious and deliberate violators, they’ve made it clear they intend to flex their powers to enforce the regulation.
But for a marketer, there are other costs to consider: Being branded a non-complier can ding your brand image, for one thing. Consumers and buyers everywhere are more worried than ever about how companies collect, use, and share their personal data.
Again, even if you’re not based in the EU, and you’re not actively targeting EU users, you could be liable. If you’re using a third party’s lists or data? Even if an outside agency or list broker is collecting the data, you’re still liable, since they’re doing so on your behalf; in the eyes of the law, you’re the “director” who’s ultimately responsible.
The bottom line? It’s your bottom line that might take a hit if you fail to become GDPR-compliant. But while many direct marketers are confused and fearful about the impending changes, and only half of global firms are compliant, the GDPR will also provide a great opportunity to improve data security and management systems, refresh contact lists, and add more value to your existing databases.
Three big impacts (and the changes to make)
There are three primary ways the GDPR will affect direct marketers. Here’s what you need to know and do in the areas of consent, new data subject rights, and compliance.
Big Change #1: Consent
The GDPR’s guidelines surrounding consent have direct marketers atwitter with rumors about the need to ask for consent (i.e. asking specifically for permission to collect and process personal data) from every person in their database, even long established contacts. But, this isn’t necessarily true.
Under the GDPR, consent forms must be intelligible (i.e. written in easy to understand, clear, plain language), easily accessible (clear and unambiguous, so “silence, pre-ticked boxes or inactivity should not therefore constitute consent” Recital 32), and the purpose of the personal data processing must be attached to the consent form. Another biggie? Consent must be as easy to withdraw as it is for the consumer to give.
Direct marketing efforts often constitute “legitimate interest” for the direct marketer and wouldn’t require new consent from users. Why? Since much of direct marketing already falls under opt-out, not opt-in, continued opt-out marketing doesn’t require a new consent. Or as Recital 47 puts it:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
So, as long as your legitimate interest in direct marketing isn’t infringing on any EU resident rights, and you offer an opt-out at the point of contact, you probably have a solid case for not asking for new consent
A good rule of thumb in asking for consent and collecting data? GDPR demands you legally justify the processing of any personal data you collect. This just means you should focus on the data you really need, and avoid asking for anything extraneous to your business purpose. If you’re marketing t-shirts and need to ask for their shirt size, that’s valid. But asking what their favorite TV show or football team is? That’s off-limits, since it doesn’t have to do with the product or service you’re trying to fulfill.
However, even in a “legitimate interest” circumstance, you’ll need to provide contacts with a notification stating you have their data. The notification can be provided upon first contact with someone, and needs to be sent no later than one month after obtaining their personal data.
The notification also needs to include information about your company, including your identity, contact details, the use you intend for the collected data, legal basis for processing (i.e. direct marketing as a legitimate interest), the types of data you’re collecting, the length of time you intend to keep it, recipients of the data, as well as compliance with the entire bevy of regulations set forth in Article 14.
If you feel unsure about where you stand on re-acquiring consent, use the Legitimate Interest Assessment test, recommended by the U.K.’s Information Commissioner’s Office, to see how resident rights would stack up against your legitimate need. Break residents into specific funnels for the most exact results and closest expected impact.
If “legitimate interest” doesn’t hold up for your direct marketing data collection, you’ll need proof of consent from EU users to remain compliant with the GDPR going forward.
6 Steps to Acquiring GDPR-Compliant Consent
- Establish with your data management team what your new consent form will look like, where the form will live, and how you’ll collect the form.
- Remember: the new consent must meet all of the requirements listed in Article 7.
- Create the new consent form.
- Review and update your tracking policy: closing a pop-up window or ignoring a box will no longer equal consent to tracking under the GDPR. Instead, the user will have to physically agree to tracking by checking a box or clicking a button.
- Create a method to document the newly updated consent. Proof of consent will be needed for the future, and should include a date stamp, source of the data (i.e. an e-course signup or webinar registration), and the exact same opt-in language seen before giving consent.
While a direct marketing data subject’s consent is the safest way to be GDPR-compliant, acquiring new consent will require serious investments in time, money, and infrastructure. On the flip side, reaching out to data subjects for consent is also great chance to clean up your data and ensure it’s up-to-date, accurate, and still relevant.
Big Change # 2: New Data Subject Rights – The Right to Be Forgotten
With strengthened rights for EU residents and their data comes The Right to be Forgotten.
“Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.” – Article 17
If you have churned or inactive users amongst your direct marketing data, you might be non-compliant with the Right to be Forgotten. Huddle with your legal counsel to create a realistic timeline for deleting this bad data and for ending future notifications to these users.
Big Change # 3: Compliance Records for Direct Marketing Data
In order to keep your direct marketing data GDPR compliant, there are several new organizational measures direct marketers will need to follow through on, as listed in Article 32, including:
- Pseudonymisation and encryption of personal data
- Having the capability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Establishing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of your data processing.
Additionally, your company may also need to maintain detailed records of your compliance if you have more than 250 employees.
An opportunity, not a apocalypse
As with any new law, the GDPR will continue to be analyzed, tested, and sorted out by direct marketers in the years to come. Yet, despite the complications surrounding these new regulations, it also creates a powerful opportunity.
As Gartner put it:
“Don’t lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organization to acquire flexible rights to use and share data while maximizing business value.”
It’s the perfect window for direct marketers to build, maintain or re-establish trust about data security, opt-ins, and messaging with old and new customers alike. In an era where data privacy is a concern for everyone, showing you’re GDPR compliant with your direct marketing data is an excellent way to gain the goodwill of consumers and B2B buyers, and gain a competitive advantage over others. A good starting point? Conducting quick and effective direct marketing data optimization.
Resources & Posts
Get our newsletter
Every month, receive new insights about direct marketing data ROI and optimization.