We need to talk about… GDPR

The imminent implementation of the General Data Protection Regulation is one of the most talked about subjects in business just now. Everyone seems to have a different opinion on what the impact for business will be. There is a great deal of hype and even fear being generated around GDPR and B2B email marketing. Therefore, I feel it would be useful to have a look at some of the key facts in relation to SME businesses.

Before I start, this article is my opinion of the regulations, not a definitive legal interpretation. GDPR is a document full of legalese and EU-speak. However, the principles are not designed to put unnecessary barriers on people doing good, honest business. They are designed to give individuals reasonable protection in an increasingly complex world. No bad thing in my opinion.

There has been a great deal of ‘fear talk’ and I want to establish some balance.

I am not proposing to attempt to deliver a ‘One size fits all’ approach to GDPR. Rather, I am looking objectively at the regulation based on the output of key partners to the regulation, including the ICO (Information Commissioner’s Office) and the DPN (Data Protection Network).

The ICO is the UK representative on the EU’s Article 29 Working Party – the EU body at the heart of GDPR.

The DPN is dedicated to providing expert opinion, quality resources and learning materials, to both experts and non-experts in the field of Data Protection and Privacy.

GDPR is coming.

One thing is for certain:

GDPR will apply from 25 May 2018

So what should you do about GDPR in your business?

First and foremost, you shouldn’t ignore GDPR. I believe there are 4 key issues to consider:

  1. Is it legitimate for you/your company to hold & process personal data as you do?
  2. Have you assessed the data you hold to check it is appropriate?
  3. Have you assessed potential risks arising from any data breach and have you taken reasonable steps to protect against any such breach?
  4. What procedure do you have in place to take appropriate action in the event of a breach resulting in the unauthorised release of personal data?

To look at these another way:

  • You need to be comfortable that your business operates within the regulations
  • You need to be aware of the principles of GDPR and the rights of ‘Data Subjects’ regarding the data you hold on them.
  • Your policies (e.g. Data Protection/Privacy policies on your website) should meet the requirements of GDPR
  • You should be ready to engage openly with people about the data you hold
  • You should respect the rights of Data Subjects to say ‘No Thank You’

The principles

I have read around the subject of GDPR. The principles behind the regulations actually seem to come down to four words: Reasonable, civilized, common sense

If you hold information on a person, you should respect that data and only use (‘process’ in the jargon) the data in ways that are – to quote the Advertising Standards Authority:

  • Legal
  • Decent
  • Honest
  • Truthful

The idea applies here to all data, not just that used for Advertising & Marketing. In addition, I think we should also add the principle of openness.

If someone holds data on you it is reasonable that, if you want, they should be open about letting you know what information they hold, why they hold it and how they use it. Furthermore, you should have the right to oblige someone holding your personal data to stop using it – unless there is some higher legal obligation.

Must I gain opt-in consent from my data subjects?

This is a key question from businesses using data for marketing and the answer, in short, is No!

Consent is not an absolute requirement under GDPR

Understandably, there is a lot of emphasis on consent. In many instances, getting the consent of a data subject to hold and process their personal data may be ideal. Getting specific opt-in consent should never be a bad thing though sometimes it is impractical.

Under the GDPR, there are 6 ‘Lawful Bases’ for processing data. Consent is listed first although there is no hierarchy in the list. Each ‘Lawful Basis’ has the same weight.

In practical terms, the basis most likely to be relevant to marketers (B2B in particular) is ‘Legitimate Interest’.

Legitimate Interest in GDPR

The GDPR states,

‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ An organisation may wish to rely upon Legitimate Interests where Consent is not viable or not preferred and the Balance of Interests condition can be met.

Note the phrase: “may be regarded as…”, so organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications. This may be where consent is not viable or not preferred, though the DPN rightly stresses the fact that organisations will still need to show that there is a balance of interests – their own and those of the person receiving the marketing.

Though the GDPR does not list all circumstances in which legitimate interests may apply, it does specify that any processing under this banner meets the balance of interests condition – are the interests of the controller overridden by the interests or rights of individuals?

The DPN’s guidance document explores these ideas and gives a range of examples (though these are predominantly B2C).

Is the Legitimate Interest basis appropriate for my business?

There is a difference between B2C where you are targeting individuals and B2B where you are using personal data to actually target job roles. Consequently, in B2B it may be easier to establish Legitimate Interest relevance. In B2C, particularly where children, the elderly or more vulnerable adults are involved, if you apply the common sense approach I talked about earlier, you will see that things become more complicated.

There is a template for such an assessment in the DPN’s guidance document.

Whatever your approach you should always be Legal, Decent, Honest and Truthful – and open.

Conclusion

In summary, GDPR is not a threat to the large majority of businesses. There is a great deal of hype and ‘fear marketing’ around at the moment. Many of the principles enshrined in GDPR already exist in the current data protection legislation. Some, however, have been clarified and extended. There are some great guidance notes available from both the Information Commissioner’s Office and the Data Protection Network.

The sun will rise on the morning of 26th May and the world will still be turning!

Please Note: The above are my own views based on my research, not a definitive legal opinion. For more detailed advice on the application of GDPR to your business, I recommend you approach a GDPR specialist.


About David Wright


Every business has a brand. Building yours can be the best way of adding sustained value to your business. A strong brand also builds market confidence and creates a great platform from which to develop sustainable business opportunities.

I combine professional marketing qualifications and experience with a solid understanding of real business to discuss and advise on building your business brand using effective marketing communication in a down-to-earth, no jargon way.

As well as discussing plans and strategies I am keen to 'get my hands dirty' and work with clients to make sure things happen!

  • Understanding you, your business, and what you want to achieve
  • Helping you choose the right tools for a practical marketing communications plan
  • Working with you to make sure things happen - and keep happening

My business goals are to achieve effective, long term relationships with clients, to deliver real benefit and to help clients drive their business forward.

Specialities:

  • Practical, joined-up marketing communication.
  • Professional, internet focussed business marketing.
  • Relevant content creation
  • WordPress training – take control of your website

I work on clarifying your goals then developing and implementing practical marketing to help you achieve them.

Extensive understanding of the internet and web marketing enables me to tap into highly cost-effective tools to achieve effective, sustainable marketing at realistic budgets.
