26 Jan 2018
If your business engages in marketing activity it is worth checking that your actions will be compliant under the new data protection rules because most businesses will have to review and amend their current processes. Here’s a brief summary of what the new rules mean for your marketing activity.
On 25 May 2018, the General Data Protection Regulation (GDPR) will introduce new rules on how personal data can be gathered, processed and used. For most (if not all) businesses, this will likely affect their marketing activities.
If your business sends out regular e-newsletters, bulletins, customer magazines or other communications, you may need to review your current processes and databases to ensure your actions are compliant with the GDPR. The new rules will apply to information that you currently hold, not just new information that you gather after May 2018.
Generally, organisations need an individual’s consent before they can send marketing communications. Under the GDPR, the rules on obtaining consent to store and use personal data will change. Consent must be freely given, specific, informed, properly documented and easy for people to withdraw. This new definition has many practical implications.
For example, in order for consent to be freely given, it is no longer acceptable to use pre-ticked boxes on webpages which state that the information provided by a customer when placing an order will also be used for marketing purposes. This means your customers and other business contacts will now have to “opt-in” and explicitly agree to their data being used in a particular way.
Similarly, for consent to be specific and informed, organisations cannot rely on the idea that ‘one consent fits all purposes’. For example, if a customer in a clothes shop provides his or her email address and consents to receiving an electronic copy of a till receipt, the clothes shop cannot use this email address to send out newsletters or promotion offers unless the customer has also agreed to receive these types of marketing materials. Essentially, the customer must understand what the actions are to which he or she is giving consent.
But that isn’t all. Consent will also need to be documented and stored in a way that organisations can easily demonstrate compliance with the GDPR or can action a request from an individual to withdraw consent. This is a significant change and imposes additional operational burdens on a business. You will need to have processes in place to be able to demonstrate compliance.
Databases and Processes
If your business carries out marketing activities, it will likely have a database of recipients’ names, addresses (postal or email) and perhaps other personal information.
As well as imposing stricter rules on how to obtain consent to gather personal data, the GDPR will give individuals increased rights to manage the information which a business holds about them in databases and in other forms.
In order to satisfy any such requests, businesses will need to know where and how individuals’ data is stored, must have the tools to recover any data that has been shared and must be able to amend, delete, or share the data as required.
Consequences of Non-compliance
The Information Commissioner’s Office (ICO) can impose stringent penalties if businesses, charities, sole traders and other data controllers and data processors cannot demonstrate that they have complied with the rules on obtaining consent for direct marketing and are properly using, storing and securing personal data.
Additionally, there is the risk of bad publicity, reputational damage and loss of consumer confidence, not to mention the possibility of consumers or competitors taking legal action.
You can also refer to this useful GDPR checklist for areas of your business which may need reviewed.