As the international resident’s compliance deadline was 25 May 2018, there is more emphasis than ever on using and storing data responsibly. But what does this mean for organisations such as digital marketing agencies where personal data acts as currency? For marketers, data forms the foundation of successful campaigns – it enables us to target the appropriate audience with the relevant content, recognise site visitors and more. So, how will this impact the way marketers consider data?
While the GDPR is European legislation, it applies to any company that handles the data of EU citizen’s data, regardless of where that company is. The GDPR legislation strengthens residents’ rights and creates unprecedented transparency surrounding how their data is controlled, ensuring that individuals are informed about – and in control of – the personal data they share with companies.
According to the GDPR, set principles that controllers must comply with include the following:
This means that the processing of information must be lawful and not excessive. Processing should be for a defined purpose, and there should be openness as to any processing activities. The principles and conditions of the law must be followed. In an essential step towards data transparency and consumer empowerment, the new legislation stipulates that the data subjects may obtain confirmation as to whether or not their personal data is being processed, where and for what purpose.
The processing of the information must be for a defined purpose and limited from further processing without consent thereafter.
Only necessary data should be kept in order for processing to take place. Organisations should be cognizant of the fact that they should not be keeping excessive data that is unused for their purpose.
The data itself should be accurate and should allow for those whose data is being processed to participate in making sure it is up to date.
Once data processing has completed, the data should be removed. It should not be kept for longer than is necessary to perform the data processing activities.
Data, wherever it may be stored, must be stored responsibly and with the correct safeguards in place to ensure its security. It is the obligation of the organisation to prevent loss, damage or unlawful access to the data via appropriate security measures. This information must be treated as confidential. In the instance of a security breach, both the regulator and the data subject should be notified of such.
This legislation impacts a multitude of fundamentals for digital marketing, including:
As per the GDPR, ‘implied consent’ or ‘soft opt-ins’ is no longer acceptable for personal data – consent must be explicit. Organisations must be able to provide proof that a user chose to opt-in to any communication. Under this legislation, marketers are able to email someone, as long as that person had the option to opt-out of emails at the time of purchase.
Now that opt-in has to be explicit, any on-site forms must comply. This extends beyond the option to opt-in – forms must be deployed and hosted in a way that complies with GDPR.
Legitimate interest means that users’ data is processed in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. When a business uses a legitimate interest precedent for direct marketing, the marketer is allowed to send email marketing on an opt-out or unsubscribe basis.
For many marketing agencies, third-party tools and marketing tech providers form a large part of their data ecosystem. Therefore, it is imperative for marketers to ensure that their suppliers are compliant, or at the very least held to the same standard as their own organisation. Further to this, third parties must only provide data that is necessary, or falls under legitimate interest.
While users have always had the right to opt-out, under the GDPR, users have the right to be forgotten. This means that the user’s data can no longer just be marked as ‘do not contact’ but must be deleted. It is also worth evaluating tech stack integrations to ensure that when requested, data can be removed from all related databases and platforms.
In light of the updated opt-in consent requirements, marketers will no longer be allowed to add event attendees to a campaign, unless you can prove explicit opt-in.
In the instance of creating a new data record, or integrating third-party contacts into a database, opt-in compliance is still non-negotiable. This is applied across contexts, such as importing contacts from a spreadsheet or integrating contacts with your CRM.
Ensuring that your organisation complies to GDPR legislation begins and ends with transparency. Our fundamental goal as marketing agencies is to build relevant and valuable relationships with our consumers, and transparency is key here. By giving your consumers insight into why they are opting into your messaging, they can see the value in it, thereby building a foundation of trust and good faith.
