As every marketer should be well aware, the EU General Data Protection Regulation (GDPR) applies from 25 May 2018 – just over three months from now.
Marketers have had plenty of warnings about the penalties for breaching GDPR, and plenty of optimistic reassurances about the opportunity for improving customer relationships. But what are the most important things they actually have to do to ensure their use of personally identifiable information is within the law?
Marketing Week asked two experts in the field for their views on what marketers should be prioritising right now, to stand the best chance of being compliant by the deadline. This guide doesn’t constitute legal advice, but is intended to be the most useful and practical summary of responsibilities that marketers will get before the transformational new regime comes into force.
Many – hopefully most – marketers will have started taking these steps already. If not, this is the time to do so.
1. Have you done a data audit?
“The first thing that we would recommend would be to examine your data flows,” says John Mitchison, director of policy and compliance at the DMA (Direct Marketing Association). “This kind of data audit is often a bit of an eye-opener to organisations because there are always third parties, legacy systems or bits of data whizzing around that not everybody knows about.”
This is also key for Steffan Aquarone, trainer at Marketing Week’s sister brand Econsultancy, who is running online training sessions in February and March explaining the fundamentals of the new law.
He says: “I would look at all those different touchpoints where you are gathering personally identifiable information and map them out in a flow diagram. Even IP addresses are identifiable data, so it’s basically anywhere a customer is identifiable to you.”
Once this map is drawn out, brands need to decide which data processing activities they intend to carry out, and which legal basis they will use to justify each of them. GDPR (Article 6) lists six lawful bases, but for most marketing only two are relevant – consent and legitimate interests – and whichever you choose, you need to document your reasons for each processing activity and be able to justify them, down to the level of what you hold on an individual customer and why.
The choice of legal basis is fundamental. Once made, it should not be swapped for another basis later without a good reason, and Mitchison even suggests that “if you have been using consent up until now, you are going to have to continue going down that route”.
2. Is consent the right course?
“Everyone thinks about GDPR as being about consent and processing,” says Aquarone, but in his opinion there are two priorities in this area, should you choose it as your basis for using consumers’ data. “The specific places you should be thinking about are the consent on your website upon loading and the consent on any forms, including those that people fill in in the real world.”
Getting these compliant now – in advance of GDPR coming into force – means that any new user data acquired in the next three months will already meet the regulation’s standard, rather than adding to the backlog that may need refreshing.
GDPR (Article 4(11)) requires that consent to data processing – including for marketing purposes – be “freely given, specific, informed and unambiguous”, and be given by a statement or a clear affirmative action. This means many brands will have to be more detailed in their explanations of what they plan to do with personal data, and that consent must be signalled by a positive action rather than by simply not opting out: Recital 32 is explicit that silence, pre-ticked boxes or inactivity do not count.
According to Mitchison: “If your consent is of a good quality and a high standard – if what you have been collecting over time fulfils the requirements of GDPR – then that’s fine. You can pretty much continue doing what you are doing. If it doesn’t, you may have to go through a refresh process to bring that data up to the right standard.”
However, Aquarone believes there is no need to contact everyone in a database and request new consent. “I would not bother doing reconsenting at all – of anything, anywhere. I would bin a certain category of data that you know is a bit iffy,” he says, referring particularly to third-party lists of unknown origin.
Beyond that, if your recent data is compliant, you can then take a view on whether previously collected data has adequate permissions attached. If not, there could be value and justification in recontacting older customers to ask if they are willing for their data still to be used.
3. What are your ‘legitimate interests’?
Consent may not always be the best legal basis for data processing; indeed Mitchison goes so far as to say “legitimate interests should be your first choice, and only if you decide you can’t really use legitimate interests should you move to consent”. Essentially, this basis (Article 6(1)(f)) covers processing that is necessary for a business’s own legitimate interests, provided those are not overridden by the individual’s rights, and Recital 47 names direct marketing as an activity that may qualify.
The requirements of using this legal basis are that you have a relationship with the consumer, and that they would reasonably expect you to carry out the specific kinds of data processing you are employing. “That doesn’t necessarily mean they’re a customer – they might just have an account on your website or entered into negotiations,” says Mitchison.
However, legitimate interests are not a “get out of jail free card”, Mitchison adds. Businesses must perform a balancing test, weighing their own interests against the rights and interests of the consumer, and should record the outcome of that assessment so it can be shown to the regulator if asked. Legitimate interests can be relied upon only if you haven’t already asked consumers for consent for the same processing. The processing also has to be necessary – in other words, you can’t achieve the same result in a less intrusive way.
Aquarone warns: “I would be cautious about this because it’s not good for people to think ‘why am I getting this [piece of marketing]?’ That’s always worth avoiding. It doesn’t ingratiate a brand with anyone.”
4. How sensitive is your consumer profiling?
As with other kinds of processing, the data-driven automated profiling of individuals can be justified under one of the two legal bases above. Mitchison suggests legitimate interests are the most likely basis, and for run-of-the-mill activities, such as segmentation, he sees few problems in this.
“If you’re doing something straightforward like segmenting your file based on the consumer’s age, what they have bought in the past or where they live in the country, that’s fine – you can explain that very simply.”
Aquarone’s more specific suggestion is that, “if the number of buckets of customers you’re segmenting is equal to or less than the number of different product permutations you offer, then you don’t need to worry too much” about getting consent.
However, Mitchison warns: “If you were doing something much more intrusive – maybe you’re going out to third parties and getting additional data about the income of the household or the car they drive – while you may have a very good reason for collecting that data, it might be more difficult to pass the balancing test to be able to do that under legitimate interests. If you’re doing particularly sensitive profiling, you might have to ask for consent.”
Key to determining this is whether the automated profiling produces a decision with “legal effects” on the individual or that “similarly significantly affects” them, in GDPR’s wording (Article 22). This might include personalised pricing, for example, or the denial of a particular service. In such instances, the consumer must give explicit consent before they can be subject to the decision, unless the processing is necessary for a contract with them or is authorised by law.
Aquarone says: “Because a lot of automated profiling and targeting stuff that happens is not generally known about in the public domain – it’s still a bit ‘black ops’ – you shouldn’t rely upon reasonable expectation to justify doing it.” He doesn’t include retargeting in this, however, which he suggests is better understood by consumers.
In any event, as with the choice to receive communications from brands, if you ask consumers for consent to profile them, you have to be specific, and they must be able to withdraw that consent at any time, as easily as they gave it. Where profiling is for direct marketing, they also have the right to object to it at any time, whichever legal basis you rely on.
Aquarone says: “Now we really need to be able to go into much more detail about each customer and say what they have consented to and what they haven’t, both in terms of data collection and data processing, and then allow them to change it at that level of detail.”
Specificity also extends to privacy policies – particularly as these are likely to be the primary means of informing consumers what will happen to their data. But this area requires a delicate balancing act.
“It’s almost a paradox,” Mitchison points out. “You have got to tell people everything, and you’ve got to make it really easy.”
“In the past, privacy policies were written for the benefit of the company – they were there to protect the business – but now they’re intended to inform the consumer,” says Mitchison. “Of course, that means you have to take a completely different stance. The language has to be written for people to understand.”
This principle of consumer empowerment underlies all of GDPR. Businesses that adapt and offer consumers real choice around their data stand a good chance of being seen favourably – both by consumers and by the UK regulator, the Information Commissioner’s Office (ICO).
There are few certainties yet about how the regulator will interpret GDPR, but those brands that take the proactive steps outlined above and – most importantly – can demonstrate their justifications for doing so, should avoid nasty surprises.