The EU General Data Protection Regulation (GDPR) has big implications for marketing departments and how they can advertise products and services. Marketing personnel will be pleased that direct marketing comes under “legitimate interest”, one of the six lawful bases for processing. But how does this, and other aspects of the GDPR, apply in the real world of marketing? Keep reading for our GDPR marketing checklist:
You can market directly to past clients and prospects if the “way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR [the Privacy and Electronic Communications Regulations]”. However, you must let them object to your processing of their data for marketing purposes, and if they do object, you must stop processing straight away.
Personal data is anything that can identify a natural person, including in a professional capacity – someone’s work email address counts as personal data, for example. This means any business-to-business marketing will come under the scope of the GDPR.
You can email or text any corporate body, but it is prudent to keep a “do not contact” list for those who object to the processing, and screen any future marketing lists against it. You can also call any business that has consented or is not registered on the Telephone Preference Service (TPS) or the Corporate TPS, as long as it hasn’t objected to your calls in the past.
Marketing based on consent
If you are relying on consent as your lawful basis for processing, this must be freely given in a clear affirmative action (no pre-ticked boxes) and specifically for the processing in question. If you plan to send someone the latest offers by email, they must have consented.
It is also important to keep a record of when and how consent was given, in case this ever comes into question, and people must be able to withdraw consent as easily as they gave it.
Finally, as mentioned above, you will need to comply with both the GDPR and the PECR. The ePrivacy Regulation, which will replace the PECR, is yet to be agreed. More information about the PECR can be found here.
One of the data processing principles requires that personal data be “adequate, relevant and limited to what is necessary”. This final point has led many to look into data minimisation, which simply means not processing data that you don’t need. For example, if you ask for ‘job title’ as part of the checkout process, you’ll need to ask yourself whether you actually need it. What purpose does that information serve, or are you keeping it ‘just in case’? You should ensure you only collect what is absolutely necessary to fulfil the purpose of the processing. Delete anything else, and stop asking for it in future.
According to the GDPR, profiling is “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Data subjects have rights in relation to automated decision-making including profiling – organisations can only do this when it is:
- Necessary for the entry into or performance of a contract;
- Authorised by a Union or Member State law applicable to the controller; or
- Based on the individual’s explicit consent.
If you carry out profiling as part of your marketing efforts, it’s important to understand whether or not you’re allowed to continue to do so under the GDPR.
Learn more about personal data and the lawful bases for processing by attending the Certified EU GDPR Foundation and Practitioner Combination Course. This five-day course offers a practical understanding of the methods and tools for complying with the GDPR in the workplace.