GDPR: Do’s and Don’ts for Marketeers

The General Data Protection Regulation is here! Although the GDPR will not be the end of web analytics, it will definitely change the landscape in which marketeers and analysts can collect personal data. Here are the do’s and don’ts to make your marketing operations ‘GDPR-proof’.

Sander Marijt
Burst
May 27, 2018

The first step in becoming GDPR compliant is a data inventory. You need to know what data you are collecting, where the data is coming from, and stipulate a purpose for collecting it. If defining a purpose proves difficult, you’re better off not collecting it. Some are using ‘analytical purposes’ as a last resort, which can cover almost anything.

Next, you need to check the applicable legal ground for collecting the data. The GDPR specifies six possible legal grounds, of which consent is your safest choice. The other legal grounds are situational, such as a contractual agreement or being exempted as a particular public institution. The most curious legal ground of them all is the ‘legitimate interest’, which is quite a wild card.

Legitimate Interest

The requirements for having a legitimate interest for collecting data are not specifically defined by the GDPR. If you read the considerations of the GDPR, you’ll find that direct marketing “may be regarded as carried out for a legitimate interest”. This simple passage has been the beacon of hope for many desperate marketeers. Alas, it might be a false hope. First, the word “may” implies that direct marketing is not excluded from being a ‘legitimate interest’, but gives no guarantee it will be considered as such. Second, the passage is taken from the GDPR preamble (considerations), not a legal article you can actually rely on. Third, a legitimate interest requires that the user can reasonably expect their data to be processed for a particular purpose, and that is usually not how direct marketing works. You can see why this makes the legitimate interest a wild card! If you are risk-averse or would rather be transparent with your customers, I would recommend acquiring consent.

Consent

Your safest legal ground is to acquire the consent of the person whose data you are collecting. The most straightforward method is adding an opt-in box to your forms where the user consents to the collection and processing of their personal data for a particular purpose. Make it a clear sentence, avoid ambiguous or excessive legal jargon, and don’t settle for merely referring to the terms of use or privacy policy. Never pre-tick the checkboxes that specify consent. It’s not only a devious move that will irk most users, but the GDPR also requires consent to be given ‘affirmatively’. You need to store the consents of users and be able to demonstrate that you obtained them. If you have collected personal data without a legal ground, e.g. a mailing list, you can try to obtain consent. You need to delete the personal data of those who didn’t give their consent.

Data Management

The GDPR also regulates how you manage personal data. Compose a privacy policy in which you inform visitors about their rights, e.g. their right to modify, correct or delete their personal data. Provide a link to the privacy policy in the footer, and remind visitors with an additional link on your forms. The only feasible method to comply with these rights is implementing a single source of data. Don’t store data in different silos across your company (e.g. marketing, development, sales) or on local devices. Never send personal data (e.g. resumes) to colleagues, but simply send a link to the online source instead. If you receive a request to delete someone’s personal data, you can simply delete it in the single source of truth and avoid a company-wide inquiry to locate all duplicates.

A New Era

All these rules and regulations may seem daunting and tiresome. You can check the checklists, insert the opt-in checkboxes and sign the processor agreements, but the GDPR is only the beginning. Next year the ePrivacy Regulation will likely come into effect and will also require consent for the use of non-technical cookies. Moreover, the Cambridge Analytica scandal puts privacy high on the political agenda, which may lead to even stricter privacy regulations.

However, these strict privacy regulations will not be the downfall of direct marketing, just of privacy-negligent marketing. Marketeers should concern themselves with serving their clients to the best of their ability. This should comprise transparent and honest communication with clients. Privacy is becoming increasingly important for customers, so don’t consider it a hassle, but an opportunity to create customer value. Organizations that rise to this challenge by integrating privacy within their product offerings will be the digital leaders of tomorrow.


Sander Marijt
Burst

Insights Analyst at Burst Digital, your non-average digital agency.