Judy Davis explores some of the implications for marketing with Daff Richardson, partner at Penningtons Manches LLP.
While businesses have benefited from the new technologies that enhance their ability to identify, profile and communicate with prospects and customers at low cost, some unscrupulous ‘cowboy’ marketers have seized the opportunity to bombard consumers with unsolicited telephone calls and spam emails, to share and sell personal data and even to ‘scrape’ social media data to create fake online profiles.
Consumer confidence has suffered as a result. The Chartered Institute of Marketing (CIM) reports that “the values of honesty and integrity have been eroded when it comes to personal data – leaving [consumers] feeling cynical and increasingly unwilling to share their data at all. Among the key reasons for this is that marketers are falling behind when it comes to legal knowledge, best practice, honesty, transparency and listening to customers… Today’s marketers claim to be honest and authentic. But when it comes to personal data we found that they are letting down their customers with some unethical practices”.
In the CIM survey, 41% of marketers reported that they don’t fully understand the laws and best practice around using consumers’ personal data. And yet just 17% felt they would like more training, and only 36% say their organisation is transparent about how it collects data.
Business owners and employers are responsible for ensuring that the people who decide how data is used are trained and fully versed in what can, and cannot, be done with it. So I asked Penningtons Manches lawyer Daff Richardson to shed some light on how the new regulations will impact current marketing practice.
Q: What are the main aspects of the GDPR legislation that impact my marketing?
A: Well, marketing is, of course, already regulated by the Data Protection Act 1998. However, when the GDPR comes automatically into force in May 2018, the protections for individuals will be significantly enhanced.
Things to consider:
Are your privacy notices fit for purpose? Being transparent and providing accessible information to individuals about your use of their personal data is key to the GDPR.
Think about the person or organisation you’re dealing with. If you’re dealing with consumers or individuals, in a B2C business, you’ll be processing personal data, and must do so in accordance with the rules. Note that “processing” includes using, storing and deleting data. You must take people off the database if they withdraw consent, and you must only process the data for the purposes for which consent has been given, and for as long as is necessary for that purpose – no longer. The idea of keeping people’s “useful details on file” is no more. Obtaining proper consent from individuals for the processing of their data will be essential and will require changes in the way in which many businesses operate. Data must always be processed in a manner which is lawful, fair, and transparent.
Q: What does this mean with regards to my existing database of contacts?
A: You really need to assess what data you have, and for what purpose. We’re recommending that all businesses carry out a data audit well before the changes take effect next May. In terms of consent, you’ll need to ensure that explicit opt-in has been obtained by May 2018.
There are four key pillars of consent:
Control – the individual opts in to you being able to process their data, and can opt out. They will also have enhanced rights to be forgotten, and to data portability.
Transparency – be transparent about the purpose for which you are using their data, e.g. “we would like to use your email address so we can send you tailored offers based on things we know you have bought previously”. Don’t use personal data for a purpose which has not been authorised – this will be a breach, and will expose your organisation to significant penalties.
Notification – keep the data subject informed about how you are using their data; and
Verification – the data has to be accurate, and should be kept up to date.
Q: If someone gives their personal data on a pop-up form on my website, does this mean they have opted in?
A: The answer really depends on what the form says! If it contains an effective privacy notice, and it’s clear how the individual’s data will be used, then it should be fine: that would be an express opt-in. If the privacy notice is buried away elsewhere on the website, and the intended use of the pop-up form isn’t clear, then no – in my view that would not constitute an opt-in.
Q: What are the likely sanctions for misuse of private data?
A: Fines can reach €20 million or 4% of global annual turnover, whichever is greater, for organisations found to be in breach of the Regulations. However, at the Data & Marketing Association Conference, Information Commissioner Graham reassured those taking proactive steps to meet existing and future requirements, distinguishing them from “the cowboys” and advising that his preferred approach to legal enforcement is to “keep the big stick in the cupboard for the people who need spanking”, suggesting that there may be some flexibility in the early days for those who are trying to comply with the new regime.
Organisations which fall foul of the data protection rules are also likely to find that there will be serious adverse publicity: the ICO’s findings are made public and offenders will be named and shamed (as has happened recently to some leading charities).
Q: What are the implications for business owners and employers?
A: Employers are responsible for the actions of their people, so they should ensure that staff are fully trained to understand the implications of the legislation for their activities. Compliance should be, and be seen to be, driven from the top down.
• be legal, honest and transparent
• seek guidance where it is unclear
• employ people who understand the law
• continuously train your staff as the law and practice develops
For further information, contact Daff Richardson.