GDPR is fast approaching and as expected (with the threat of a potential €20 million fine for non-compliance hanging over our heads) organisations are in a mild state of panic. 95% of businesses now believe that meeting the compliance requirements of the GDPR will be challenging or extremely challenging. With all the information out there it can often be difficult to know where to start.
For this reason, over the next few months we will be addressing some of your most pressing GDPR questions. To avoid information overload we will be delivering these in easily digestible, bite size chunks. GDPR may represent one of the biggest shake ups of data protection law in over 20 years, but ensuring that your company avoids those costly penalties is far from impossible.
As always it is important to note that GDPR does not only impact those businesses situated within the EU; it also concerns those who conduct business within the EU but may not have a physical presence here. Simply put, if you are dealing with clients/customers within the EU but are operating out of the US or some other non-EU location, you are still required to be GDPR compliant.
How your marketing opt-ins are affected by GDPR
This week we will be looking at how your marketing opt-ins may be affected by GDPR. A recent report by the cybersecurity company Symantec found that 41% of marketers admit to not fully understanding both the law and best practice around the use of consumers’ personal data. With GDPR coming into effect in less than 5 months it is essential for individuals at all levels of an organisation to ensure that their practices and procedures are compliant. It is no longer sufficient to leave matters relating to data protection in the hands of the compliance department; individuals need to take accountability themselves.
One of the most effective ways to ensure compliance at an individual level is to read up on both current and proposed legislation. But with over 88 pages on the topic in the Official Journal of the EU alone, it’s easy to see why most might want to bypass that riveting read! So to make things that bit more manageable we have summarised below the key aspects to consider when it comes to ensuring compliance of marketing opt-ins.
Consent must be freely given
Data subjects must be afforded real choice and control over data concerning them.
Consent is not considered to be freely given if:
The data subject feels compelled to consent due to a real or perceived imbalance of power.
They believe they will face negative consequences if they don’t consent (Detriment).
Consent is bundled up as a non-negotiable part of the Ts & Cs (Conditionality).
They are unable to refuse or withdraw their consent.
As a controller you need to ensure that data subjects can freely refuse the processing of their data without fear of detriment. On top of this, subjects must have the ability to withdraw consent without fear of the same. Withdrawing consent shouldn’t lead to any negative consequences or costs for the data subject involved. So, for example, if your customer is a member of your loyalty programme, he or she should be able to opt out of marketing communications from that programme while still being able to benefit from all the great perks of the programme.
Under GDPR it is a big no-go for you, as a data controller, to intentionally disguise the purpose of personal data processing, or to bundle it in alongside the provision of a contract for which the data is not necessary for the performance of the service (i.e. if you’re selling something which requires you to take the customer’s name, address, mobile number, email etc., you can’t add these details to your marketing database without letting the customer know). In short, consent and contract are not to be merged and blurred! Below is an example of what will no longer be permitted under GDPR, as should the data subject refuse to consent to this processing activity they will be unable to sign up to the service.
A service may involve multiple processing operations for more than one purpose. In such cases, the data subject should be free to choose which purpose they accept. Consent must be given separately for each method of processing. So if you are looking to contact your customers with digital marketing communications and wish to share details with other companies within your group, you must provide opt-in options for each (see example below). It is also necessary to be specific as to who you will be sharing this data with and the type of communications they can expect to receive from you.
Consent must be Specific
The reason for which data is being processed must be specified in a clear and concise manner. This aims to ensure a degree of user control and transparency for the data subject. It is therefore important to ensure data subjects are informed as to how the data you are collecting is to be processed & for what purpose. They must also be afforded the opportunity to consent to the various forms of processing in line with the requirement for ‘granularity’.
If you have previously acquired consent with regard to a particular processing activity you must then seek additional consent should you wish to process the data in a manner which was not previously consented to.
Consent must be Informed
In addition to being specific as to the purpose for processing, you must ensure that data subjects are informed as to what they are consenting to. Data subjects must understand what it is that they are agreeing to, so leave your jargon at the door. Be clear and specific about what it is you intend to use the data for and you should be in the clear when it comes to auditing.
In order for consent to be considered informed, particular information needs to be provided to the data subject. As a basic checklist for your own data, both current and future, consider the following:
Who the controller is, aka your identity
the purpose of each processing operation (see Specific above)
what data will be collected and used
the existence of the right to withdraw consent
More info on this can be accessed in the Working Party paper on Consent.
Consent must be Unambiguous
Consumers must provide their consent in a clear affirmative manner that discernibly indicates their agreement to the processing of their personal data. Consent should be freely given. It can be given in a number of ways, such as a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting a website or providing a statement which clearly indicates acceptance of the proposed processing. Pre-ticked boxes or inactivity do not constitute consent, so if you currently employ this method you should consider addressing it or risk penalisation.
One way to ensure explicit consent, particularly when dealing with data that is considered highly sensitive, is to employ a Double Opt-In. Double opt-ins essentially involve obtaining consent on two separate occasions as a precautionary measure, a sort of “are you sure you’re sure” which provides a clear paper trail in case of an audit. A number of companies have already implemented this mechanism. Double opt-in itself is a pretty simple process. You provide your consent by ticking a box, filling out a form etc. Then you are sent an email asking you to confirm your interest in receiving further communications from the processor. Although not required under GDPR, using this method is generally seen as best practice, particularly when dealing with sensitive data.
Where to from here?
Collecting consent is not enough, particularly if you cannot provide proof that you collected it to begin with. Once GDPR comes into effect in May you will need to be able to show reasonable evidence that you have complied with GDPR if you are challenged. However, there is no clear definition yet of what exactly this entails… we’ll keep you posted though.
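To show how the double opt-in described under "Consent must be Unambiguous", the per-purpose opt-ins described under "Consent must be freely given" and the proof-of-consent point above fit together in practice, here is an added example of a small consent ledger. It is illustration only, not code from this article or from Dataconversion; the purpose names, the opt-in wording version, the form identifier and the e-mail addresses are constructed for the example. Each purpose gets its own record, nothing is recorded unless the box was actively ticked, a send is only allowed once the subject has confirmed via the emailed token, withdrawal affects only the one purpose, and every step lands in an append-only trail that can be produced if you are challenged.

```python
"""Consent ledger: per-purpose opt-in, double opt-in confirmation, audit trail.
Added illustration, not the article's or Dataconversion's code. All names,
purposes, wording versions and addresses below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Hypothetical processing purposes; each needs its own opt-in (granularity).
PURPOSES = ("email_marketing", "share_with_group_companies")


class Status(Enum):
    PENDING = "pending"        # box ticked, confirmation email not yet acted on
    CONFIRMED = "confirmed"    # emailed link followed: the second opt-in
    WITHDRAWN = "withdrawn"


@dataclass
class ConsentRecord:
    purpose: str
    status: Status
    wording_version: str       # exact opt-in text the subject was shown
    source: str                # where it was collected, e.g. a form id
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, secret: bytes, confirm_ttl: timedelta = timedelta(hours=48)):
        self._secret = secret            # key for signing confirmation tokens
        self._ttl = confirm_ttl          # how long an unconfirmed request is valid
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}
        self._events: List[dict] = []    # append-only trail for audits

    def _log(self, **event) -> None:
        self._events.append(event)

    def request(self, email: str, ticked: List[str], wording_version: str,
                source: str, now: datetime) -> str:
        """First opt-in. Only purposes the subject actively ticked are recorded;
        a pre-ticked or untouched box yields nothing. Returns the token to put
        in the confirmation email."""
        unknown = set(ticked) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        per_subject = self._records.setdefault(email, {})
        for purpose in ticked:
            per_subject[purpose] = ConsentRecord(purpose, Status.PENDING,
                                                 wording_version, source, now)
            self._log(event="requested", email=email, purpose=purpose,
                      wording_version=wording_version, source=source,
                      at=now.isoformat())
        return self._token(email, now)

    def _token(self, email: str, issued_at: datetime) -> str:
        # HMAC over (issue time, nonce, address) so the link cannot be forged.
        payload = f"{int(issued_at.timestamp())}|{secrets.token_hex(8)}|{email}"
        mac = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def confirm(self, token: str, now: datetime) -> bool:
        """Second opt-in: the subject followed the emailed link. Tampered or
        expired tokens are rejected; returns True if anything was confirmed."""
        try:
            payload, mac = token.rsplit("|", 1)
            issued, _nonce, email = payload.split("|", 2)
            expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):
                return False
            issued_at = datetime.fromtimestamp(int(issued), tz=timezone.utc)
        except ValueError:
            return False
        if now - issued_at > self._ttl:
            return False
        confirmed_any = False
        for record in self._records.get(email, {}).values():
            if record.status is Status.PENDING:
                record.status = Status.CONFIRMED
                record.confirmed_at = now
                confirmed_any = True
                self._log(event="confirmed", email=email, purpose=record.purpose,
                          at=now.isoformat())
        return confirmed_any

    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        """Withdrawal is always possible and touches only the named purpose."""
        record = self._records.get(email, {}).get(purpose)
        if record is not None and record.status is not Status.WITHDRAWN:
            record.status = Status.WITHDRAWN
            record.withdrawn_at = now
            self._log(event="withdrawn", email=email, purpose=purpose, at=now.isoformat())

    def may_contact(self, email: str, purpose: str) -> bool:
        """Gate every send on a CONFIRMED record; pending or absent means no."""
        record = self._records.get(email, {}).get(purpose)
        return record is not None and record.status is Status.CONFIRMED

    def evidence(self, email: str) -> List[dict]:
        """What you would hand over if challenged: every event for this subject."""
        return [e for e in self._events if e["email"] == email]


if __name__ == "__main__":
    ledger = ConsentLedger(b"replace-with-a-real-secret")
    t0 = datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc)
    token = ledger.request("ann@example.com", ["email_marketing"], "optin-v2", "signup-form", t0)
    ledger.confirm(token, t0 + timedelta(minutes=5))
    for event in ledger.evidence("ann@example.com"):
        print(event)
```

Note that a subject who ticked only the marketing box has no record at all for sharing with group companies, so `may_contact` for that purpose answers no without any special casing; that is the granularity requirement falling out of the data model rather than being bolted on afterwards.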
It’s now time to get existing data up to the new standards: if you can’t prove consent then you no longer have the right to contact the data subject in question. Deploying a re-permissioning campaign can help alleviate this concern, as can looking at the “legitimate interest” aspect of the GDPR legislation. At Dataconversion we’ve always worked with our clients to ensure their data and marketing communications are compliant with data protection regulations. If you’d like a second opinion on the health of your data or how you engage with your customers, get in touch. We’d be happy to help!