Will Growth Marketing Survive GDPR? [Guest Post by The Jurists]
There is no escaping it: the General Data Protection Regulation (GDPR) will come into force on the 25th of May 2018. Since data is ‘the new gold’, marketing agencies depend on the personal data they process to do their jobs and make a profit.
Some people used to say GDPR will be the death of marketing, but this is far from true. The new regulation will reform marketing to a certain extent, but it will not make it impossible. Moreover, it mentions (direct) marketing explicitly in Recital 47, stating that ‘legitimate interest’ can be a ground for processing.
Data Controller or Data Processor?
The GDPR distinguishes two kinds of organisations: a data processor and a data controller. The data controller is whoever chooses what data will be collected, by what means and for which purposes. The data processor is the company that processes data to do something commissioned by the data controller. This means that a marketing agency will be a data controller most of the time, although the in-house marketing department of a company will be seen as (part of) the data controller.
The qualification as data controller or data processor is very important, because it will determine what responsibilities you have and how far they reach. If you are a data controller, you will be responsible for data breach notification within 72 hours, and your obligations in terms of a data register are a lot stricter.
The GDPR states that a company may only collect data from an individual if this individual gave his consent. This consent must be free, specific, informed, and unambiguous. GDPR will thus be the end of the opt-out and the soft opt-in, because consent must be unambiguous. No more pre-ticked boxes.
There are, however, five more grounds for processing in the GDPR that everyone has somehow forgotten about. These can be interesting when someone chooses to retract their permission.
That’s right. You do not always have to comply with the request of a data subject. If you need the data to perform a certain agreement, or because you need to comply with a legal obligation, or even if you can show legitimate interest, you do not have to erase the personal data. Be sure to use these other grounds for processing, because consent has a lot of conditions and is the most volatile.
What about personal data already in your database? The question is whether or not you really have to get the consent of everyone in your current database. The answer is neither yes nor no. In December the Article 29 Working Party stated that you need to (re-)ask for a GDPR-compliant consent from everyone for whom you cannot prove that the consent was given according to the principles of the GDPR. This is a huge burden for a lot of companies. Luckily, they also said that you can try to use another ground for processing.
Legitimate interest is the way to go here. You should try to get as many GDPR-compliant opt-ins as you can, but for all those who did not read your message or did not respond to your ‘call to action’, you can use legitimate interest to continue processing their personal data. Of course, you will have to do a balancing test and show that your interest outweighs the privacy rights of the data subject.
The GDPR is not the only important legal text for the marketer right now. 2018 will also be the year of the ePrivacy Regulation (EPR). The EPR will replace the ePrivacy Directive and aims to simplify the rules regarding cookies and electronic communication for the purposes of marketing.
It foresees various rules on spam and (unsolicited) electronic communications by other means such as SMS. What the correlation with the GDPR will be is not yet clear, but the huge fines of the GDPR will be adopted in the EPR as well.
The sanctions in the GDPR are very severe. They can be up to 20 million Euros or 4% of your annual worldwide turnover. Do not worry, not all of us will have to file for bankruptcy on the 25th of May. The sanctions were set so high to have a deterrent effect. According to current interpretation, we can state that the sanctions will be proportionate to the infringement.
If you take adequate measures on a technical and organisational level, you are not likely to face sanctions. However, you do have to take those measures. That means a lot of work for some companies.
GDPR introduces a change of management, top down. If you follow a few simple rules and change the way you process data, the GDPR will not be a burden for your company. Try to get consent where possible, but always try to go for another ground for processing as well. This is especially important in marketing, because we all know you like the ‘nice to haves’ and will probably want to process as much data as possible rather than comply with the principle of data minimisation.
The GDPR does not mean that marketing will become impossible. It does mean, however, that marketers will have to rethink the way they obtain and process personal data.