At Napier, we’re not offering a service to magically guarantee GDPR compliance. It’s just too complex a topic to be able to offer any kind of standard solution that will work for more than one client. The regulation is also so wide-ranging that as a marketing agency, we can’t tell you what to do, or even whether you are compliant or not. We are, however, keen to help our clients ensure compliance with this important new regulation, and have had some great conversations where we’ve been able to give both advice and support that simplified the work imposed by this new regulation.

In a nutshell, the new regulations will come into force on 25 May 2018. Between now and then it is therefore crucial for companies – and their marketing teams – to change the way ‘personal data’ is obtained, stored and secured, to ensure compliance. GDPR, of course, extends well beyond marketing, but we will focus on the impact on marketing activities as this is where your agency should be able to give advice.

As every company has a slightly different situation, we thought it would be worth listing the questions you should be asking your agency – they should be able to give you answers that are informed and helpful, but if they can’t help, you can take a look at our comments below.

Is there an easy way to ensure GDPR compliance?

Some very small organisations probably will be able to achieve compliance without much effort, but large organisations will need to spend a considerable amount of time. A recent survey by TrustArc found that 1 in 4 companies with over 5000 employees expect the cost of GDPR to exceed $1M. Even companies in the 1000-5000 range are budgeting eye-watering amounts, with 1 in 5 of them expecting to spend more than $1M.

Does GDPR affect me?

GDPR is a very wide-ranging regulation. It affects any organisation processing (or gathering) data about EU citizens, whether or not the organisation has servers, offices or employees in the EU. This “extraterritoriality” of the law may prove difficult to enforce for organisations that have absolutely no presence in the EU, but it means that almost every large organisation is going to be impacted by GDPR.

What are you doing about GDPR?

Your agency should have a good GDPR compliance plan; otherwise, how can you trust them to advise you? The work the agency has already done might also save you a little time.

Another factor is that data processors have specific legal obligations. If your agency isn’t going to meet those obligations while processing data for your campaigns, it could open you up to prosecution, as the “data controller” (i.e. the client in this case) has a responsibility to ensure processors comply with GDPR.

What are the GDPR rules for how long I can keep data? Does GDPR require opt-in marketing communications?

GDPR doesn’t work by defining timescales, and this is why it’s impossible to provide a straightforward list of requirements that you need to meet. GDPR requires organisations to look at the personal data they hold and determine the right way to handle it. Although there are best practices emerging, organisations need to make decisions for themselves.

GDPR doesn’t even require opt-in for marketing communications, despite what you might have heard. You can claim that direct marketing is a “legitimate interest” for your organisation, allowing you to use an opt-out policy, but you must make sure that the justification is documented clearly.

Are my marketing activities compliant? If not, how do they need to change?

Your agency should have a good idea of whether your current campaigns would need to change to be compliant. They should, at the very least, be giving you advice on where they can see potential issues.

Do I need to delete contacts from my database?

This really depends on how you have used your database. For example, if you’ve not conducted direct marketing to a contact for some considerable period, it’s going to be hard to claim that there is any relationship to justify direct marketing in the future. Although there was some talk about grandfathering existing databases (i.e. you can keep anyone who was in your database before GDPR came into force), the final regulations did NOT include this provision. So, you must consider whether your current databases are compliant.

Does GDPR mean I have to stop email marketing, unless a contact explicitly opts-in?

There is a common misconception that email marketing is going to be decimated by GDPR. In fact, you can claim that direct marketing is a “legitimate interest” of the business, justifying sending emails to a contact without explicit consent. Yes, the regulations really do say, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

However, it’s not quite that simple. Firstly, data subjects have the absolute right to object to processing (to opt out), and if you are using direct marketing as a legitimate interest, you’d better make sure that this is very easy to do. Furthermore, you must balance the right to privacy of the data subject with your legitimate interest of direct marketing to decide whether claiming the legitimate interest is reasonable. And this is where things can get very tricky!

How do I know if I can claim direct marketing as a legitimate interest?

The simple answer is to refer to the GDPR text, which says:

At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

There is no hard and fast rule! It does mean that organisations will interpret this part of GDPR differently, depending upon their perspective and the level of legal risk they are prepared to take. Whatever happens, if you want to claim a legitimate interest, then you need to have a clearly documented rationale for doing so.

What’s all the talk about transparency?

One of the key elements of GDPR is the need for transparency. If you collect data, you need to be absolutely clear about how you will use that data, and you can’t use the data for any other purposes. This means that your privacy policy had better be up to date, and you cannot get away with catch-all uses of personal data such as “any other business purposes”: we’ve seen this sort of clause in privacy policies, and it clearly fails the requirement for transparency. So, although it’s not the most exciting page on your website, you should be reviewing your privacy policy now!

You also need to make sure that it’s very clear how the data will be used when you collect it. We anticipate most companies will choose to use an opt-in check box when collecting data, so that the data subject’s consent is documented, but stronger approaches such as double opt-in are also likely to be popular.

What rights do the contacts on my database have?

These contacts (data subjects in the language of GDPR) have eight specific rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

So, this means that any contact on your database can ask for the information you hold on them, demand errors are corrected, tell you to delete their data (have you thought about what you do with backups?), stop you processing their data or even ask for their data in a format that allows them to transfer the data to another system!

This has huge implications for marketing and CRM databases: not only must you be able to meet the technical challenge of ensuring personal data is erased completely, but you also need to remember that anything on your database might have to be shown to that individual. If you don’t think this is a problem, are you sure that no sales person has documented, in your CRM, their challenges in dealing with a difficult person at one of your major accounts?

What about data security?

This is something that has been widely discussed: GDPR puts a lot of requirements on organisations to keep personal data private. If you’re hacked, or carelessly leave a USB drive on the train, you must report the data breach. You also must think about controlling access to your data through individual accounts and passwords.

How do I show I’m compliant?

The regulations are pretty clear about this. To show compliance, you must:

  • Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintain relevant documentation on processing activities.
  • Where appropriate, appoint a data protection officer.
  • Implement measures that meet the principles of data protection by design and data protection by default.

Why can’t you just sort out compliance for me?

We’d love to be able to ensure our clients are compliant, but there are several reasons why this isn’t usually possible. So perhaps this isn’t really a question you should ask, although we understand many clients will want to ask it!

As a marketing agency, we simply don’t have enough visibility into our clients’ activities. Of course, we can review the marketing automation system to see whether there is clear documentation about the source and consent of a contact, but what about the Excel sheets that the sales team have been emailing? A marketing agency is unlikely to be able to track this, let alone determine whether it’s possible to remove someone from the email backup system (honestly, would you want your marketing agency messing with your IT systems?).

What about the lead sheets and business cards from the show last year that are sitting with the sales team? GDPR includes paper records, and an agency is unlikely to know what sheets of paper have been distributed.

So, it’s hard for a marketing agency to know everything that needs to be done, or for a client to give access to all the systems that contain personal data – which includes any folder containing files with contact details!

Some aspects of GDPR involve weighing the data subjects’ rights against a legitimate interest: we’re confident there will be many companies claiming direct marketing as a legitimate interest. Although we can give our opinions on how to balance these rights, so our clients are fully informed, in the end it’s a decision we believe they must make based on advice from their legal counsel, and one that should never be outsourced to a marketing agency.

What can you do to help me?

If you’ve read down to this question, you might be feeling a little depressed: there’s so much to do in just a few months, and we’ve said that you’re going to have to do the work yourself!

But don’t worry, your agency should be able to help you and take most of the hard work away. They should:

  • Give advice and information, although we’d always recommend using your company’s legal counsel as the highest authority on this (and any other legal matter).
  • Support analysis of the current situation. A data protection impact assessment (DPIA) is one process for helping organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and involving your agency in this process could save you a significant amount of work.
  • Provide a perspective on what policies you should adopt. The agency should be able to talk through things such as what your policy on retention of existing contacts will be, whether you will seek explicit consent from existing contacts, how you will ensure the number of databases is manageable and what your privacy policy should include.
  • Review the data collection processes and data that is visible to them. Although there will be some data that the agency can’t be aware of, they probably see a significant proportion of your marketing systems, and can review whether they are likely to be compliant.
  • Crunch the data. Your agency should be able to process data based on policies you’ve decided, or to ensure things like opt-out data is synchronised between systems (although really this should be happening already). We’ve crunched databases of 1M+ contacts for our clients: it’s really not that hard when you know how!
  • Help you to design privacy into your marketing campaigns. One of the principles of GDPR is that privacy should be designed in, and there are a lot of ways to achieve this.

In Summary

The bad news: GDPR is coming, and if you’re reading this blog post, it almost certainly affects your organisation. There is a lot of work for you to do before the legislation comes into force, and it’s highly unlikely that you can just call in a company to make you compliant.

The good news: although GDPR does place some onerous demands on marketing and information technology, as well as limiting what can be done with personal data, it is possible to comply and continue proactive and effective database marketing and marketing automation activities that drive revenue for your company. Although your marketing agency can’t do it for you, there are many different points in the process at which they can help. There’s still time to meet the deadline if you’re able to call in knowledgeable help and support.

Request our Guide ‘The New GDPR Regulations – A Study by Napier’

Request our guide to find out how you and your marketing teams should be changing the way your personal data is obtained, stored and secured. Click here to request your copy.