How will GDPR impact marketing?

The much-talked-about European Union (EU) General Data Protection Regulation (GDPR) is coming into effect on 25 May 2018 and will apply to the UK, despite Brexit. It marks a milestone in data protection laws in the EU and will have a huge impact on business processes. What effect will it have on marketing?

GDPR has been designed to strengthen data privacy and protection for all EU citizens, and gives individuals back control over their own data and how it is used. It is already sending tremors through digital marketing departments that aren’t prepared for the legislation.

GDPR is probably the most important change in data privacy protection in twenty years. It will require any organization that stores, processes or handles the personal data of EU citizens, regardless of organization size or global location, to abide by its ruling. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU. This legislation is backed up by some very sharp teeth. Organizations that are non-compliant will face heavy fines.

Currently, data controllers who “own” data are responsible for the safekeeping of personal data. GDPR extends this to internal and external data processors, who may be using technologies such as email marketing platforms or customer relationship management (CRM) technologies. This essentially means anywhere an individual’s data is processed.

Anyone involved in digital marketing who hasn’t familiarized themselves with GDPR should do so as a matter of urgency to check where it affects them and what action to take. In particular, do the following:

  1. Take control of your data, if you haven’t already. Review how you seek, obtain and record consent and check that your data privacy policies are compliant. Both permissions and the sources of your data will need to be rigorously checked. This may require a data audit.
  2. Conditions of consent have been strengthened. Requests for consent must be given in “an intelligible and easily accessible form, with the purpose for data processing attached to the consent”. This consent must be in clear, plain language and distinguishable from other matters in a written document. Importantly, it must be as easy to withdraw consent as to give it. There is a higher level of consent, called “explicit consent”, for special categories of personal data “that are particularly sensitive to fundamental rights and freedoms”. Children will require parental consent, so it is prudent to put systems in place to verify individuals’ ages.
  3. Understand “right of access” and make sure this is achievable in your organization. Under GDPR, data subjects will have the right to obtain information from the data controllers confirming whether their personal data is being processed, where and for what purpose. The data subject can request a digital copy free of charge from the data controller.
  4. Check that your procedures can cover the individual’s rights. This is especially important for the “right to be forgotten”, also known as “data erasure”. The right to be forgotten entitles the data subject to have the controller erase their personal data, cease further dissemination and, potentially, halt third parties processing the data.
  5. Ensure that you can address data portability. Here the data subject has the right to receive data concerning them, which they have previously provided, in a commonly used and machine-readable format. They have the right to transmit this data to another controller.
  6. Familiarize yourself with regulations on cookies and other tools that track and capture personal data, such as online behaviour tracking. A data subject must provide specific, informed consent to the use of cookies or comparable tracking technology. GDPR provides an exception where cookies are “strictly necessary for the legitimate purpose of enabling the use of a specific service requested by the subscriber or user.”

Get up to speed on data breach reporting

You must make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Under GDPR, breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The breach must be reported within 72 hours of your organization becoming aware of it. Data processors will have to notify their customers, the controllers, “without undue delay” after becoming aware of the breach.

Make sure you can demonstrate compliance

The clock is ticking. May 2018 isn’t that far away now. These changes are sweeping and marketers will need to ensure they can adapt to and work within the regulations. On the positive side, it will give them a chance to look at new, creative ways of reaching out to their target audiences.

Here at Futurity Media we have an experienced and knowledgeable content creation team who can work side by side with your marketing and sales teams to create highly creative content. Contact us for an informal chat today.
