GDPR and marketing: Here’s what your business needs to know

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it will affect all areas of your business. However, one area to especially be aware of is marketing. Preparing a plan for the GDPR and marketing will be important as this is one area where your business comes into contact with a lot of personal data – from both potential customers and existing ones too.

When thinking about the GDPR and marketing, consider the fact that changes to your processes will probably need to be made across all areas, including email marketing and direct marketing. When planning for the GDPR, marketing consent – and your processes around it – is important to look at too.

Read on for more details on how the new legislation will affect your marketing operations and what you need to do to be compliant with the GDPR.

How GDPR affects marketing

There are three key areas in which the GDPR will affect marketing: the personal data that is asked for by marketers; individuals having more control over their personal data and how it is used; and marketers asking individuals for permission as to how they contact them rather than working by assumption. Here, we go into more detail in each area.

1. Data requests can’t be generic

Rather than asking individuals for lots of data in the hope that some of it can be used for a future, unrelated task, you will have to be more specific in what you ask for. The GDPR requires you to justify the processing of the personal data that you are getting from individuals. What this change should lead to is marketers only collecting and processing relevant data.

2. Individuals having access to their data

With the GDPR allowing individuals to access or have their data removed, as a marketer, you need to make sure that your prospective and existing customers can access their data easily. And if they want to remove consent for their data to be used, this should be easy for them to do too. This comes under the right to be forgotten.

3. Permission is required, assumptions are out

This covers opt-ins, opt-outs and consent when communicating with individuals. When managing opt-ins with your prospective and existing customers, assumptions have to go out of the window and gaining permission is vital.

As part of the GDPR, consent must be “freely given, specific, informed and unambiguous” and done in a way that offers a “clear affirmative action”.  It’s also worth realising that silence or inactivity from your customers, alongside pre-ticked boxes on forms, no longer constitute valid consent.



How GDPR affects email marketing

When it comes to GDPR, email marketing will have to change where the management of email opt-ins and opt-outs is concerned. As highlighted above, you can’t make an assumption that someone wants to receive your new email newsletter and feature a pre-ticked box.

You need to give people an option to opt in to get your newsletter. Under the GDPR, you can’t have a box that is already ticked and requires a user to opt out if they don’t want to have an email sent to their inbox.

If people on your email list want their personal information to be removed, there should be a method in place for them to easily do so. A simple option would be to add an unsubscribe link within the emails that go out to your prospective and existing customers.

Another form of good practice could be to create a user profile that allows people to manage their email preferences – it could let them select which emails they would like to receive from your business and ones they don’t want to get.

What do you need to do with existing marketing data?

When it comes to existing databases for marketing leads, there are two tasks that need to be undertaken, at least, prior to the GDPR’s implementation:

  1. Legally review the consent that was used originally and see if it’s compatible with the GDPR’s requirements.
  2. If your existing consent isn’t sufficient and your team doesn’t have another lawful basis for the processing of the data, you will have to contact each and every one of the individuals in the database to seek new consent or refrain from processing the data.

If after that you don’t receive fresh and specific consent for the purposes that you want to process the data, then you need to suppress or delete the individual’s data.

Estimates suggest the requirements highlighted above could reduce marketing databases by as much as 75%. However, on the positive side, that means the individuals who do respond with fresh consent to your requests will prove to be more valuable to your business as they are willing to have you engage with them.

However, it’s worth remembering that consent is only one possible requirement for lawful processing. If you have an ongoing contract in existence between your business and a customer or client – or one is likely to exist soon – you don’t necessarily have to get consent.

One example of this could be where that processing is required for the performance of a contract or in the legitimate interests of your business and/or the customer. 

GDPR and marketing consent

When it comes to GDPR marketing consent, you will need to create new processes that are compatible with the legislation. They will be required when dealing with personal data from individuals, and they may involve getting consent.

Remember, assuming consent or using a single consent across all processing activities will not be allowed. The same goes for using a pre-ticked box on a website or email form to assume an individual is giving you consent.

When it comes to purchasing marketing leads, you’ll have to make sure that the consent of each individual complies with the GDPR. That means they have given clear and individual consent for their details to be sold on like this. However, as most people are unlikely to agree to this happening, the transfer, sale or purchase of marketing leads will probably become a rare activity.

Marketing and dealing with customer enquiries

Under the GDPR, customers and clients will have rights allowing them to know what your business is doing with their data. It’s worth realising that individuals will also have the right to withdraw consent, which is subject to certain exemptions. And in some cases, they will have the absolute right to withdraw consent from certain uses of it – one such example is direct marketing.

Your business will need to put procedures in place to deal with this – and perhaps staff too, such as a data protection officer. Then your employees will have to perform certain tasks, such as clearing future marketing lists or documenting requests against your internal suppression list.


GDPR and data minimisation

The days of the “fishing expedition” side of marketing, where a checkbox or questionnaire is presented with a view to somehow using the data that’s collected in the future, are coming to an end. According to the GDPR, you won’t be allowed to get lots of data from an individual without having the justification to do so.

Your new processes will require your business – and your marketing team – to show what data you are collecting and explain what it is that you intend to do with it. As part of those processes, you might need to get consent for using the data in a specific way. And remember, you should document when you intend to suppress or remove the data. 

How your marketing team can prepare for the GDPR

There are three things you can do to make sure your team is ready for the GDPR:

  • Educate your team – let them know what is happening with the GDPR and why your firm’s processes will need to be changed. Work with them on the new processes that will be implemented and make sure everyone is clear on the steps they need to take within their roles as far as dealing with personal data is concerned.
  • Adjust your systems – by getting your processes working in the right way and dealing with the admin side of that now – contacting your existing clients for consent to keep contacting them by email, for example – in the future you will be able to work efficiently and in the knowledge that you’re abiding by the GDPR.
  • Get the right financial resources in place – implementing the GDPR will mean there are costs to pay, whether that’s due to using external resources to prepare for the legislation or the requirement to adapt your processes. Put a plan together so you know what is required then action it.

Four things your business should do to prepare for the GDPR

Glenn Pearson is a director of business support firm Augmentum Business Solutions, which is helping businesses prepare for the GDPR. He and three of our Sage Business Experts have some useful advice to help your business so you are ready for the GDPR when it comes into force. Here’s what they have to say:

Glenn Pearson: “Communicate what you are doing with your staff [with regards to the GDPR]. Make sure you develop a plan and document it with timescales, then implement it.”

Nicky Larkin, founder and managing director of Goringe Accountants: “If you realise GDPR is going to be a big requirement for your business – and obviously it’s tight now because of the deadline – use an external consultant.”

Keith Tully, a partner at Real Business Rescue: “The main thing is to act now and demonstrate that you are actively doing something.”

Steve Johnson, owner of Graphite Web Solutions: “Don’t panic but also don’t ignore it. There is plenty of information out there on the internet – probably too much so.”
