GDPR is coming – very soon. The EU General Data Protection Regulation, to give it its official name, will come into force on 25th May 2018, heralding one of the most far-reaching changes in worldwide privacy law in twenty years.
GDPR affects businesses of all sizes that provide goods and services to, or track or create profiles of, EU citizens. This includes micro-companies and sole traders: basically, any entity that does business with anyone in any country of the EU. So even if you are the tiniest business providing services to a person or other business in the UK only, GDPR will affect you as much as it will a multinational conglomerate.
Contrary to popular belief, Brexit is unlikely to provide a get-out clause for GDPR, as there is quite a degree of certainty that the UK will adopt its own legislation to retain, at the very least in part, the GDPR legislation. And of course, it must be remembered that whilst as a nation we remain in the EU, until the divorce is finalised, all EU laws continue to apply.
So, if you are providing goods or services to an EU country, and that includes the UK, you’ll need to start making preparations NOW if you want to avoid the significant fines associated with non-compliance.
What is GDPR?
GDPR has been created with the aim of improving and simplifying data protection for citizens, residents and businesses within the European Union.
At the moment, there are numerous diverse data directives in operation across the member states of the EU. This means that when data crosses EU borders, it becomes unclear as to how it should be treated. This lack of clarity is risky for consumers and businesses.
GDPR is all about standardising the current hotchpotch of directives, bringing them together into one streamlined set of rules that will strengthen the rights of the consumer, and make it easier for businesses to know how they should be controlling the data (i.e. everything from a name and telephone number to an IP address, date of birth and photograph) they hold on them.
Do Not Panic!
Due to the extent of the changes that will come in on the back of GDPR, many businesses seem to have gone into a state of panic over it, and in many cases, the Regulation has been widely reported in a negative light.
However, we believe that anything designed to protect personal data and keep people safe online (and offline) has to be a good thing and, if we approach it from a positive stance and take time to properly prepare, it could actually prove advantageous.
So, precisely what does GDPR mean for the digital marketer?
There are three main areas that we need to look at in terms of GDPR and digital marketing: consent, the right to be forgotten and the processing of personal data. Each area is fairly extensive in its own right, so let’s start by taking a look at consent now, and we’ll save the others for their own dedicated posts.
Consent – Opt-in and Opt-out
Under current data protection legislation, a consumer is automatically opted in to receive communications from any business they have transacted with unless they notify the business that they wish to opt out. Under GDPR, however, this is turned on its head: a business may no longer assume consent, and must instead obtain express consent from the consumer. Such consent must be freely given, informed, specific and unambiguous, and can only be provided by a ‘clear, affirmative action’.
So that’s the official line. But what does it mean in layman’s terms? Basically, as a marketer, you can no longer use pre-ticked or opt-out boxes to acquire consent to use your customers’ data and to contact them for marketing purposes, nor can you treat silence or inactivity as consent. Here are some examples to explain further.
Non-Compliant with GDPR
Reason: Aside from the fact that Sky is asking customers to opt out, which is no longer permissible under GDPR, the process is confusing because the customer is first being asked to tick a box to agree to something, then another one to disagree.
Compliant with GDPR
Reason: There is no opt-out process, just a simple, clear, affirmative action and a concise and transparent process without ambiguous language.
The Direct Marketing Association (DMA) recommends outlawing the use of tick boxes altogether, which is precisely how The Guardian has played it.
Key Changes Concerning Consent
The Information Commissioner’s Office (ICO) has usefully highlighted the following as key changes concerning consent to receive communications, and we think these are pretty much the Holy Grail of digital marketing in the GDPR age.
Consent must be:
Unbundled – never attempt to hide your consent wording within your terms and conditions and NEVER make consent mandatory as part of the sign-up process for a service, unless it is absolutely necessary for that particular service.
Active – pre-ticked boxes are now outlawed, as are opt-out boxes. Unticked opt-in boxes are the only type that can be used, although other types of active opt-in methods, such as the one in use by The Guardian, are preferred and safer.
Separated – if you are requesting consent for various actions, such as to send marketing communications or to pass details on to third parties offering similar services, etc. then each option should be presented separately.
Options for different types of communication method should also be separated, e.g. by email, post, telephone, text message, etc.
Named – you should name the organisation and any third parties relying on consent. Simply referring to ‘third parties’, or even defining the type of third party, for example ‘home furnishing stores’, is not permissible under GDPR. Naming the organisation requesting consent is particularly important where there are different aspects to the business, for example Tesco Stores Limited, Tesco Clubcard, Tesco Wine Direct, Tesco Direct and Tesco Bank.
Easy to withdraw – it must be made clear that consumers have the right to withdraw their consent at any time, and you need to set out precisely how they can do so. Withdrawal of consent must be a straightforward process, which means you’ll need to put a simple but foolproof structure in place to deal with it.
Front of House – tick. Infrastructure… to do?
Once you have updated your consent wording, you can tick that task off your GDPR to-do list. However, you’re still going to need to update your processes so that you do precisely what you say you are going to do and, crucially, so that you never act against the wishes of your customers. Doing so could result in fines that would, without doubt, cripple your business.
Record-keeping systems, and processes by which users can migrate their data, should be next on your agenda.
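As an added example (not code from the original post), the following consent ledger shows how the five ICO rules above and the record-keeping point can be encoded: every purpose and channel is consented to separately, the default is no consent, pre-ticked or silent "consent" is rejected, every relying party must be named, and withdrawal is always accepted and wins over earlier grants. The purpose and channel lists, the organisation name and the wording version are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Sequence, Tuple

# Assumed purposes and channels (the post requires each to be offered separately).
PURPOSES = ("marketing", "third_party_sharing")
CHANNELS = ("email", "post", "telephone", "text")


@dataclass
class ConsentEvent:
    purpose: str
    channel: str
    granted: bool                   # True = affirmative opt-in, False = withdrawal
    recorded_at: datetime           # evidence of when consent was given/withdrawn
    wording_version: str            # which consent wording the person actually saw
    named_parties: Tuple[str, ...]  # organisation and third parties relying on it


@dataclass
class ConsentRecord:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def grant(self, purpose: str, channel: str, wording_version: str,
              named_parties: Sequence[str], affirmative_action: bool) -> None:
        # 'Active': only a clear affirmative action counts; a pre-ticked box or
        # silence arrives here as affirmative_action=False and is rejected.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        # 'Separated': consent is per purpose AND per communication channel.
        if purpose not in PURPOSES or channel not in CHANNELS:
            raise ValueError("unknown purpose or channel")
        # 'Named': a vague 'third parties' label is not an acceptable name.
        if not named_parties or any(p.strip().lower() == "third parties" for p in named_parties):
            raise ValueError("every party relying on consent must be named")
        self.events.append(ConsentEvent(purpose, channel, True, datetime.now(timezone.utc),
                                        wording_version, tuple(named_parties)))

    def withdraw(self, purpose: str, channel: str) -> None:
        # 'Easy to withdraw': no justification needed, always recorded.
        self.events.append(ConsentEvent(purpose, channel, False,
                                        datetime.now(timezone.utc), "", ()))

    def permitted(self, purpose: str, channel: str) -> bool:
        # Default is NO consent; the most recent event for this pair decides.
        history = [e for e in self.events if e.purpose == purpose and e.channel == channel]
        return history[-1].granted if history else False
```

Before sending any message, the dispatch process should call `permitted()` for that exact purpose and channel rather than relying on a single account-wide flag.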
In our next post we’re going to look at the remaining two main areas of GDPR: the right to be forgotten, and the processing of personal data.
In the meantime, if you feel lost in the GDPR mist and are unsure as to how to present your consent information, or are looking at interesting yet compliant ways of doing so, then please feel free to get in touch.