GDPR Pt. 2: The Right to be Forgotten and Processing Data
October 23rd 2017 | By Sarah McInerney
In our last post we took a look at the topic of the moment, GDPR, from the point of view of the digital marketer. If you sell or market goods or services online, then the post is a must-read, because like it or not, GDPR is coming, and it WILL apply to your business, whatever its size and regardless of Brexit.
Our focus for the last post was the important subject of consent, in other words, opt-ins and opt-outs. We discussed the fact that GDPR changes everything: from May next year, no business is permitted to send marketing communications to a consumer without first gaining explicit consent. So that means waving goodbye to pre-ticked boxes and opt-out boxes, because implied consent and soft opt-ins are out.
We looked at a few examples of correct and incorrect practice concerning online consent requests and listed the do’s and don’ts regarding consent, such as ensuring the request is clear, unhidden and definitely NOT mandatory.
Consent – there’s more to talk about
Consent under GDPR is in itself a very broad subject and certainly one we’ll be revisiting in the near future. There are still plenty of areas to cover, such as the control of third-party tools and technology, including customer relationship management (CRM) platforms and mailing campaign automation, as well as dealing with data captured by non-digital means, such as events and exhibitions.
There is also the task of refreshing opt-in consent levels, in other words, ensuring your current mailing lists and databases are up to date and that everyone on them consents to hearing from you. This could actually prove to be a golden opportunity for a marketing campaign in itself, as well as the chance to learn more about your customers. But let’s talk about that another time.
Our topics for this post are the remaining two key areas under GDPR: the right to be forgotten, and the processing of data.
The right to be forgotten
GDPR has been designed to give consumers back control of how their data is collected, and what it is used for. Come May next year, consumers will have the right to request that their data is removed from any database. This does not mean adding a ‘do not contact’ rule to their entry: it means completely deleting the record.
GDPR does not allow data to be kept for any longer than is necessary or used for anything other than the purpose for which it was intended. Under the new rules, no business is permitted to keep consumer data indefinitely. Any European citizen is able to request that their data is removed once consent has been withdrawn, unless there is a legitimate reason for the business to hold it.
Going back to what we touched on earlier concerning third-party platforms: if you use email marketing software such as Constant Contact or Mailchimp, or a CRM platform such as HubSpot or Salesforce, you will need to ensure that the data stored in them can be deleted should you stop using the platform, and that you can download your own data when required.
Processing personal data
GDPR will force marketers to polish their methods of collecting data. Every piece of data on customers, both existing and prospective, must only be collected for a legitimate reason and must only be kept for as long as that reason remains valid. Data cannot be collected simply ‘because’.
Returning once more to the subject of CRM, GDPR will require marketers to make it clear to consumers that their data will be maintained in such a platform.
Every business will be required to appoint a data protection officer (DPO) who will be in charge of making sure all customers are aware of what their data is being used for. The DPO will be the main point of contact for the Information Commissioner’s Office (ICO) and will be responsible for dealing with any requests from customers concerning their data.
A note on data security
Security is also crucial in order to protect data. Article 5 of the GDPR states that personal data must be, ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ And Article 32 states that businesses must, ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
It is therefore imperative for marketers to consult with their IT providers in order to review their current position and ensure they are taking suitable steps towards GDPR compliance in terms of keeping data secure.
More on GDPR?
As we said, there’s definitely more to cover on this broad subject. Next time we’ll take a look specifically at mailing campaigns and how to deal with consent so that you can get your mailing lists in order in time for the May 2018 deadline. As mentioned, GDPR could present the ideal marketing opportunity, so why not make the most of it?
If you’d like any help in putting together a GDPR compliant marketing campaign, why not talk to Figment?