Almost two years since the GDPR came into effect, understanding its finer points remains a challenge to marketers. In particular, the lawfulness of processing data (Article 6), especially consent and legitimate interest, pose the greatest challenge. Marketers need to assess what lawful basis can be used, which is the most appropriate when processing data for marketing processes, and how this might affect their marketing activities, including direct marketing, advertising and so on.
Are you GDPR compliant?
While the scare stories of hefty fines and the general sense of pre-GDPR panic has now died down, many businesses are still getting to grips with GDPR. It’s unlikely, though, that they are fully compliant as they try to interpret the regulations and how best to apply them to marketing activities.
The GDPR is principals-based, and while the definitions are explicit, they do not provide specific directives of how to apply them when collecting, processing, storing and using data. That means that these daily decisions are the responsibility of the marketers processing the data. Because GDPR doesn’t say how to apply the definitions, marketers still need to know how to make a decision and justify it, but this leaves them open to the risk of breaking them where regulations are not explicit.
When it comes to the lawful bases for processing data, how can marketers ensure their data is transparent, compliant and responsible and that they ensure the purpose limitation principles of the GDPR are met. And how do they align their legal, compliance, governance, IT and marketing teams in order to meet the data protection regulation and educate them on how to use and process data?
Data protection law
Marketers must now be more acquainted with data protection law and know how to apply the regulations to their activities. But they also need to be able to balance their business objectives and KPIs, while not contravening the regulations where they are not explicit. Data Controllers and Processors are now more responsible and accountable when it comes to processing personal data, and they must be able to record processing activities and evidence the rationale and legal basis for those decisions.
Even experienced marketers and data and compliance professionals are questioning every action and decision regarding customer and prospect communications in the context of the GDPR. What is the best lawful basis to use or choose from? How do I choose which is the most appropriate? Do I need to write a LIA or DPIA? Does my organisation need to be named when purchasing data for prospecting? How do we ensure we have protected the consumers’ fundamental rights? The list goes on.
It is no wonder, therefore, that a lot of confusion stills exist around when and how to use the key lawful bases for processing data for marketing purposes: consent and legitimate interest.
Legitimate interest, based on the ICO’s definitions, is the most flexible of the six legal bases for processing personal data, and it can therefore be applied to many different situations. It is, for example, the most appropriate basis when processing data is of a clear benefit to you or others, there is limited privacy impact on the individual, or where an individual would reasonably expect their data to be used in that way. The balance of fundamental rights is of equal measure and transparency is crucial when making these decisions.
GDPR specifically states that direct marketing may be considered a legitimate interest in recital 47, albeit upon the appropriate and thorough application of a balancing test. By balancing the business and marketing objectives with the rights of the individual – and a good dose of common sense – and documenting it in a professional and trackable manner, marketers can use this basis for marketing with more confidence.
Applying a balancing test to a legitimate interest also applies to prospect data and data sourced from third parties as well as first party data. There is nothing in the GDPR that prohibits the use of third party data, provided that it is collected and processed in accordance with the data protection principles and regulatory guidance.
When it comes to consent, this is what the ICO has to say; “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”
This means that, in a number of cases, consent may not be required. However, some examples of when it is required involve the use of electronic marketing (namely email) and this is where GDPR and the Privacy & Electronic Communication regulation (PECR) dovetail, i.e. email marketing requires consent and the requirements for consent are set out in PECR.
Trust is paramount
At the heart of the GDPR is building and maintaining trust and transparency with consumers: that means applying rigour and common sense to balancing commercial interests with consumer rights and testing that decision to ensure it is the right approach.
The days of privacy being a box-ticking exercise are far behind us. The concept of privacy by design and ‘responsible marketing’ requires a cultural shift to achieve and maintain. Being genuinely GDPR-ready is a work in progress, but it can only be a good thing as it helps to implement alignment, accountability and education across marketing, IT, legal and compliance departments.
Andy Bridges is Data Quality and Governance Manager at REaD Group.