How will GDPR legislation affect B2C digital marketing?


GENERAL DATA PROTECTION REGULATION - GDPR READY

From May 2018, when GDPR legally applies, it will be important to re-think the way in which you not only collect customer data but also use and retain it. There are a number of key legislation changes which will affect the way in which you market to your customers, and all of your campaigns will need to be re-evaluated to ensure that you are compliant. Audit your existing campaigns to see where revisions are required and implement them in good time before the May deadline.

Overview

- Consent Management
- Opt-in
- Legitimate Interest
- Sign up statements
- The right to be forgotten, portability, rectification
- Profiling
- Auditing
- Data Minimisation

Consent Management

No option but to opt-in

In general, you will only be allowed to market to individuals who have given unambiguous consent on an informed basis for one or more specific purposes. This means that when an organisation requests an email address, by whatever device is used at the point of collection, they must:

- Ask the customer to pro-actively opt in rather than opt out, which means you can't have pre-ticked opt-in boxes. Consent also needs to be purpose specific: you cannot simply create an "I agree to all future use of my personal data" consent phrase.
- Provide an explanation at point of collection to clearly explain what they are signing up to and how the data will be used. This information can be served via a link within the copy.
- Once opted in, there must be clear, signposted and easy to access ways to unsubscribe at any point.
- There must be auditable ways of tracking how consent was requested, captured and stored.

What does this mean for my existing database?

If you want to continue to market to your existing database you will need to be able to prove that you lawfully gained consent originally. This means that, if requested, you'll need to be able to provide clear evidence that consent was gained in a GDPR compliant way, even before GDPR was legislation. Post May 2018 you won't be able to retrospectively request consent without facing fines and cannot under any circumstances email customers and ask for email consent.

Legitimate Interest

"Legitimate interest" as a concept means there will be times where you don't need to ask for consent to collect, store, use, disclose, process, destroy or otherwise "process" personal information. Marketers can contact previous customers about other products and services which they deem to be of relevance under the banner of legitimate interest without specific marketing consent. Ensure that content is relevant and appropriate based on past purchase or contact.

It's also advisable to provide easy access to a marketing preference centre to enable customers to choose the types of marketing communications they would like to be sent, and clear options to unsubscribe are important too. If you are unable to rely on Legitimate Interest as a lawful basis for marketing, e.g. marketing to a list of non-customer contacts, then you require valid consent.

Sign up statements

The legal consent method is yet to be determined. However, at point of email sign up, a statement should be presented to the individual clearly outlining what they are signing up to and what their data is going to be used for. Here are some examples for you to consider:

- I would like to receive future communications from COMPANY. Privacy Policy. Cookie Policy. Terms & Conditions.
- Sign me up for personalised emails from COMPANY. By signing up, I agree to company's Privacy & Cookie Policy, as well as their Terms and Conditions.
- I would like COMPANY to send me relevant material. You can withdraw your consent at any time.
- I agree to my personal data to be used for marketing purposes in line with COMPANY's policies. Privacy Policy. Cookie Policy. Terms & Conditions.

You must present adequate information on how the individual's data will be explicitly used via a number of updated statements which can be stored online.

The right to be forgotten, portability, rectification

Customers have the right to "control their own personal data." This extends to those times when the consumer has "loaned" data to a business for processing. GDPR allows any individual to contact any organisation that controls their data and request that their data be:

1) Rectified - corrected or updated if it contains errors.
2) Erased - meaning that every piece of personal data about that person must be erased from all systems, ensuring there is no link from the data to personally identify the individual. An option could be to pseudonymise, or delete altogether.
3) Portable - provided to them in a human readable format and/or an easily machine readable format for transferring to a third party for importing.

The right to erasure does not provide an absolute right to be forgotten. Individuals have a right to have their personal data erased and prevented from further processing where the controller does not have an overriding case to keep it. Examples of cases where data will not be erased include contractual, legal, research or public interests trumping those interests of the individual data subject.

The right to object to profiling

Individuals have "the right to object", which means they have the right to say no to profiling, for instance to having their buying patterns stored, analysed and used for promotional purposes. If an individual objects to their data being processed for marketing, it can no longer be used for marketing purposes. Remember that any marketing communication needs to offer the right to object.

The GDPR's focus on consent carries through into online marketing, detailed separately in the ePrivacy Regulation (currently in draft), which will replace the UK's existing PECR regulations. Individuals will need to provide consent for online profiling, for instance to having their buying patterns stored, analysed and used for promotional purposes.

This means that if you've lawfully collected data and want to use that data analytically to derive shopping habits, then you need to have consent to do so. The same goes for chat tools and other online tools that collect personal data, even if you use pseudonymous identifiers. Consent must be gained inside apps and websites for the purposes of third parties delivering tracking, profiling and inserting cookies. This will either take the form of pop-ups requesting consent or, more likely, browser/system default settings which instruct the app/website of the individual's consent preferences. This technology will be finalised once the ePrivacy Regulation is complete; however, you will need to update your privacy statement and cookie policy accordingly.

Ensure you have the technology solution to enable simple deletion or export of customer data if requested.

Audit trail

GDPR makes explicitly clear that consent must be provable. Organisations must keep a record of their opted-in subscribers so that they'll be able to provide the proof of consent needed to avoid penalties. This means you'll need to be able to provide a clear audit trail, depicting what time, date and method was used to acquire consent, what the input form looked like and the subscribe message.

One solution that supports this audit trail is the "double opt-in" method, which verifies each individual is indeed the person that gave the initial consent. Despite some organisations advising that GDPR requires double opt-in, the UK's ICO does not deem this as mandatory and will be providing updated marketing guidance later in 2017. Double opt-in is ideal, but can be problematic in some situations, such as with pre-existing customer databases. From May 2018, all existing and new marketing contacts must have been provided in a GDPR compliant fashion.

Data Minimisation - How much data can I collect?

Companies must be able to demonstrate that any business process touching personal data uses as little data as possible, for the shortest possible period, and deletes it as quickly as possible, all while exposing it to the fewest number of people.

"The personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Source: ICO

Ultimately, data controllers are responsible for justifying why each piece of personal data is collected. As you document all the personal data that you currently collect, consider anything that cannot be tied directly to an explicit business requirement, and plan to remove it. If you cannot justify why you need a piece of data then you should not collect it, process it or retain it. Intilery can limit whatever data parameters you provide to avoid keeping and storing data unnecessarily as well as providing the means of deleting where necessary.

Chester Office
Beech House
Park West Business Park, Sealand Road
Chester CH1 4RJ
Sales & General Enquiries: +44 (0) 844 802 4581
www.intilery.com