How will GDPR legislation affect B2C digital marketing?
GENERAL DATA PROTECTION REGULATION: GDPR READY

From May 2018, when GDPR legally applies, it will be important to re-think the way in which you not only collect customer data but also use and retain it. There are a number of key legislation changes which will affect the way in which you market to your customers, and all of your campaigns will need to be re-evaluated to ensure that you are compliant. Audit your existing campaigns to see where revisions are required and implement them in good time before the May deadline.

Overview
- Consent Management
- Opt-in
- Legitimate Interest
- Sign up statements
- The right to be forgotten, portability, rectification
- Profiling
- Auditing
- Data Minimisation
Consent Management

No option but to opt-in

In general, you will only be allowed to market to individuals who have given unambiguous consent, on an informed basis, for one or more specific purposes. This means that when an organisation requests an email address, whatever device is used at the point of collection, it must:
- Ask the customer to pro-actively opt in rather than opt out, which means you can't have pre-ticked opt-in boxes.
- Make consent purpose-specific: you cannot simply create an "I agree to all future use of my personal data" consent phrase.
- Provide an explanation at the point of collection that clearly explains what the customer is signing up to and how the data will be used. This information can be served via a link within the copy.
- Once the customer has opted in, offer clear, signposted and easy-to-access ways to unsubscribe at any point.
- Keep auditable records of how consent was requested, captured and stored.

What does this mean for my existing database?

If you want to continue to market to your existing database you will need to be able to prove that you lawfully gained consent originally. This means that, if requested, you'll need to be able to provide clear evidence that consent was gained in a GDPR-compliant way, even before GDPR was legislation. Post May 2018 you won't be able to retrospectively request consent without facing fines, and cannot under any circumstances email customers to ask for email consent.

Legitimate Interest

"Legitimate interest" as a concept means there will be times when you don't need to ask for consent to collect, store, use, disclose, process, destroy or otherwise "process" personal information. Marketers can contact previous customers about other products and services which they deem to be of relevance under the banner of legitimate interest, without specific marketing consent. Ensure that content is relevant and appropriate based on past purchase or contact.
It's also advisable to provide easy access to a marketing preference centre so that customers can choose the types of marketing communications they would like to receive; clear options to unsubscribe are important too. If you are unable to rely on Legitimate Interest as a lawful basis for marketing, e.g. when marketing to a list of non-customer contacts, then you require valid consent.

Sign up statements

The legal consent method is yet to be determined. However, at the point of email sign-up, a statement should be presented to the individual clearly outlining what they are signing up to and what their data is going to be used for. Here are some examples for you to consider:
- I would like to receive future communications from COMPANY. Privacy Policy. Cookie Policy. Terms & Conditions.
- Sign me up for personalised emails from COMPANY. By signing up, I agree to COMPANY's Privacy & Cookie Policy, as well as their Terms and Conditions.
- I would like COMPANY to send me relevant material. You can withdraw your consent at any time.
- I agree to my personal data being used for marketing purposes in line with COMPANY's policies. Privacy Policy. Cookie Policy. Terms & Conditions.

You must present adequate information on how the individual's data will be explicitly used, via a number of updated statements which can be stored online.
The right to be forgotten, portability, rectification

Customers have the right to "control their own personal data." This extends to those times when the consumer has "loaned" data to a business for processing. GDPR allows any individual to contact any organisation that controls their data and request that their data be:
1) Rectified - corrected or updated if it contains errors.
2) Erased - meaning that every piece of personal data about that person must be erased from all systems, ensuring there is no link from the data that could personally identify the individual. An option could be to pseudonymise, or to delete altogether.
3) Portable - provided to them in a human-readable format and/or an easily machine-readable format for transfer to a third party for importing.

The right to erasure does not provide an absolute right to be forgotten. Individuals have a right to have their personal data erased and prevented from further processing where the controller does not have an overriding case to keep it. Examples of cases where data will not be erased include contractual, legal, research or public interests trumping the interests of the individual data subject.

The right to object to profiling

Individuals have "the right to object," which means they have the right to say no to profiling, for instance to having their buying patterns stored, analysed and used for promotional purposes. If an individual objects to their data being processed for marketing, it can no longer be used for marketing purposes. Remember that any marketing communication needs to offer the right to object. GDPR's focus on consent carries through into online marketing, detailed separately in the ePrivacy Regulation (currently in draft) which will replace the UK's existing PECR regulations. Individuals will need to provide consent for online profiling, for instance to having their buying patterns stored, analysed and used for promotional purposes.
This means that if you've lawfully collected data and want to use that data analytically to derive shopping habits, then you need to have consent to do so. The same goes for chat tools and other online tools that collect personal data, even if you use pseudonymous identifiers. Consent must be gained inside apps and websites for the purposes of third parties delivering tracking, profiling and inserting cookies. This will either take the form of pop-ups requesting consent or, more likely, browser/system default settings which instruct the app/website of the individual's consent preferences. This technology will be finalised once the ePrivacy Regulation is complete; however, you will need to update your privacy statement and cookie policy accordingly. Ensure you have the technology solution to enable simple deletion or export of customer data if requested.
Audit trail

GDPR makes it explicitly clear that consent must be provable. Organisations must keep a record of their opted-in subscribers so that they'll be able to provide the proof of consent needed to avoid penalties. This means you'll need to be able to provide a clear audit trail, showing what time, date and method was used to acquire consent, what the input form looked like and the subscribe message. One solution that supports this audit trail is the "double opt-in" method, which verifies that each individual is indeed the person who gave the initial consent. Despite some organisations advising that GDPR requires double opt-in, the UK's ICO does not deem this mandatory and will be providing updated marketing guidance later in 2017. Double opt-in is ideal, but can be problematic in some situations, such as with pre-existing customer databases. From May 2018, all existing and new marketing contacts must have been provided in a GDPR-compliant fashion.

Data Minimisation - How much data can I collect?

Companies must be able to demonstrate that any business process touching personal data uses as little data as possible, for the shortest possible period, and deletes it as quickly as possible, all while exposing it to the fewest number of people. "The personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Source: ICO. Ultimately, data controllers are responsible for justifying why each piece of personal data is collected. As you document all the personal data that you currently collect, consider anything that cannot be tied directly to an explicit business requirement, and plan to remove it. If you cannot justify why you need a piece of data then you should not collect it, process it or retain it. Intilery can limit whatever data parameters you provide to avoid keeping and storing data unnecessarily, as well as providing the means of deleting where necessary.
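The record-keeping obligations described above (consent that is provable by time, date, method, the form shown and the statement the individual agreed to; double opt-in; an always-available way to withdraw or object; portable export; and erasure by pseudonymisation) can be implemented as a small consent ledger. The following Python sketch is an added illustration, not Intilery's product and not code from this brochure; the class and field names are illustrative choices, the confirmation token is a random value whose hash is stored, and the clock is injectable so the behaviour can be checked with fixed timestamps.

```python
# Illustrative consent ledger (added example, not the brochure's or Intilery's code).
# Records the evidence an audit trail needs, implements double opt-in, honours
# withdrawal, and supports portability export and erasure by pseudonymisation.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import json
import secrets


def utc_now() -> str:
    """ISO-8601 UTC timestamp; injectable so tests can use a fixed clock."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    purpose: str                         # consent is purpose-specific: one record per purpose
    statement: str                       # exact wording shown at sign-up
    form_sha256: str                     # fingerprint of the form as it was rendered
    method: str                          # how consent was captured, e.g. "web_form"
    requested_at: str
    confirmed_at: Optional[str] = None   # set when the double opt-in token is presented
    withdrawn_at: Optional[str] = None
    token_hash: Optional[str] = None     # sha256 of the outstanding confirmation token
    erased: bool = False


class ConsentLedger:
    def __init__(self, clock=utc_now):
        self._clock = clock
        self.records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.events: List[dict] = []     # append-only audit trail

    def _log(self, event: str, **fields) -> None:
        self.events.append({"at": self._clock(), "event": event, **fields})

    def request(self, email, purpose, statement, form_html, method, pre_ticked=False) -> str:
        """Step 1 of double opt-in. Returns the token to place in the confirmation email."""
        if pre_ticked:
            raise ValueError("a pre-ticked box is not an affirmative opt-in")
        token = secrets.token_urlsafe(16)
        self.records[(email, purpose)] = ConsentRecord(
            email, purpose, statement,
            hashlib.sha256(form_html.encode()).hexdigest(), method,
            self._clock(), token_hash=hashlib.sha256(token.encode()).hexdigest())
        self._log("consent_requested", email=email, purpose=purpose, method=method)
        return token

    def confirm(self, email, purpose, token) -> bool:
        """Step 2: the owner of the address proves they made the request."""
        rec = self.records.get((email, purpose))
        if rec is None or rec.token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(rec.token_hash, presented):
            self._log("consent_confirm_failed", email=email, purpose=purpose)
            return False
        rec.confirmed_at, rec.token_hash = self._clock(), None
        self._log("consent_confirmed", email=email, purpose=purpose)
        return True

    def may_market(self, email, purpose) -> bool:
        """Only confirmed, un-withdrawn consent for this exact purpose counts."""
        rec = self.records.get((email, purpose))
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at and not rec.erased)

    def withdraw(self, email, purpose) -> None:
        """Unsubscribe / right to object: stops marketing but keeps the evidence."""
        rec = self.records.get((email, purpose))
        if rec and not rec.withdrawn_at:
            rec.withdrawn_at = self._clock()
            self._log("consent_withdrawn", email=email, purpose=purpose)

    def export(self, email) -> str:
        """Portability: machine-readable copy of everything held under this address."""
        return json.dumps([asdict(r) for r in self.records.values() if r.email == email], indent=2)

    def erase(self, email) -> int:
        """Erasure by pseudonymisation: a random pseudonym replaces the identifier in the
        records and the audit trail, so the consent history survives but no longer
        points at a person. Returns the number of records affected."""
        pseudonym = "erased-" + secrets.token_hex(6)
        keys = [k for k in self.records if k[0] == email]
        for key in keys:
            rec = self.records.pop(key)
            rec.email, rec.erased, rec.token_hash = pseudonym, True, None
            self.records[(pseudonym, rec.purpose)] = rec
        for ev in self.events:
            if ev.get("email") == email:
                ev["email"] = pseudonym
        self._log("subject_erased", email=pseudonym)
        return len(keys)
```

The form fingerprint and the exact statement text are stored with the record rather than looked up later, so the evidence reflects what the individual actually saw even after the form has been redesigned. Erasure deliberately uses a random pseudonym rather than a hash of the address, since a hash of a short, guessable value can be reversed and would still link the history back to the person.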
Chester Office: Beech House, Park West Business Park, Sealand Road, Chester CH1 4RJ. Sales & General Enquiries: +44 (0) 844 802 4581. www.intilery.com