The deadline is imminent, and by now, most organisations should have their houses in order when it comes to GDPR.
It’s likely you’ve recently received a flurry of "can we still contact you" emails from B2C companies that you’ve previously bought from, or shown some interest in. You may have even heard of some companies deleting all their contacts in a fit of panic, fearful of falling foul of the new compliance measures. When it comes to B2B marketers, many are taking a more systematic and considered approach to how they use and handle data sensibly.
Businesses across the piece rely on high quality data acquisition, namely processing and keeping safe the data of those with whom you need to interact to provide a service and likewise capturing that of those you'd like to engage with, yet doing so in a measured way. And for those adopting an inbound approach, GDPR bodes well since the new regulations resonate with the inbound belief system.
It is hoped that post-GDPR, while our lists may reduce in size, they will increase in quality.
Any personal data generated or used as a part of a nurturing campaign could be underpinned, for example, by the reassurance that the recipient has affirmatively opted in and chosen to receive your communications, with a genuine interest and intention of doing business with you. Great!
But with one more week to go, it’s not quite time to put your feet up and relax.
This time should be spent wisely, running your final checks.
Tweak and amend all processes and procedures where necessary; check and proof all documentation and download forms; raise awareness and educate your staff.
At this stage, any guidance should be welcomed. Which is why we've put together these recommendations on where to focus as we head into the final countdown.
Your lawful basis
By now, you should have a firm idea of your chosen lawful bases for processing the data you hold.
Whatever lawful basis applies, the individual should always have the right to object, or in the case of direct marketing, unsubscribe.
The lawful bases for processing are set out in Article 6 of GDPR. Any future processing of personal data by your organisation should abide by one of the following:
- Consent: the individual has given clear, affirmative consent for the processing of their personal data for a specific purpose.
- Contract: processing of data is necessary for a contract you have with the individual because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest
- Legitimate interests: the processing is necessary for your legitimate interest or the legitimate interest of a third party
Perhaps the most pertinent to inbound marketing methodology are consent and legitimate interest. "Consent" obviously meaning that the individual has given their permission to be contacted by you, affirmatively, in a way specified by you. And "legitimate interest" meaning that it is in your businesses legitimate interest to process the data in question, in a way that the individual might reasonably expect, whilst at the same time not impinging on their rights around privacy.
What does that mean specifically?
Well, in the words of the ICO: "legitimate interests is the most flexible lawful basis... [and] is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact". For instance, Recital 47 of GDPR states: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
You'll need to think about whether the processing of the individual's data is necessary to achieve the desired outcome, whilst maintaining that the processing is fair and within reasonable expectation of the individual. In other words, does the processing add value, with minimial impact on the subject's privacy? This is what the ICO refer to as the Legitimate Interest Assessment (LIA)
Your privacy policy
Your privacy policy is a publicly available statement which discloses some or all of the ways a party gathers, uses, discloses, and manages an individual's data.
Have you updated your privacy policy in line with the GDPR’s requirements?
Your privacy policy should be written in clear, plain english, (simple enough to be understood by a 12 year old!). Be sure to include any information logged by your server such as with regards to cookies, IP addresses, hostnames, etc.
Under GDPR, a privacy policy will essentially act as a map of your information processing. What journey will the individual’s data take as soon as it enters your organisation, and for what purposes?
The ICO provides this very useful guide on how to map and what to include in your privacy policy.
Ultimately, you should aim to be as clear and transparent as possible. For some, it may be appropriate to consider a layered approach, including icons and symbols, videos, or notices, to be sure that it is easily understood
If you have time, you can always test a draft of your privacy policy and amend as necessary.
Your staff
One of the key elements of any organisation’s GDPR compliance framework is your staff’s awareness. Are you employees prepared for a post-GDPR world?
Have you taken the necessary steps to education your staff on responsible handling of data? And are your staff aware of the GDPR’s commencement and what is involved. Startlingly, 20% of IT decision-makers are still unaware that GDPR even exists.
GDPR is ultimately the responsibility of every employee, so education is a priority. In the event that the company suffers a data breach, your workforce should be aware of what to do if things go wrong. For example, the ICO should be informed within no less that 72 hours if your organisation suffers a breach, and your staff need to be aware of this.
For larger organisations, the recruitment of a data protection officer may be necessary to protect their post-GDPR business. They can take on the onus of ensuring staff are continually aware and educated on responsible data management, as well as updating policies and maintaining your compliance.
Your transparency
In light of GDPR, companies should be transparent about how they collect and process data illustrating this by taking a layered approach to how they make people aware of their approach to privacy.
Customers need to be absolutely clear what they’re subscribing to, how their data will be processed, and how they can opt out.
Are you being transparent enough in your communications moving forward, and are individuals fully aware and informed of how and why you need to/want to process their data?
This layered approach might be demonstrated through the language you use on opt-in forms, or on the provision of regular reminders and opportunities to view your privacy policy. Clarity should be given around the frequency of your communications, and re-informing individuals or their opportunities to unsubscribe, as well as their rights to access.
Ultimately, GDPR starts and ends with giving control back to the data subject, and if your efforts can demonstrate that, you’re in a good place.
Preparation is key when it comes to GDPR, and as Information Commissioner, Elizabeth Denham assures us, the GDPR is “not about fines, it’s about putting the consumer and citizen first. We can’t lose sight of that.”
There’s a lot of misinformation out there, but at the same time, there'll be no tolerance for a complete disregard of the new regulations.
The chances are, if businesses are proactively seeking to adhere to the new procedures and putting the privacy of their subjects first, the ICO will prefer to offer a steer on how to completely satisfy GDPR, as opposed to quickly imposing crippling fines.
Remember, be prepared, be transparent, be honest, be consistent, and above all, be compliant.
Good luck!
