GDPR - your business may be affected
Published on 23 Apr 2018
The General Data Protection Regulation (GDPR), effective from 25 May 2018, is the new gold standard in data privacy legislation and replaces the Data Protection Directive 95/46/EC.
It requires businesses to be transparent and careful when processing personal information in the course of providing services in the EU, regardless of where the data is processed.
The regulation is far reaching, in that it doesn’t only apply to companies registered in an EU member state. Any business that provides a service in the EU has to comply, regardless of whether the service provider has a presence in the EU or the recipient of the service is an EU citizen or resident.
In a simplified view, most businesses send two types of communication: operational communications that are part of the service, and marketing communications that cross-sell new services, build brand loyalty and prompt repeat business.
Let’s deal with operational communication first
If the reason for processing an individual’s personal information is a contractual or legal obligation, then that obligation is the lawful basis. The regulation recognizes various such instances, such as communication needed to fulfil a contract, communication required by law, or communication in the interests of the individual’s safety.
For example, if you notify customers that they will receive essential operational documents, like statements, invoices and policy updates, as part of the service offering, then the lawful basis for processing their information is contractual.
Which brings us to marketing communication
If no other legitimate reason exists, then the business must obtain consent to communicate directly with the individual. This includes, for example, people who have subscribed to receive marketing information from you.
Unless you can be sure that your marketing emails will not result in a service being delivered inside the EU, the best approach is to prepare for GDPR as if it does apply.
But … what is the risk if a business doesn’t comply?
A business that is found to be flouting the law risks a negative impact on revenues and damage to its reputation. The risk of reputational damage exists on multiple levels:
- Contravening the regulations in the course of doing business – such as misuse of data
- Not following the required processes in the event of a data breach – such as failing to report the breach to the regulator and the affected data subjects
- Being found to have insufficient processes to secure personal data
It is highly likely that these missteps or non-compliance will be extensively covered in the media and discussed in boardrooms as industries seek to understand the practical application of the regulation. It is also likely that regulators will seek to make an example of infractions that occur in the early days of enforcement to get the right level of attention from business.
Negative sentiment in the marketplace will impact new sales, current customer retention and the ability to attract top talent.
If a data protection authority finds that the business was negligent or wilfully non-compliant, it can suspend the processing of data, shutting down associated revenue streams completely.
In addition to the above sanctions, the regulation provides for monetary fines. This applies to both controllers and processors. A tiered approach to penalties is applied based on the seriousness of the infringement. For serious infringements, a business can be fined up to a maximum of 4% of annual global turnover or €20 million (whichever is greater).
It is worth noting that the UK’s Information Commissioner’s Office (ICO) has publicly stated that it does not intend to apply the new law punitively and that maximum fines will not be commonplace, but rather a last resort.
Preparing your marketing process for GDPR
1. Explicit consent
Do you have explicit consent from all individuals on record? You must be able to show that their agreement was explicit (opt in, not opt out), when and how they agreed to receive marketing communication from you, and what they specifically agreed to receive. The wording of your consent request must clearly state what they are signing up for and include an explanation of how to unsubscribe.
2. Opt in vs opt out
It is in your best interest to get the user to re-subscribe rather than to unsubscribe. Remember, if you are planning a consent campaign, sending a message that asks the recipient to ‘switch something off’ is not allowed. A subscriber has to actively ‘switch on’ by saying “Yes”, “Confirm” or “Subscribe” for the consent to comply with GDPR.
3. Be careful
Have a good, in-depth look at the database you have on hand. If you have no record of how a person got onto your marketing list, it is illegal to email them asking for consent, even before the GDPR comes into effect. There are a number of cases of organizations being fined for doing this.
Document resource: GDPR Commercial Insight