Few professionals will be more affected by GDPR than marketers. They handle the personal data of thousands of potential customers for a living, and GDPR is going to require new measures for even the most capable marketers to achieve compliance.
But Simon Fryer, CEO of marketing strategists, Kiss, says focusing on compliance “sees GDPR as something that has to be survived… Such an attitude overlooks the potential for GDPR to improve how agencies communicate. It’s an opportunity to ensure you’re communicating with an engaged audience, and that your message is going to resonate with them.”
Handled correctly, GDPR should mean new vistas of opportunity for marketers to engage with audiences in a more aligned fashion. But how can we jump the compliance hurdle first?
To assist, we enlisted John Haggis, a Consultant Solicitor at Keystone Law. John specialises in commercial, intellectual property, and technology law, particularly in the advertising and creative industries. Keystone Law appears in the Legal 500, won the Legal Innovation Awards in 2015 and has just been quoted on the AIM market.
The advice he offers applies both to marketers in organisations and marketers working in the agencies that service those organisations as clients.
1. GDPR means evolution, not revolution.
"Don’t panic. The Information Commissioner’s Office (ICO) has described GDPR as an evolution of existing laws rather than revolution.
I think a lot of businesses are worried about the impact it could have on them, but if you’ve been complying with the current Data Protection Act and working on good practice in terms of marketing consents from your customer list, IT Security etc, then moving up to GDPR shouldn’t be an earthquake moment.
But it will take time and effort. It’s an opportunity also for marketing agencies to ensure that personal data is used in the most efficient manner as opposed to a scattergun approach of targeting people.
Compliance with the new GDPR principles governing the processing of personal data should mean a better experience and quality to data marketing, for brands and data subjects."
2. GDPR is not a one-off event – and two questions will keep you straight.
"The most important thing to understand is that GDPR compliance is an ongoing process, and not a one off event. Every time marketers touch personal data, whether it’s their own database, their employee database or a customer database, they should stop and ask two fundamental questions:
- What is the lawful basis by which we can process this personal data?
- And are we satisfied that we can demonstrate we are fulfilling the principles governing the processing of personal data, in compliance with GDPR (and the ePrivacy regulations), in order to process it?
This will form the starting position for best practice in marketing campaigns."
3. Data management is not just a marketer’s job.
"Businesses must put in place a framework to ensure ongoing compliance, and marketers can’t do that alone. Data protection should be up there with the finance and legal functions at board level, especially if you’re a large brand where your bread-and-butter is marketing with personal data.
There is typically no one-off answer during the course of business that can be applied for each campaign to issues like:
- Understanding where and how the company gets the lawful basis to process the personal data of their data subjects
- How customer data is processed and used
- Sending customer data to the cloud, which almost certainly also means sending data to other jurisdictions, often non-EEA.
Every campaign can, and likely will, be different. So data management must be at the centre of the business, and marketers therefore need the support of the board to ensure their business follows best practice under GDPR. GDPR should be an opportunity for really effective uses of personal data that the data subject is happy to receive.
Getting ready for GDPR should be handled by a team which includes stakeholders from across the company. There should also be a designated data protection officer if the company is involved in the automated processing of personal data; but even if the role is not mandated by law, good practice dictates that someone in the business at board level should take responsibility for the business decisions affecting personal data, whether it is the business’ own personal data or a customer’s; someone who knows what the left and right hands of the business are doing."
4. An embryonic checklist for effective GDPR compliance
“Every business is different because every business has different requirements for the acquisition and processing of personal data. A very straightforward methodology to begin your compliance journey is: audit what your business currently processes, find the gaps under GDPR compliance, introduce fixes in time for 25 May 2018, and then educate and train your workforce:
Find the gaps
All businesses should conduct an audit - a gap analysis in conjunction with Article 5 of GDPR. Ask questions like:
- What personal data do we process?
- Where are we getting it from and under what contract/sign up form?
- On what legal basis can we process it under GDPR?
- Where do we store data?
- How long do we store data?
- What are our IT security measures?
- Do we send personal data outside the EEA?
- What agreements do we have with our customers and our suppliers of data storage services?
- What plans do we have to respond to requests from data subjects?
- What plans do we have to respond to an IT security breach?
Fix the gaps
This can include:
- Designing new contracts with suppliers and customers
- Getting new consents from data subjects
- Mapping internal processes"
5. Can we still send out marketing emails?
“Yes. But there needs to be someone on every marketing or campaign team who understands on what basis everyone on the list has opted in to receive the particular type of email that is going to be sent or what the legitimate interest is. It’s important to note that GDPR will be working in conjunction with the ePrivacy rules of direct marketing.
Whilst GDPR says that the lawful basis for processing personal data for direct marketing can be a “legitimate interest” (meaning you don’t need consent for GDPR compliance), you still need to ensure consent or soft opt-in under ePrivacy depending on the nature of the email. Databases will need to ensure marketers are aware of:
- When the consent was obtained
- What the consent was for
- Who it came from
- Or, in the alternative, what ‘soft opt-in’ scenario can apply.
…and also that the database recording how the data can be used is continuously kept up to date.
If you have a database of 100,000 emails and you can’t track back when or where you got their details or what they gave consent to or signed up to, then you’ve got a problem under GDPR and ePrivacy that needs fixing.
Moving forward, technology solutions will be central to making sure that we are targeting the right people, with the right content and with the right lawful basis."
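As an added illustration of the record-keeping John describes (this is example code, not something from the article or from Keystone Law), the script below models a consent ledger that captures when consent was obtained, what it was for and where it came from, or alternatively which soft opt-in scenario applies, and then partitions a mailing list into addresses that have a recorded lawful basis for a particular email type and those that do not. The field names, the sample addresses and the rules for what counts as a valid soft opt-in are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example, not from the article. All records below are constructed
# sample data; the field names are assumptions about what a consent ledger
# should capture: when consent was obtained, what it was for, where it came
# from, or, in the alternative, which soft opt-in scenario applies.


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    obtained_at: datetime      # when the consent was obtained
    purpose: str               # what the consent was for (the email type)
    source: str                # who/where it came from (form, event, partner)
    withdrawn_at: Optional[datetime] = None


@dataclass(frozen=True)
class SoftOptIn:
    email: str                 # existing customer who gave details during a sale
    product_line: str          # soft opt-in covers similar products/services only
    opt_out_offered: bool      # a simple means of refusing was offered at collection
    objected: bool = False     # customer has since asked not to be emailed


def lawful_basis(email: str, purpose: str, product_line: str,
                 consents: Dict[str, List[ConsentRecord]],
                 soft_opt_ins: Dict[str, SoftOptIn],
                 now: datetime) -> Optional[str]:
    """Return the recorded basis for sending this email type, or None if there is none."""
    for rec in consents.get(email, []):
        # Consent must be for this purpose, already obtained, and not withdrawn.
        if rec.purpose == purpose and rec.obtained_at <= now and rec.withdrawn_at is None:
            return f"consent:{rec.source}@{rec.obtained_at.date()}"
    soft = soft_opt_ins.get(email)
    if (soft and soft.product_line == product_line
            and soft.opt_out_offered and not soft.objected):
        return f"soft-opt-in:{soft.product_line}"
    return None


def partition_list(recipients: List[str], purpose: str, product_line: str,
                   consents: Dict[str, List[ConsentRecord]],
                   soft_opt_ins: Dict[str, SoftOptIn],
                   now: datetime) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split a mailing list into (sendable, blocked); each sendable entry carries its basis."""
    sendable, blocked = [], []
    for email in recipients:
        basis = lawful_basis(email, purpose, product_line, consents, soft_opt_ins, now)
        if basis:
            sendable.append((email, basis))
        else:
            blocked.append((email, "no recorded consent or soft opt-in for this purpose"))
    return sendable, blocked


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the check over a constructed ledger for a 'newsletter' campaign about shoes."""
    t = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    now = t("2018-05-25T09:00:00")
    consents = {
        "alice@example.com": [ConsentRecord("alice@example.com", t("2018-03-01T10:00:00"),
                                            "newsletter", "web-signup-form")],
        # Bob consented to a different email type only.
        "bob@example.com": [ConsentRecord("bob@example.com", t("2018-03-02T10:00:00"),
                                          "product-updates", "web-signup-form")],
        # Carol consented but later withdrew.
        "carol@example.com": [ConsentRecord("carol@example.com", t("2018-01-15T10:00:00"),
                                            "newsletter", "trade-show", t("2018-04-01T10:00:00"))],
    }
    soft_opt_ins = {
        "dave@example.com": SoftOptIn("dave@example.com", "shoes", True),
        "erin@example.com": SoftOptIn("erin@example.com", "shoes", True, objected=True),
    }
    recipients = ["alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "erin@example.com", "frank@example.com"]
    return partition_list(recipients, "newsletter", "shoes", consents, soft_opt_ins, now)


if __name__ == "__main__":
    ok, blocked = demo()
    for email, basis in ok:
        print("send   ", email, basis)
    for email, reason in blocked:
        print("blocked", email, reason)
```

The blocked list is the useful output: each entry is an address for which the campaign team cannot say when, for what and from where permission was obtained, which is exactly the situation the section above says needs fixing before a send goes out.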
6. Agencies face a new customer challenge
“Marketing agencies need to be sure, before sending out an email to a million addresses obtained from a client, that appropriate permissions have been obtained and there is sufficient lawful basis for the processing.
Under GDPR, a data processor is liable to a data subject if they breach their obligations to the data controller or their data processor obligations generally under GDPR. If the agency is responsible for deciding how the personal data is used, then they could become a data controller under GDPR.
If I were advising an agency and they were worried in any way about their processing of a customer’s database, I would suggest that agencies could help with the creation of the content, but that they should take a step back from processing the personal data and leave the client to be responsible.
But GDPR should be seen as an opportunity to step up to a higher level of data processing services by agencies.
Equally, if a company appoints a marketing agency or consultant to send out emails, they will still be responsible for the data processing as a data controller. Don’t think that risk can be easily offset to agencies by getting them to do the heavy lifting."
7. Data Controllers and Data Processors are both liable for data breaches
“This is very much an expansion of existing data legislation. Data Processors will join Data Controllers in being liable for data breaches under the GDPR which relate to ensuring appropriate technical and organisational measures are put in place to secure personal data.
If a marketing agency fails to process the data pursuant to the data controller’s instructions, then both the agency and data controller will be liable for breach of the GDPR. A key change is that a data subject or regulator such as the ICO can take action against the processor directly.”
8. The Information Commissioner’s role
“The ICO is the independent body in the UK responsible for upholding information rights. The ICO doesn’t have to wait for a complaint from a ‘data subject’ or member of the public. Take recent examples like Uber or TalkTalk: a high-profile case will see proactive involvement from the ICO.
There has been a lot of talk around the new level of fines that can be awarded against a party that is in breach of GDPR. Whilst fines under GDPR are clearly punitive, the ICO has looked to calm the talk that everyone will face a huge fine if they breach GDPR, and has instead made clear that it will look at what steps companies took to try to be compliant, and whether companies take steps to rectify data breaches, before bringing out the proverbial baseball bat and issuing fines.
There is also a world of difference between breaches because a business tried to be compliant but failed and is seeking to fix the problem, vs. a business that is grossly negligent, perhaps even criminal.
Even so, the loss of brand trust with customers is a risk that will always apply when a GDPR breach occurs, so even if there is no fine from the ICO, the loss of brand reputation will be of equal, even perhaps greater, damage."