Leigh Hopwood, Marketing Consultant at Redd Marketing and Chair of the Chartered Institute of Marketing, looks at what new data protection legislation will mean for marketing material

GDPR is no longer a surprise to anyone, but there is plenty of evidence that there is confusion in how to implement it within an organisation.

Marketing is a key area that has been targeted to improve the use of personal data to protect the individual. So, regardless of whether you have a dedicated marketing function or this activity is delivered by someone else, are you sure that your marketing communications are GDPR compliant?

The best practice approach to GDPR compliance in marketing is to embrace the legislation and to consider how to incorporate permission-based marketing into everything you do. Marketing done well will deliver higher consent or opt-in rates. However, if you’re delivering irrelevant, poor quality marketing then you can expect a high number of unsubscribes.

The challenge in delivering best practice is that it can take a corporate mind shift in your approach to marketing. For example, if you have a database of 25,000 contacts and you ask them all to consent to receiving marketing communications, then what happens if you only get 1,500 consents? Have you lost a huge proportion of your database and, in essence, your ability to build a sales pipeline?

If this does make you nervous, then how good are your marketing communications? That’s a big question and one we’ll look at later. For now, and with the compliance deadline of 25 May just around the corner, let’s look at where you should be as a minimum by then:

First, what is the basis for processing data?

The best practice answer is ‘consent’, i.e. the individual has given clear consent for you to process their personal data for a specific purpose.

An alternative (one of five alternatives) is that you may be processing data for your ‘legitimate interests’ and your reason for processing that data doesn’t override the legitimate interests of the individual.

The ICO has stated that direct marketing is a legitimate interest.

Update your Privacy Policy

Many Privacy Policies are complex and full of legalese.

One of the principles of GDPR is that it should be easy for someone to understand their rights, how you use their data and that it is easy and possible to object.

Therefore, your Privacy Policy should be written in plain English, easily accessible, concise and transparent.

Inform your database

If you are seeking consent, then you should have emailed your entire database asking them to consent to receiving information from your organisation.

However, if you are processing data under legitimate interests, then you do not need to seek consent, but you will need to inform your database that you have updated your Privacy Policy and that they have the right to unsubscribe or be removed from your database.

You could do this via a specific email or within an existing newsletter.

Update your email footer

Whether using an email system such as Mailchimp, Oracle or Outlook, your email footer should have an option to unsubscribe or object to receiving emails.

This has been in force for several years under the Privacy and Electronic Communications Regulations (PECR).

Review your website contact forms

If your website uses forms to request visitor information, you should include a line of text that includes a link to your Privacy Policy.

Visitors providing their personal data have the right to know how that data will be used, and you have an obligation to make this clear.

Buying in or adding contacts to your database

New contacts are often found through networking, searching LinkedIn, buying in databases and countless other means.

If processing data under consent, you would need to prove the contacts have consented to receiving marketing communications from your organisation.

Under legitimate interests you would need to communicate with the new contacts within 30 days of receiving their data to inform them that you have their data and where it came from, and to offer them the opportunity to object to receiving marketing communications from you.

Planning for permission-based marketing

This is the epitome of marketing communications. It necessitates a strategic approach, not just tactical steps to meet a legal requirement.

It starts with a clear business plan, a well-defined value proposition, distinct segmentation of your audience and the creation of highly relevant messages.

Using this backdrop to define your channels and marketing mix will ensure that every contact and touchpoint with your target market is relevant and they will want to hear more from you, thereby increasing your database of quality, engaged people.

Deploying permission-based marketing is then hugely successful, reducing wasted time and money.

There is much more to this new legislation than outlined here.

The ICO has advised that there will be no grace period, so please check that you are compliant.

CIM, the Chartered Institute of Marketing, has developed an online course: GDPR for the Marketer. Developed by professional marketers alongside solicitors, it is worth doing the course if you are responsible for marketing in your organisation and would like further advice to achieve compliance.


Further reading:

· CIM Guide to GDPR

· Direct Marketing checklist

· Privacy notice checklist

DISCLAIMER
This article is for advisory purposes only. It is not legal advice on the GDPR and the author cannot be held responsible for GDPR compliance of your organisation; it is the responsibility of each business to ensure their own compliance with GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk
