The GDPR (which stands for General Data Protection Regulation) will be enforced from 25 May 2018. It will impact the way every firm offering a product or service to an EU person operates. All organisations will be required to develop clear and transparent policies and procedures to protect personal data; adopting appropriate technical and organisational measures which support it.
What does that actually mean in layman’s terms?
Over the past 5 years, EU officials have been working to craft regulation which better protects the privacy of individuals whose ‘personal data’ is held by organisations, whether internally (employees) or externally (clients and consumers). The need for these new regulations has come about as digital advances have made it easier to collect, trade and misuse personal data on a large scale.
Personal data is defined as any information relating to an identified or identifiable natural person (Source: B2B Marketing).
In practice, the new regulations mean all firms will need to seriously look at 4 key things. These are:
- What data they hold
- Where they store data
- How data is protected and managed
- Who can access the data
The focus of this blog post is on the effect of GDPR on business-to-business marketing, specifically in the professional services sectors.
After reading it, you will understand:
- The purpose and aim of GDPR
- What you’re risking if you choose not to adopt the necessary GDPR protocols, or you adopt them too late
- How Brexit will affect this EU regulation
- How your firm’s marketing efforts will need to change to comply with GDPR
- Changes to what’s considered ‘valid consent’ to process or collect someone’s data
- Changes to the use of ‘Cookies’ both in online advertising and analytics
Appropriate legal grounds for data processing
As of May 2018, there will be 6 legal grounds which justify the processing of personal data. When collecting personal data, firms will need to clearly outline (to prospects and employees) which of the 6 grounds they are using to process the data.
Any reason outside of those outlined below will not be deemed acceptable.
The 6 grounds are explained in more detail in the full report; in summary, they are:
- The data subject has given consent (see ‘Changes to valid consent’ later in this blog)
- It’s necessary for the performance of a contract, e.g. processing a client’s contact and billing details in order to deliver the engagement they signed up for, or to recover money they owe under it
- It’s necessary for the controller to comply with a legal obligation, e.g. if a firm is approached by a government body, like the Serious Fraud Office, requesting data necessary for a legal case
- It’s necessary to protect the vital interests of the data subject or another natural person, e.g. passing on an individual’s details where it is needed to protect someone’s life, such as an at-risk person. This ground is for emergencies and will rarely apply to marketing
- It’s necessary to perform a task in the public interest, e.g. a public body, such as the police, processing an individual’s address in the course of its official functions. This ground is intended for public authorities and will rarely apply to a private professional services firm
- It’s necessary for the purposes of the legitimate interests pursued by the controller or a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data). This is the ground most B2B marketers will look to, but it requires a documented balancing test between the firm’s interest and the individual’s, and it does not override the separate e-privacy rules on electronic marketing (PECR in the UK), which still apply
GDPR in post-Brexit Britain
GDPR will come into effect in May 2018, most likely before Britain exits the European Union, which means businesses will have to comply at least in the short-term.
In the longer term, despite GDPR being a European regulation (which would theoretically not apply when the UK is no longer in the EU), the British government has announced plans to adopt the legislation UK-wide.
The risks of a GDPR breach
The new regulation is grounded in the premise that personal privacy (in this instance, data privacy) is a basic human right. Therefore, organisations whose practices are seen to breach these rights will face business-crippling consequences.
Firms who breach GDPR could be faced with a maximum fine of 4% of their annual global turnover of the preceding financial year, or 20 million euros, whichever is greater.
A lower tier of 2% of global annual turnover or 10 million euros applies to a second category of infringements, chiefly failures in a controller’s or processor’s own obligations, such as record keeping, security measures, breach notification and appointing a Data Protection Officer where one is required. It is not a discount for smaller businesses; which tier applies depends on which obligation was breached.
However, understanding that GDPR compliance will require a significant amount of change to current processes, the supervisory authority (the ICO in the UK) may choose to issue a formal warning or reprimand in instances of unintentional non-compliance or first breaches, rather than a fine. Firms that experience this will likely be subject to closer scrutiny thereafter.
Other corrective powers available to the supervisory authority include ordering a temporary or permanent ban on processing.
The effect of GDPR on professional services marketing
GDPR and lead generation
GDPR will affect the way professional services marketers—both agency and in-house—will be able to collect information on prospects. This will have the greatest impact on lead generating initiatives.
Firms leveraging initiatives such as events, online assessments or calculators, gated content, etc. now need to take a closer look at 6 key elements of their marketing:
- Opt-in processes (including Changes To Valid Consent): unambiguous opt-in processes will be a minimum requirement.
For valid consent to be given, the individual needs to actively and affirmatively specify they are happy for the organisation to process their personal information in the way the organisation has outlined. Firms will not be able to get around this by bundling terms together, for example saying ‘by checking this box you’re agreeing to receive this download plus any additional marketing communications.’
Failing to object is not consent: e.g. firms offering ‘if you don’t want to receive marketing messages from us, check this box’ will no longer count as valid consent.
To protect your firm against opt-in grey areas, we recommend adopting a double opt-in policy. Double opt-ins work by first asking the individual to give their contact details and then having them confirm that the information they provided, and the consent they gave, was correct. This is done by getting them to take a second action that is only possible if the contact details provided were, in fact, correct. For example, if an individual inputs their email address to sign up to a newsletter (first opt-in), they would then be required to click a link that is emailed to them to activate their signup (second opt-in). The second step also proves that the mailbox belongs to the person who signed up, so nobody can be added to your list by a third party typing in their address.
- Outlining data intent: B2B brands will need to be transparent about what they will be using their contacts’ personal data for.
Businesses will have to outline clearly what they will be using an individual’s personal data for. For example, whether it’s to send information about their services, invitations to events, or whether they plan to sell it to 3rd parties.
- 3rd party marketing data: if firms are collecting data on behalf of 3rd parties, each individual 3rd party company receiving the personal information must be named.
When GDPR comes into effect, all individuals will legally be entitled to access information about their data, including how it was obtained. All firms buying and supplying 3rd party data will be responsible for ensuring it was collected in a legitimate way—that the end user was aware, and confirmed they were happy for their personal data to be collected and shared with specified third parties.
- Pre-ticked consent boxes: default pre-checked consent boxes can no longer be used.
‘Opt-out’ consent (when companies claim the individual “didn’t say they didn’t want to receive communications”) will no longer cut it. Firms will need to be able to demonstrate that individuals took clear and affirmative action, when giving consent.
This also means that ‘purpose creep’ (where an individual gives their personal information, such as their email address, for one reason and the business then uses it for another, unrelated purpose) will fall outside the new regulations unless the individual consented to the second purpose as well. Note that the ‘soft opt-in’ for existing customers under the UK’s e-privacy rules (PECR), which allows marketing of similar services to someone who bought from you and was given an opt-out at the time, is a separate rule and is not what is described here.
- Withheld services: a service cannot be made conditional on consent to processing that is not needed to provide that service.
Gated content—content which is released in exchange for personal data—can still be used, however, the provision of personal data can only be compulsory if it’s necessary to fulfil an obligation, e.g. sending a download to an email address.
If a firm then wishes to use that personal data for other purposes (e.g. adding an email address to a newsletter list) this needs to be agreed to by the individual. The content cannot be withheld if the individual wishes not to allow their data to be processed for the non-immediate need.
- Record keeping:
All personal data collection processes will have to be ‘provable’, which means companies will need to keep a record of exactly how they are collecting data, what data they’re collecting and how they’re storing it.
Direct marketing with purchased data lists
Professional services firms will still be able to leverage direct email marketing using purchased data from 3rd parties, however there will be one key change: the buyer becomes responsible for the provenance of the list.
Buying lists of data from 3rd parties such as Experian and Book Your Data will likely still be legal. However, the buyer will need to be able to show that the individuals on the list consented to their details being passed to named third parties, and will need to tell those individuals where their data came from (at the latest within a month of obtaining it, or in the first communication sent to them). Because collecting data to this standard will cost data providers more time and money, it may become more expensive per contact and less will be available.
*At this time, it’s unclear how purchased data will be affected. Propero has reached out to these data providers and will update this blog accordingly.
In professional services, we know that a lot of the time, personal data isn’t collected online, for example at networking events. To safeguard your business against possible GDPR infringements, your firm should agree on a standardised script which covers everyone, should there be any questions about how your data was collected.
It doesn’t have to be extensive–a sentence, if worded appropriately, will suffice.
If you’re wondering whether a script is really necessary, remember, your firm needs to be able to prove that it legally obtained a person’s data with their consent. A short script that everyone in the business can familiarise themselves with will cover you, should the worst happen.
At every instance where personal information is being collected, the consent document should be available to view. This document should have, laid out in simple terms, exactly what the individual’s data will be used for.
Some of the information that must be included in the document is:
- Identity and contact details of the firm (as data controller) and, where one has been appointed, of its Data Protection Officer
- The lawful basis for the processing
- Retention period (how long the data will be stored for)
- The right to lodge a complaint with a supervisory authority
- The right to withdraw consent at any time
Having a water-tight and transparent consent document available for the individual to view will mean that if you ever run into a discrepancy, you will have provable evidence to support your right to processing their data.
What data records do I need to keep?
Under GDPR, firms will only be allowed to keep personal data for as long as it is needed for the purpose it was collected for. Meaning, once a firm no longer requires the individual’s data, it should be securely destroyed, and the retention period you state in your consent document should be the one you actually apply.
To understand more about what constitutes “retaining data for no longer than necessary”, consult the ICO.
GDPR and Cookies
- Clear and affirmative action: similar to what was mentioned when handling lead generating initiatives, implied consent is no longer good enough when it comes to Cookies. Individuals must be presented with an option of whether or not they’re happy for tracking Cookies to collect their data. This means no more pre-checked tick boxes or banners only showing ‘I accept.’ Individuals will need to be given the option to browse your website with or without a Cookie being dropped on their browser. The exception is Cookies that are strictly necessary for the service the visitor asked for, such as a session or security Cookie, which do not need consent.
- Opt-out options: individuals should have the opportunity to opt in or out of each category of Cookie, both when they land on a site and for the length of their time spent on the site. Whilst browsing a site, ‘Cookie opt-out’ options should always be visible. GDPR makes it clear that it must be as easy to withdraw consent as it was to give it. Your firm will need to specify all the ways the Cookies will be used and allow individuals to opt in or out of each one, and withdrawing should also remove the Cookies already set, not just stop new ones.
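Enforcing the two cookie points above is simplest on the server, where the site decides which Set-Cookie headers actually go out. The following is an added example written for this post (not Propero’s code, and not any particular consent-banner product) of a Node.js consent policy: every cookie the site uses is assigned a category, strictly necessary cookies are always allowed, optional categories default to refused until the visitor opts in, each category is a separate choice, and withdrawal both resets the choices and expires the optional cookies already present. The cookie names, the category list and the consent cookie format are assumptions for illustration.

```javascript
// Added example, not from the original post: per-category cookie consent
// enforced server-side. The consent cookie records the visitor's choices; a
// missing or malformed consent cookie means "no consent" for every optional category.
const STRICTLY_NECESSARY = "necessary"; // no consent needed (session, CSRF)
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// Assumed inventory of the cookies this site sets and the category of each.
const COOKIE_CATEGORY = {
  sessionid: STRICTLY_NECESSARY,
  csrftoken: STRICTLY_NECESSARY,
  _ga: "analytics",
  _gid: "analytics",
  ad_click_id: "marketing",
};

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of String(header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Read the visitor's stored choices. Anything unreadable is treated as no consent,
// and any category not explicitly set to true is refused (default deny).
function readConsent(header) {
  const raw = parseCookieHeader(header)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(raw));
    if (parsed.v !== 1 || typeof parsed.choices !== "object" || parsed.choices === null) return null;
    const choices = {};
    for (const c of OPTIONAL_CATEGORIES) choices[c] = parsed.choices[c] === true;
    return { choices, at: parsed.at };
  } catch (e) {
    return null;
  }
}

// May this cookie be set for this visitor right now?
function isAllowed(consent, cookieName) {
  const cat = COOKIE_CATEGORY[cookieName];
  if (cat === undefined) return false; // not in the inventory: refuse rather than guess
  if (cat === STRICTLY_NECESSARY) return true;
  return consent !== null && consent.choices[cat] === true;
}

// Build the Set-Cookie header that records the visitor's choices, one per category.
function consentSetCookie(choices, now = Date.now()) {
  const clean = {};
  for (const c of OPTIONAL_CATEGORIES) clean[c] = choices[c] === true;
  const value = encodeURIComponent(
    JSON.stringify({ v: 1, choices: clean, at: new Date(now).toISOString() })
  );
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Filter the Set-Cookie headers a response wants to send down to those consent permits.
function filterSetCookies(consent, setCookieHeaders) {
  return setCookieHeaders.filter((h) => isAllowed(consent, h.split("=")[0].trim()));
}

// Withdraw everything: reset choices to all-refused and expire every optional
// cookie the browser currently holds, so opting out is one action.
function withdrawAll(header, now = Date.now()) {
  const out = [consentSetCookie({}, now)];
  for (const name of Object.keys(parseCookieHeader(header))) {
    const cat = COOKIE_CATEGORY[name];
    if (cat !== undefined && cat !== STRICTLY_NECESSARY) out.push(`${name}=; Path=/; Max-Age=0`);
  }
  return out;
}

module.exports = { readConsent, isAllowed, consentSetCookie, filterSetCookies, withdrawAll };
```

In a web framework this sits in a response hook: read the consent once per request with readConsent, pass every outgoing Set-Cookie through filterSetCookies, and wire the ‘withdraw’ link to withdrawAll. Gating third-party scripts (analytics, ad pixels) needs the same check on the page that loads them, since a script can set cookies without going through your server.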
Data Protection Officers: Does my firm need one?
A dedicated Data Protection Officer (DPO) is only mandatory for certain organisations. The test is not the size of the firm but the nature of its processing; the firms that must appoint one are:
- Public authorities
- Firms whose core activities consist of large-scale, regular and systematic monitoring of individuals
- Firms whose core activities consist of large-scale processing of ‘special’ categories of data (such as health, religion or ethnicity) or of data relating to criminal convictions and offences
A typical professional services firm will fall outside these categories, but it may still appoint a DPO voluntarily, and whoever is responsible for data protection will be the person the ICO expects to hear from.
Your next steps…
Although May 2018 marks the official start date for GDPR, Propero has already started putting the wheels in motion for its clients. It may seem far off, however, firms will need to spend a significant amount of time putting appropriate policies and processes in place.
Not only will firms embracing GDPR now benefit from being ahead of the curve, but they will also have a competitive advantage when the new regulations come into effect. Firms that demonstrate an understanding of and respect for personal data usage and processing, will be preferential choices when it comes to service selection—especially as the risks of businesses embroiling themselves with inappropriate data processing are crippling.
Disclaimer: This blog aims to give you a general overview of the most important elements of GDPR in regard to marketing to individuals in the EU. It is not legal advice. If you would like legal information or advice on how GDPR applies to your specific circumstances then you should consult a legal professional.
Official information on GDPR can be found here. The ICO have announced they will be releasing further information on GDPR at a later date and therefore the above details are subject to change.