The GDPR and marketing: FAQs & useful resources

Over the past few months, we’ve done a lot of research into the GDPR to ensure that we get it right for ourselves and our clients.

Rather than keeping all of this useful information to ourselves, we’ve condensed it into this blog post, to provide you with the key highlights of the GDPR and signpost you to further information and resources.

It’s important to note that the GDPR doesn’t just apply to marketing, however this is what we’ll be focusing on in this post.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the most significant change to data privacy regulations in 20 years and will replace the current Data Protection Act (DPA). It will come into force on 25th May 2018, so if you haven’t begun preparing for it, now is the time to act.

The GDPR has several purposes:

  • To harmonise data privacy laws.
  • To protect and empower individuals’ data privacy.
  • To reshape the way organisations approach data privacy.

Will the GDPR affect my business?

If your business works with any kind of personal data (see the next section for more details), then yes.

The GDPR applies to both data ‘controllers’ and data ‘processors,’ both of which have different responsibilities. As a business, you could be both a data controller and a data processor.

LEARN MORE ABOUT THE RESPONSIBILITIES OF A CONTROLLER AND A PROCESSOR »

What types of data does the GDPR apply to?

The GDPR applies to ‘personal data’, which is any information that relates to an identifiable person who can be directly or indirectly identified by their data.

This definition covers a wide range of personal identifiers, including name, identification number, location data or online identifier. This reflects the changes in technology and the way organisations collect information about people.

READ FULL DETAILS OF THE TYPES OF DATA THAT THE GDPR APPLIES TO »

What happens if I don’t comply?

Non-compliance with the GDPR can result in hefty fines of up to 4% of annual global turnover or a maximum of €20 million.

The ICO’s (Information Commissioner’s Office) guide Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now states that:

‘Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.’

How do I comply with the GDPR?

The ICO provides detailed information on the GDPR and how to comply. Below are some of the key points – click on them to read further information on the ICO’s website:

Once you’re clear on what the GDPR is all about and what your responsibilities are, the ICO has also produced self-assessment checklists to help your business prepare for the GDPR.

GO TO THE GETTING READY FOR GDPR CHECKLISTS »

How does GDPR affect marketing?

Direct marketing, such as emails, direct mail and text messages, must comply with the ICO’s guidelines. Alongside the GDPR, other rules may also apply, for example the PECR (Privacy and Electronic Communications Regulations 2003).

What are the Privacy and Electronic Communications Regulations (PECR)?

PECR restricts the circumstances in which you can market to people and other organisations by phone, text, email or other electronic means. When sending electronic marketing messages you have to comply with both data protection law and PECR.

LEARN MORE ABOUT THE PECR »

Electronic marketing (e.g. email, phone, text)

PECR restricts unsolicited marketing by phone, fax, email, text or other electronic message, and there are different rules for different types of communication.

Most of the rules in PECR apply only to unsolicited marketing messages (messages that have not been specifically requested), so you will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

Follow the links below for specific information on the PECR relating to different types of marketing:

Using marketing contact lists & purchased data

You should check the origin and accuracy of bought-in lists. Screen call lists against the TPS, and only use bought-in lists for email, text or recorded calls where very specific consent has been given.

For in-house marketing lists, use opt-in boxes wherever possible. Ask for separate consent to marketing by email, by text, by fax, by phone and by recorded call. Also ask for specific consent if you want to pass details to other companies, and make sure you name or describe those companies.

Keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects or opts out.

READ MORE ABOUT MARKETING LISTS AND HOW TO ENSURE YOUR LISTS ARE COMPLIANT »

B2B marketing

The PECR rules are generally stricter for marketing to individuals than for marketing to companies. For more information, see the ‘Business-to-business’ sections within the ICO’s Direct Marketing guide »

GDPR and your website

We have prepared a quick guide to the steps you must take to prepare your website for the GDPR.

READ THE GUIDE TO GDPR & YOUR WEBSITE »
2018-05-08T21:13:31+00:00