The ticking of the GDPR clock is getting louder, and eye-watering fines for non-compliance have captured the attention of business leaders operating in the EU. But with data playing a critical role in the revenue-generating activity, it’s important to ensure both data protection and data use requirements are met. With a considered approach, it’s possible to create a compliant environment that doesn’t put a stranglehold on marketing.
What is GDPR?
The General Data Protection Regulation is the most significant development in data protection for EU citizens for decades. It sets out rules for the handling and processing of personal data – or personally identifiable information (PII) – whether it is stored in the EU or overseas. Any organization marketing to individuals in Europe will need to comply, both in B2B and B2C scenarios. Data related to company decision makers is considered PII, so it falls squarely under the GDPR remit. And, despite Brexit, marketing in the UK is also covered.
A major implication is the requirement for individuals to actively ‘opt-in’ to receive business communications and for their data to be processed. This poses a challenge for marketers, and in many cases has led to conflict between in-house legal and marketing teams. Legal professionals insist on full, unambiguous opt-in, while marketers fear that this will compromise growth-driving initiatives. However, there are ways to overcome this deadlock as distinct sets of data can be treated differently.
One size does not fit all
When it comes to the active processing of personal data of EU subjects, there will be six legal grounds post-GDPR. Of these, two apply to marketers: unambiguous consent and legitimate interest.
Unambiguous consent – or full opt-in – is the gold standard. For maximum effect, both digital engagement and live calling need to be deployed to proactively request opt-ins. For a pan-European opt-in campaign, this necessitates a multilingual approach. And for prospective customers, identifying prime targets with a high propensity to use your company is an important first step, focusing activity to deliver more tangible benefits. This approach requires significant investment to comprehensively cover existing customers and prospects.
However, the regulation stipulates that companies can process and profile personal data under legitimate interests in place of unambiguous consent in some circumstances. A robust 3-stage assessment must be carried out and documented to ensure transparency and accountability. UK-based joint industry group the Data Protection Network has published detailed guidance on this topic. For instance, here at Aberdeen, for data that doesn’t have full opt-in, we conduct a balancing test to ascertain that:
- We have legitimate business interests in processing the personal data
- Processing is necessary in pursuit of these interests
- The rights of the individuals who are the subjects of the personal data we process have been taken into account and do not override our interests.
Any organization wanting to process personal data in the absence of unambiguous opt-in needs to follow the same steps. If you obtain data from a third-party provider, it is important to understand whether the subjects have given unambiguous consent or if legitimate interests have been properly observed. Should the data have been processed under the legitimate interests provision, any future processing will require a further balancing test.
Striving for a frictionless outcome
The May deadline for GDPR is fast approaching, but it’s vital that businesses don’t lose sight of why they need data in the first place. In-house legal teams may be predisposed to insist on unambiguous consent. But understanding the more complex legitimate interest provision, and applying it when appropriate, will be a major facilitator for insight-led business processes.
Introducing policies for the way different classes of data are handled is a good starting point. Business leaders, legal teams and marketers need to collaborate to ensure GDPR rules are satisfied without posing an undue threat to business growth. After all, investing in ways to safeguard data is self-defeating if the teams requiring that data are no longer able to function.