Data Protection in a Marketing World

Following the introduction of the GDPR in May of last year many of us were inundated with emails asking us to review new privacy statements from retailers or to reconfirm whether we wanted to update our existing contact preferences for marketing. While some of these were indeed required and good practice others were unnecessary so today let’s take a quick look at the basics of data protection in the marketing world.

Get the basics right: for marketing (or any data processing purpose) the amount of personal data you have should not be excessive. Therefore, process what you need only. If you have been recording every piece of information on a customer from their health to their shopping preference and you have no need to be, it will probably be deemed excessive as you won’t be able to prove a lawful purpose for keeping it. Review why you need the data, how you intend to use it and for how long you could reasonably expect to use it.

Have a legal basis for processing: this is a given but in the marketing context this will most likely be only under the legal bases of either Consent or Legitimate Interest. Consent, as a legal basis for processing, can be very clear cut for marketing purposes; for example potential customer comes onto your site and you ask them to opt into future contact and you follow on from there contacting until they opt out using the method they selected.

Bear in mind if you use consent, it must be freely given (if you are coercing someone to consent or they don’t know what they are consenting to then this will not be deemed “freely given” consent). With Consent, you should always provide an opt-out option in all marketing communications (consent must be as easy to remove as it is to receive) and that you should record on your database what their preference is and market accordingly. And remember once they ask for no further contact by any method then you can’t contact them again except in all but extraordinary circumstances – i.e. data breach has occurred their data has been compromised, they are at risk and you must tell them under legal obligation.

If you are processing marketing data under a ‘legitimate interest’ basis to existing customers on your database, bear in mind the following – is this the original, understood and agreed basis from the data subject’s (customer, donor) point of view. You can’t change processing basis mid-stream just because you feel like it. A good exercise can be the ‘legitimate interest balancing test’ if you are planning on a new way of marketing and would like to see how this will impact the rights and freedoms of the data subjects, to test if its reasonable, legal, in line with their expectations and low risk to their privacy. If the balancing text shows that your proposed action has legal basis, is reasonable/expected and wont impact their rights and freedoms then you may choose to go ahead. Like with Consent, Legitimate Interest also means the data subject should be able to remove their permission for their data to be processed in in line with the GDPR rights.

Also note that if processing data solely for marketing data subjects have more rights to object, have their data erased and to restrict processing.

Be secure: You must always keep data safe, have procedures for handling data, limit access to those who need access only and use encryption to reduce risk. With all suppliers in the marketing chain be they printers, designers, web agency or other, have Data Processor Agreements in place to regulate and limit the data’s use so that personal data is not used in unauthorised ways or breached by them. Informing the data subject: with both the legal bases of Consent and Legitimate Interest you need to tell the data subject the ‘what, where, why and how’ on the processing of their personal data at the start. This, in my opinion, is at the core of good data protection compliance in a marketing context.

As mentioned in earlier articles nobody likes a bad surprise. If you are holding data for excessive periods, the data subject is unaware that your company is processing it and it is breached it will damage your company’s reputation and leave you vulnerable to fines by a national supervisory authority and/or legal action from the individuals affected. When collecting data, inform the data subject how you intend to use their information and what they can expect. Let them know where your privacy statement is. In the privacy statement be clear on why you are processing, retention, data transfers, processors, their rights and your organisation’s approach to GDPR compliance. Let the know who you are and how they can contact you.

On your website have web and cookies statement and give visitors a clear informed choice on whether to opt in for cookies. If you are changing your privacy statement or policies let your customers know. Marketing must deliver in any organisation but not at any cost. Make sure your web visitors, customers, donors (or whoever your data subjects are) know that you are accountable transparent and secure when processing their personal data and it may lead not only to the avoidance of hefty penalties but also foster greater trust and longevity in their relationship with your product or service.

Enguard can assist with the issues which GDPR raises from audit, security, staff training to drafting policies and procedure. For further details please call us at Enguard on 0818 252052 or email info@enguard.ie. We would love to hear from you!

Disclaimer: Please note the above article is an opinion piece based on current sources of information available at time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing

Kenneth Baker