The Impression team have been inundated with requests from clients, friends and partners over the last few weeks as the General Data Protection Regulation (GDPR) deadline looms.

In this blog post, I don’t intend to offer legal advice, but more of a process I’d recommend you consider for your company. As with all new laws, the precedent from case law has not yet been set, so what’s currently considered “best practice” (in April 2018) may not be the case months from now.

We grouped some of the more prevalent questions and have offered up our best (non-legal) advice below;

TL:DR: A GDPR summary for busy marketers

AreaWhat you need to do
CookiesIf ‘legitimate interest’ exists, simply note this in your privacy policy, no further consent required.

If ‘legitimate interest’ does not exist, you need explicit consent. Either way, document this in your privacy policy.

FormsIf ‘legitimate interest’ exists, or data is being gathered out of contractual necessity (i.e. to complete a cart purchase), no further consent is required.

If ‘legitimate interest’ does not exist (i.e. automatically signing someone up to a marketing newsletter when they complete a form), explicit consent is required.

Consider the purpose of a form – a newsletter subscription form doesn’t need separate marketing consent, as that’s its purpose, but a newsletter subscription on a “create an account” form does as that’s a separate purpose.

Website / CRM dataYou must set an expiry date for any data you store – you cannot keep it indefinitely.

You must have a plan in place for dealing with any data breach.

You must be able to show the data subject what information you hold on them, and be able to remove it at their request.

You can store enough information after removal to ensure you do not contact them again, i.e. an email address on a suppression list.

Privacy policyA must for all businesses documenting their compliance with GDPR and other laws.

This document will state your business details along with how to communicate with your Data Protection Officer.

This informs data subjects what you do with their data and how they can access or remove it.

Audience lists and customer match dataYou are the data processor, the advertising platform is the data controller, so the onus is on the controller to obtain consent, and for you to use the data according to that consent.

If uploading data sets for custom matches and so on, you need to have gathered that data in a GDPR compliant manner — under a legal basis, which can include ‘legitimate interests’.

Email marketing listsUse double opt in to ensure consent and the GDPR deadline as a good reason to cleanse your lists now.

Any lists you buy must have been gathered in a GDPR compliant manner.

Internal processesDocument all data storage, flows, inputs and outputs. .

Train staff on data protection.

Be prepared for a data breach with a clear plan.

Cookies

We’ve addressed two main angles of questioning with respect to cookies; cookie notices and the required changes to cookie policies.

The requirement for website cookie notices is widely unchanged since its legal requirement began in May 2012, however its uptake has been low, inconsistent and not actively enforced. Unless a cookie is a functional cookie (such as to update a shopping basket or detect which country a visitor is browsing from), consent is required to place it. Some companies look for a positive opt-in to setting cookies and some show only notifications of their presence.

The GDPR mentions cookies only once in the current literature (Recital 30), and classes them as personal information where they can be combined with unique identifiers or server information that can then identify a person. Cookies classed as personal information (such as as logged in cookies or customer ID cookies) can be processed either with consent or under a “legitimate interest” under the GDPR.

The GDPR gives us the ability to process data under a “legitimate interest” when;

  • the processing is not required by law but is of a clear benefit to you or others;
  • there’s a limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

A number of large companies are clearly already processing at least functional and marketing analytics cookies under this “legitimate interest” approach and it may be that this is the route the majority of companies will choose to take. If you are collecting any information under legitimate interests then be sure to include this in full in your privacy policy.

To comply, at present, many websites are not setting personally identifiable information in cookies on initial page loads. They they show a clear message or opt-in form depending on their preference, whereby cookies are then set after consent. Until we see better examples of implementation, or case law to set the expectations further, the entire industry is being led by this “best practice”.

For those companies currently without a cookie policy, it’s definitely advisable to generate one from a reliable template, and then to audit and write up the origin and purpose of each cookie set by your website within the policy.

Further, EU law gives data subjects the right to be forgotten, so visitors should be able to withdraw consent just as easily as they gave consent. Where possible, signpost your customers to appropriate places to disable marketing and advertising providers from third parties and also ensure your website honors “do not track” browser requests.

Forms

Website forms across a website often serve a multitude of purposes – from marketing automation and newsletter subscriptions to simple one-time contact forms. This spectrum is mirrored by the requirements under the GDPR to gain express marketing consent from your customers when they are filling them out.

Any data you collect from a form must be processed lawfully. There are three relevant lawful bases, and you must decide which is most applicable to your form data:

  • contractual necessity,
  • legitimate interests, or
  • consent.

If a form only collects personal information to conclude a contract, such as in a checkout form, no action is necessary to make it GDPR compliant as the data is processed as a contractual necessity.

Alternatively, if a form carries out actions which could be reasonably expected, such as a contact form sending an email to your business and recording the form data in a CRM system, it is likely that the data is processed with a legitimate interest (such as to carry out marketing activities). If this is the case, your privacy policy should record this.

If there is neither a contractual necessity or a legitimate interest, consent will be required. For example, a user wouldn’t reasonably expect a contact form to sign them up to weekly marketing emails, so consent, in the form of a tick box which the user must positively tick, would be required.

It’s also good practice to get email data via a double opt-in confirmation which all good email platform providers will offer.

If you want to market to your lapsed or previous customers, you need either explicit consent or a good argument under legitimate interests, and again these should be detailed in your privacy policy.

For pre-GDPR data, consider how the data was collected. If it was collected in a method comparable with your GDPR-compliant methods (marketing provider double opt-in, for example), then you might be in the clear.

The safest route for covering your back for previous data where you are unsure as to whether it was collected in accordance with GDPR is to ask for consent prior to May 25th and cleanse your lists before this date for data for which you do not have consent. If you go down the consent route, ensure you have a log of the consent (i.e double opt in date) for your records.

Storing data on your website or CRM

If personal data is to be stored, then you must consider what the average customer might expect you to do with it.

You cannot store this information indefinitely so an expiry data must be decided. If it is to be stored then this should also be clearly explained in your privacy policy, along with instructions on how a data subject may perform a data access request and/or request its permanent deletion. With GDPR, transparency is key.

If there is a data breach, you will need to alert the ICO who will then likely investigate your company to test for compliance. At the very least, there are six GDPR data protection principles which you should adhere to, which the ICO has laid out here.

If at present you are not storing information in a secure CRM, then this should be a key consideration going forward, as there are plenty of GDPR and other great reasons for doing so;

  • Centralised lead storage,
  • Controlled lead access,
  • Availability and simplicity of website integrations,
  • Ease of appending marketing source/medium information,
  • Overall improved data quality, and
  • Easier GDPR compliance through process

If you receive website leads via email only, it’s best practise to permanently delete these once you have dealt with them or moved them to a more secure service, like a CRM. If you cannot change this process, detail it in your privacy policy under a legitimate interest or gain consent at the point of data creation – and keep a record of this consent date.

To save digging around in your email inboxes and website databases, it’s worth the investment of a CRM to ensure future data subject access requests are painless.

Privacy policy

Cookie and privacy policies are sometimes intertwined, though the real requirement under the GDPR legislation is your privacy policy. Your privacy policy is one of the most important public facing documents you will need to create to achieve GDPR compliance as this details to your customers and users what you store and for how long, as well as how they may perform a data access request.

Privacy policies may take a number of forms and be based on a number of templates, but the ICO have helpfully created a checklist, which if followed, will ensure you’re compliant come May 25th. Access the ICO checklist here. 

As with many legal documents, complexity grows with the size and complexity of your business, so if you know you store data in silos across your organisations, for different purposes, then it’s definitely worth seeking legal advice to ensure every eventuality is covered.

Audience lists and customer match data

Most advertisers in 2018 will be processing audience data through large aggregate data controllers/processors like Google Analytics, AdWords or Facebook Ads for the purpose of remarketing and retargeting.

The advertising giants, led by Facebook and Google, have recently asked users to affirm their consent for using personal data to shape advertising preferences (this was required on Facebook, for example) which means the data they are “controlling” is collected in a GDPR compliant way.

Advertisers are then data processors in this relationship, as Facebook explains further on its GDPR advisory page here. This covers the use of tracking scripts and tracking pixels as the individual users would have consented to providing this information to the controllers and it’s the controller, not the advertiser, who is using that information within their platform to operate the advertising function.

Advertisers can continue to submit additional data to these controllers through the use of “Custom Audiences” or “Customer match” data sets by appointing them as a data processor — for which you need a legal basis to do so.

Again, this depends on your own legal interpretation of legitimate interest vs. the requirement for consent for sharing this data and this will almost always come back to the method in which the data was collected in the first place and the expectations of a reasonable/average customer.

Email marketing lists

Email marketing has been governed in the UK by separate legislation since 2003. The GDPR does not change the requirements considerably, but again affirms the need to collect “freely given, specific, informed and unambiguous consent” for the collection and storage of personal data (Article 32).

Therefore, if you have been collecting information under a double opt-in method and your customers or users are expecting to receive marketing messages from you, you may already be fully compliant.

Your specific actions for full GDPR compliance may vary but in order to determine this, you should first audit the geographic spread of your email marketing database (looking for all EU member state countries) and ensure you have a clear audit trail of double opt-ins, appropriate marketing consent and importantly a method for consumers to easily withdraw their consent.

Importantly, the GDPR legislation applies to all data whether or not it was collected before or after the May 25th deadline, so this full audit process is important for compliance.

It’s still possible to purchase email marketing lists from reputable suppliers after the GDPR deadline but a lot of care should be taken to ensure list data was collected in a GDPR compliant way. Your obligation to allow the easy withdrawal of consent still applies.

Also – it’s worth bearing in mind that just because purchased lists may be compliant, they may not be the best route forward for marketing efforts and your email marketing strategy; as many email service providers have advised for some time — just because it’s legal doesn’t mean it’s best for your business.

For simple applications, like an email newsletter signup, you should ensure that customers go through a double opt-in process and store the date of their consent to receive your email marketing messages. Double opt-in is not required, but it is a handy way of recording the date of consent — all good email providers and CRMs will provide this.

For more complex uses, or when there are multiple outcomes associated with the action – for example creating an account AND subscribing to a newsletter, separate consent is required for sending customers marketing messages (Privacy and Electronic Communications Regulations will exist alongside the GDPR).

Internal processes

Aside from making technical changes to your website or internal software, the largest burden created by the GDPR is the internal processes you will need to follow after the May 25th deadline.

The UK ICO have released a simple infographic checklist which can be found here to get you started so this is a good starting point.  You should make your staff aware of some key changes to data processing and storage – namely;

  • The right to be forgotten
  • Data subject access request rights of data subjects
  • Data portability
  • Data breach reporting obligations
  • Cross-border data processing prohibitions

You should also be addressing many of these new concerns with a new Privacy Policy as well as updating your cookie policy to ensure cookie information is transparent. Your privacy policy should state the use of cookies and digital marketing tracking services you’re using and detail how users can opt out of this.

If you do not yet use a CRM for marketing and sales purposes, but instead rely on (for example) an email inbox for dealing with enquiries, it is definitely worth considering this now. There are plenty of simple, free, integration solutions available to get you started. A CRM will ensure safe storage, permissioned access, and easy deletion/removal of data at the very least.

You should create a document in preparation for use should you be in the unfortunate position of reporting a data breach. The ICO offer a checklist to get you started here.

Internally you should map the data flows in and out of your organisation, along with the data stores in order to create a data audit/map. This useful exercise will identify permanent data stores, as well as insecure or less preferable processing/controlling methods. For each, check your GDPR compliance.

Simply put, as a controller, you need to:

  • Make sure you process the data lawfully,
  • Make sure you have a privacy policy in place, and
  • Demonstrate compliance with regulations via your audits and documentation

If you are only a processor, you must:

  • Ensure you are acting within the bounds of what your data controller allows you to do.

If you are storing information in any way which isn’t fully secure, then you should address this immediately.

As with all new legislation, we look forward to case law developing a more refined “best practice” for some more trivial SME issues listed above. But until then, acting lawfully and being prudent is your best bet. For any complexities not broadly discussed in this post, separate legal advice will be required.

If you have any queries, check out my colleague Jamie’s blog post GDPR: an action plan for businesses and marketers.

Resources

If you want to run the ICO’s test on legitimate interest vs. consent, click here.

Aaron Dicks

Managing Director

Managing Director of Impression. Search engine optimisation consultant, web developer/engineer and digital all-rounder. @aarondicks

Leave a Reply

Your email address will not be published. Required fields are marked *