GDPR stands for General Data Protection Regulation and is a new regulation coming out of the EU that affects the way we collect and manage data.

From a marketing perspective, GDPR has huge ramifications. That’s because, as we move toward a more personalised marketing world, we’re making greater use of personal data than ever before. Whether you’re running simple email marketing campaigns, postal campaigns or SMS campaigns, right through to more complex data use such as Facebook lookalike audiences, you’ll need to be compliant. We’re heading quickly toward an opt-in world – where the opt-in must be explicit and not inferred (which isn’t too much of a departure from what we have now anyway).

Successful data compliance is essentially going to be about culture. Often, data breaches are the result of a genuine mistake, where someone didn’t have data compliance in mind when they were organising or using their data. By educating your team, you can help to improve data protection in your business across all areas.

The deadline for GDPR is the 25th May 2018. That means your business needs to be ready and fully compliant by then. It’s not likely to be a quick task, but it is essential. Here are some tips to help you get there.

The legal side of GDPR

Essentially, GDPR is not too different from the Data Protection Act (DPA) – but unlike many regulations, which can be adapted by the country in question, the GDPR regulations have to be complied with as is across all member countries (note: even after Brexit, the UK will continue to be an ‘adequate representative’, so we can continue to trade in the EU).

GDPR is being introduced because of advances in the way we’re able to gather and use data, and changes in the way we use and share information. This could be for all sorts of reasons, including marketing, insurance, service provision, HR and lots more. GDPR is therefore something that’s going to affect all businesses in the UK and EU, and businesses outside those areas that hold EU data.

There have also been significant advances in the way we’re able to identify personal data, which has led to a need for a harmonised approach.

The key concepts and changes within GDPR are:

  • Increased fines and enforcement powers
  • Consent will be harder to obtain
  • Binding corporate rules for the lawful transfer of data
  • Pseudonymisation – changes to data so it can’t be personally identified

Holding data under the new GDPR regulations

Moving forward, any business that holds data will need to document what personal data they hold, where it came from and who it is, or has been, shared with. The main way to do this is through your privacy policy, where you need to ensure you state what data you hold and how you’re using it.

This means you need to let people know:

  • The lawful bases upon which the data is being processed
  • Your data retention periods
  • The person’s right to complain to the ICO if they feel their information is misused

The data subject (this being the person whose data you hold) has various rights as part of the new regulations too, including the right to be forgotten (where you have to remove their data), the right to object to processing (where they object to their data being held) and the right to data portability (choice over where their data can be sent).

There are pretty hefty fines for those companies who don’t comply, so now’s the time to get things right.

What we need to do as marketers in light of the new GDPR regulations

  1. Create a privacy policy that outlines what data you’re collecting and why; you can see an example of ours here
  2. Create a welcome email that welcomes new subscribers to your list and that includes an ‘opt in’. Alternatively, add an opt in tick box on your data capture form
  3. Make it possible for users to opt out at any time. Piwik have implemented this with an ‘opt out’ link in their footer

The ICO have created a 12-step plan, which you can find in full here.

[Image: the ICO’s 12-step plan for preparing for GDPR]

Image credit: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

GDPR and Digital Marketing

From a specific digital marketing perspective, GDPR gets a little more complex.

GDPR and Google Analytics

The important thing to understand here is the term ‘personal data’. While you might think this only relates to anything personally identifiable, such as a name or email address, unfortunately you’d be wrong.

Cookies and tracking codes fall into the scope of GDPR.

Cookie tracking is done by the vast majority of websites.

Some cookies enable certain functionalities within the site and make it possible for us to surface content in a way that will best suit that particular user’s needs – showing the correct currency for the user’s country, for example. If these cookies aren’t used, the website won’t work in the way it’s meant to – to the best of our knowledge, this kind of cookie isn’t within the GDPR remit.

Other cookies are used for marketing purposes. For example, Google Analytics uses cookies to track user information that informs marketing strategies, such as demographics, device information and information on which pages are being visited and where conversions are being made. Google AdWords uses cookies to track the effects of campaigns. Google’s data can be used to create adverts such as those known as ‘remarketing’ which ‘follow’ you around the web. Cookies can also be used in social media advertising.

As a user, you can change your settings to not allow this tracking, by turning on ‘do not track’.

To do this in Chrome, simply navigate to your settings, choose ‘advanced’ and check ‘do not track’:

[Image: the ‘do not track’ setting in Chrome’s advanced settings]

If a user does choose to set their browser to ‘do not track’, it’s worth noting that their data won’t be provided in the form of reports or be identifiable – e.g. the user’s location won’t be tracked – but this doesn’t mean the cookie source won’t still store data; it’s up to that provider’s own policies to explain how the data is used. So, as a marketer, you aren’t responsible for the way Google manages its data.

As a marketer, your responsibility is to make people aware of your use of cookies on your website. You must:

  • State your use of such tools within your privacy policy
  • Explain the use of cookies and other tracking, e.g. for advertising purposes, clearly within your privacy policy
  • Allow users to explicitly state that they agree to your use of cookies and tracking
  • Require users to opt in
  • Allow users to opt out at any time
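Here is one way to put the last three points into practice on a website. This is an added example, not code from the original post, PayPal or any of the tools mentioned: a small piece of JavaScript that only loads the analytics and advertising tags when the visitor has explicitly opted in, treats the browser’s ‘do not track’ signal as an opt-out, and lets the visitor withdraw consent at any time. The cookie name, the retention period and the tracker loader names are assumptions made for the example:

```javascript
// Added example (not from the original post): gate non-essential trackers behind explicit
// opt-in, honour the browser's 'do not track' signal and allow opt-out at any time.
// The cookie name, retention period and loader names are hypothetical.
const CONSENT_COOKIE = "tracking_consent"; // hypothetical name of the consent record
const CONSENT_MAX_AGE_DAYS = 180;          // assumed retention period for that record

// Minimal parser for a document.cookie string (or a Cookie header).
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Browser-level opt-out: navigator.doNotTrack is "1" when 'do not track' is ticked.
function doNotTrackEnabled(nav) {
  const v = nav ? nav.doNotTrack : undefined;
  return v === "1" || v === "yes";
}

// Decide whether marketing/analytics trackers may run for this visitor.
// Purely functional cookies (currency, session) sit outside this gate, as the post notes.
// Returns { allowed, reason } with reason "dnt", "opt-out", "no-consent" or "opt-in".
function trackingDecision({ cookieString, nav }) {
  if (doNotTrackEnabled(nav)) return { allowed: false, reason: "dnt" };
  const consent = parseCookies(cookieString)[CONSENT_COOKIE];
  if (consent === "granted") return { allowed: true, reason: "opt-in" };
  if (consent === "denied") return { allowed: false, reason: "opt-out" };
  // No recorded choice is NOT consent: consent has to be explicit, never inferred.
  return { allowed: false, reason: "no-consent" };
}

// Build the cookie string that records the visitor's explicit choice.
// Secure + SameSite=Lax so the record can't be set over plain HTTP or from another site.
function consentCookie(choice) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("choice must be 'granted' or 'denied'");
  }
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Opt-out at any time: the footer link simply writes a "denied" record.
function optOutCookie() {
  return consentCookie("denied");
}

// Run the tracker loaders (e.g. the functions that inject the Google Analytics or Google
// AdWords snippets) only when allowed; returns the names of the trackers that were loaded.
function loadTrackers(env, loaders) {
  const decision = trackingDecision(env);
  if (!decision.allowed) return [];
  return Object.entries(loaders).map(([name, load]) => {
    load();
    return name;
  });
}

// Constructed scenarios so the logic can be exercised without a browser.
const scenarios = {
  noChoice: { cookieString: "session=abc", nav: { doNotTrack: null } },
  optedIn: { cookieString: `session=abc; ${CONSENT_COOKIE}=granted`, nav: { doNotTrack: null } },
  dntWins: { cookieString: `${CONSENT_COOKIE}=granted`, nav: { doNotTrack: "1" } },
  optedOut: { cookieString: `${CONSENT_COOKIE}=denied`, nav: { doNotTrack: "0" } },
};

// In a page you would call it as:
//   loadTrackers({ cookieString: document.cookie, nav: navigator }, { analytics: injectGa });
// and on the consent banner's buttons:  document.cookie = consentCookie("granted");
```

Two design choices matter here: the absence of a cookie is treated as “not allowed” rather than “not decided yet”, because inferred consent doesn’t count, and the do-not-track signal is checked before the consent cookie, so a visitor who switches it on after opting in is still respected.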

PayPal have done this on their cookie policy page. Note how they’ve explicitly stated all the ways they intend to use cookies and tracking, and also the natural (not legal jargon) language they use – this is all essential within the new regulations.

Cookie Law have written a comprehensive post on cookie law and how it’s affected by GDPR here.

GDPR and remarketing ads

Remarketing ads are those ads that follow you around the web and encourage you to convert. They work really well, and many of our clients use them very successfully.

You’ll need to let your users know you may use their cookie data for this purpose, within your privacy policy.

GDPR and Facebook

Now let’s say you’re using email addresses for the purposes of creating Facebook lookalike audiences, or to target people whose details you have.

Under the new regulations, you’ll need to tell users about this too – asking them to opt in, and giving them the option to opt out.

If you do upload email addresses to Facebook to create new audiences, and you’ve got the consent of your users to do this, the onus is then on Facebook to protect that information once they have it.

GDPR and email marketing

If you have an email subscribe box on your website, you should make the user aware of the way their information will be used if they do sign up.

Take this example from Findawealthmanager.com. They’ve added text to their form which explains how data will be used, with a link to their privacy policy. They’ve also made it possible to view an archive of previous emails. This is all important for GDPR, with the added benefit that it adds trust factors to the site to enhance the user experience, too.

[Image: the Findawealthmanager.com email sign-up form, with its data-use text and privacy policy link]

What to do if you’re not sure about GDPR

If you’re not sure about how your activities relate to GDPR and whether or not you’re compliant, it’s more important than ever that you do find out.

While we’re more than happy to talk to you about your specific problem, it’s better if you can find a legal partner to advise. Feel free to leave any comments below and we’ll be happy to help you where we can.

Big thanks to Jemma, Hilary and the team at Vformation who organised a seminar on the topic of GDPR, and to Ed Wright from Shakespeare Martineau, Simon McNidder from Database First Aid and Neale Maude from Arena Group who spoke to us about the new regulations. We’d also like to thank Joe Burns from Pyranet for his further insights into cyber security. This blog is based on their insights as well as our own research.

Laura Hampton

Digital Marketing Manager

Digital marketer @impressiontalk specialising in user-centred SEO, PR, content marketing, social media and digital strategy. In my spare time, I jump out of planes.

  • Natasha A

    Surely with Facebook retargeting, the responsibility is on Facebook to get opt-in. When we enter our emails it will only market to people who have opted in on their Facebook settings?

    • My understanding is that we also need to get permission from our contacts to be able to use their data on Facebook – to even be able to upload it in the first place. Facebook also has its own Ts and Cs around use of that data, but as I understand, that’s separate to this.

      • Natasha A

        Can still get around this with pixel tracking and cookies instead of using lookalike audience email address uploads? Facebook will have to change the product I suppose to account for these factors. Asking for opt-in for personalised marketing is LONG because there is no easy way to hook consent up to the tools. Loads of added manual processes coming.

        • Our solution is to update our privacy policy to let people know that we may use their data for these purposes, and to make it even more clear in email sign up.

          Our understanding is that management of that data by third parties such as Facebook will be down to their own policies. So if we did upload email addresses, or use pixel tracking (which can be used instead, but is often used as well), once the data is on Facebook’s platform, it’s subject to their own processes.

          In theory, simply updating your privacy policy and making it possible for people to opt in and out should be enough. But I agree, there’s lots to be ironed out here – and not much time to do it!

          Would appreciate any further feedback people have…

  • Iain MacGillivray

    Great article, thanks… re Facebook, you don’t cover the Facebook Pixel and how that can be used on sites to track and retarget through the marketing funnel. I think there has to be a way for an individual to switch that off and hopefully that can be controlled by Facebook. I have yet to find anything more tangible than that. Also, re Chrome and Do not track, that is a browser-related opt-out, but individuals are tracked across devices, so that is not a full solution, is it?