The Impression team have been inundated with requests from clients, friends and partners over the last few weeks as the General Data Protection Regulation (GDPR) deadline looms.
In this blog post, I don’t intend to offer legal advice, but more of a process I’d recommend you consider for your company. As with all new laws, the precedent from case law has not yet been set, so what’s currently considered “best practice” (in April 2018) may not be the case months from now.
We grouped some of the more prevalent questions and have offered up our best (non-legal) advice below.
TL;DR: A GDPR summary for busy marketers
| Area | What you need to do |
| --- | --- |
| Forms | If ‘legitimate interest’ exists, or data is being gathered out of contractual necessity (i.e. to complete a cart purchase), no further consent is required. If ‘legitimate interest’ does not exist (i.e. automatically signing someone up to a marketing newsletter when they complete a form), explicit consent is required. Consider the purpose of a form: a newsletter subscription form doesn’t need separate marketing consent, as that’s its purpose, but a newsletter subscription on a “create an account” form does, as that’s a separate purpose. |
| Website / CRM data | You must set an expiry date for any data you store; you cannot keep it indefinitely. You must have a plan in place for dealing with any data breach. You must be able to show the data subject what information you hold on them, and be able to remove it at their request. You can store enough information after removal to ensure you do not contact them again, i.e. an email address on a suppression list. This document will state your business details along with how to communicate with your Data Protection Officer. This informs data subjects what you do with their data and how they can access or remove it. |
| Audience lists and customer match data | You are the data processor, the advertising platform is the data controller, so the onus is on the controller to obtain consent, and for you to use the data according to that consent. If uploading data sets for custom matches and so on, you need to have gathered that data in a GDPR compliant manner, under a legal basis, which can include ‘legitimate interests’. |
| Email marketing lists | Use double opt-in to ensure consent, and use the GDPR deadline as a good reason to cleanse your lists now. Any lists you buy must have been gathered in a GDPR compliant manner. |
| Internal processes | Document all data storage, flows, inputs and outputs. Train staff on data protection. Be prepared for a data breach with a clear plan. |
We’ve addressed two main angles of questioning with respect to cookies: cookie notices and the required changes to cookie policies.
The requirement for website cookie notices is largely unchanged since it became a legal requirement in May 2012; however, uptake has been low and inconsistent, and the requirement has not been actively enforced. Unless a cookie is a functional cookie (such as to update a shopping basket or detect which country a visitor is browsing from), consent is required to place it. Some companies look for a positive opt-in to setting cookies and some show only notifications of their presence.
The GDPR mentions cookies only once in the current literature (Recital 30), and classes them as personal information where they can be combined with unique identifiers or server information that can then identify a person. Cookies classed as personal information (such as logged-in cookies or customer ID cookies) can be processed either with consent or under a “legitimate interest” under the GDPR.
The GDPR gives us the ability to process data under a “legitimate interest” when:
- the processing is not required by law but is of a clear benefit to you or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
To comply, at present, many websites are not setting personally identifiable information in cookies on initial page loads. They then show a clear message or opt-in form, depending on their preference, and cookies are only set after consent. Until we see better examples of implementation, or case law to set the expectations further, the entire industry is being led by this “best practice”.
Further, EU law gives data subjects the right to be forgotten, so visitors should be able to withdraw consent just as easily as they gave consent. Where possible, signpost your customers to appropriate places to disable marketing and advertising providers from third parties and also ensure your website honors “do not track” browser requests.
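The pattern described above (no non-functional cookies on first load, cookies set only after consent, withdrawal as easy as opt-in, “do not track” honoured) can be sketched as a small consent gate. This is an added example, not code from the original post; the cookie names and categories are constructed, and treating “do not track” as taking precedence over a later opt-in is an assumption of this sketch.

```javascript
// Added example: cookie names/categories are constructed for illustration.
const FUNCTIONAL = "functional"; // e.g. basket contents, country detection

// `jar` is anything with set(name, value) and delete(name).
// In a browser, pass browserJar(); offline, a plain Map works.
function createConsentGate(jar, { doNotTrack = false } = {}) {
  let consent = false;       // nothing is assumed on the first page load
  const queued = [];         // non-functional cookies held back until opt-in
  const placed = new Set();  // non-functional cookies actually written

  function place(c) {
    jar.set(c.name, c.value);
    if (c.category !== FUNCTIONAL) placed.add(c.name);
  }

  return {
    // Returns true if the cookie was written now, false if held or refused.
    setCookie(name, value, category) {
      const c = { name, value, category };
      if (category === FUNCTIONAL) { place(c); return true; }
      if (doNotTrack) return false;   // assumption: DNT wins, nothing is queued
      if (consent) { place(c); return true; }
      queued.push(c);
      return false;
    },
    // Visitor opts in: flush everything that was waiting.
    grant() {
      consent = true;
      queued.splice(0).forEach(place);
    },
    // Visitor withdraws: remove what consent allowed, keep functional cookies.
    withdraw() {
      consent = false;
      queued.length = 0;
      placed.forEach((name) => jar.delete(name));
      placed.clear();
    },
  };
}

// Browser adapter (not exercised offline): wraps document.cookie.
// In a page, doNotTrack would be read as navigator.doNotTrack === "1".
const browserJar = () => ({
  set: (n, v) => { document.cookie = `${n}=${encodeURIComponent(v)}; path=/; SameSite=Lax`; },
  delete: (n) => { document.cookie = `${n}=; path=/; max-age=0`; },
});
```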
Website forms across a website often serve a multitude of purposes – from marketing automation and newsletter subscriptions to simple one-time contact forms. This spectrum is mirrored by the requirements under the GDPR to gain express marketing consent from your customers when they are filling them out.
Any data you collect from a form must be processed lawfully. There are three relevant lawful bases, and you must decide which is most applicable to your form data:
- contractual necessity,
- legitimate interests, or
If a form only collects personal information to conclude a contract, such as in a checkout form, no action is necessary to make it GDPR compliant as the data is processed as a contractual necessity.
If there is neither a contractual necessity nor a legitimate interest, consent will be required. For example, a user wouldn’t reasonably expect a contact form to sign them up to weekly marketing emails, so consent, in the form of a tick box which the user must positively tick, would be required.
It’s also good practice to get email data via a double opt-in confirmation which all good email platform providers will offer.
For pre-GDPR data, consider how the data was collected. If it was collected in a method comparable with your GDPR-compliant methods (marketing provider double opt-in, for example), then you might be in the clear.
The safest route for data where you are unsure whether it was collected in accordance with GDPR is to ask for consent prior to May 25th, and to cleanse your lists before this date of any data for which you do not have consent. If you go down the consent route, ensure you have a log of the consent (i.e. double opt-in date) for your records.
Storing data on your website or CRM
If personal data is to be stored, then you must consider what the average customer might expect you to do with it.
If there is a data breach, you will need to alert the ICO who will then likely investigate your company to test for compliance. At the very least, there are six GDPR data protection principles which you should adhere to, which the ICO has laid out here.
If at present you are not storing information in a secure CRM, then this should be a key consideration going forward, as there are plenty of GDPR and other great reasons for doing so:
- Centralised lead storage,
- Controlled lead access,
- Availability and simplicity of website integrations,
- Ease of appending marketing source/medium information,
- Overall improved data quality, and
- Easier GDPR compliance through process
To save digging around in your email inboxes and website databases, it’s worth the investment of a CRM to ensure future data subject access requests are painless.
Privacy policies may take a number of forms and be based on a number of templates, but the ICO have helpfully created a checklist, which if followed, will ensure you’re compliant come May 25th. Access the ICO checklist here.
As with many legal documents, complexity grows with the size and complexity of your business, so if you know you store data in silos across your organisation, for different purposes, then it’s definitely worth seeking legal advice to ensure every eventuality is covered.
Audience lists and customer match data
Most advertisers in 2018 will be processing audience data through large aggregate data controllers/processors like Google Analytics, AdWords or Facebook Ads for the purpose of remarketing and retargeting.
The advertising giants, led by Facebook and Google, have recently asked users to affirm their consent for using personal data to shape advertising preferences (this was required on Facebook, for example) which means the data they are “controlling” is collected in a GDPR compliant way.
Advertisers are then data processors in this relationship, as Facebook explains further on its GDPR advisory page here. This covers the use of tracking scripts and tracking pixels as the individual users would have consented to providing this information to the controllers and it’s the controller, not the advertiser, who is using that information within their platform to operate the advertising function.
Advertisers can continue to submit additional data to these controllers through the use of “Custom Audiences” or “Customer match” data sets by appointing them as a data processor — for which you need a legal basis to do so.
Again, this depends on your own legal interpretation of legitimate interest vs. the requirement for consent for sharing this data and this will almost always come back to the method in which the data was collected in the first place and the expectations of a reasonable/average customer.
Email marketing lists
Email marketing has been governed in the UK by separate legislation since 2003. The GDPR does not change the requirements considerably, but again affirms the need to collect “freely given, specific, informed and unambiguous consent” for the collection and storage of personal data (Article 32).
Therefore, if you have been collecting information under a double opt-in method and your customers or users are expecting to receive marketing messages from you, you may already be fully compliant.
Your specific actions for full GDPR compliance may vary but in order to determine this, you should first audit the geographic spread of your email marketing database (looking for all EU member state countries) and ensure you have a clear audit trail of double opt-ins, appropriate marketing consent and importantly a method for consumers to easily withdraw their consent.
Importantly, the GDPR legislation applies to all data whether or not it was collected before or after the May 25th deadline, so this full audit process is important for compliance.
It’s still possible to purchase email marketing lists from reputable suppliers after the GDPR deadline but a lot of care should be taken to ensure list data was collected in a GDPR compliant way. Your obligation to allow the easy withdrawal of consent still applies.
Also – it’s worth bearing in mind that just because purchased lists may be compliant, they may not be the best route forward for marketing efforts and your email marketing strategy; as many email service providers have advised for some time — just because it’s legal doesn’t mean it’s best for your business.
For simple applications, like an email newsletter signup, you should ensure that customers go through a double opt-in process and store the date of their consent to receive your email marketing messages. Double opt-in is not required, but it is a handy way of recording the date of consent — all good email providers and CRMs will provide this.
For more complex uses, or when there are multiple outcomes associated with the action – for example creating an account AND subscribing to a newsletter, separate consent is required for sending customers marketing messages (Privacy and Electronic Communications Regulations will exist alongside the GDPR).
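As an added illustration (not code from the original post), the double opt-in record keeping described above can be modelled as a consent log: consent is stored per purpose with its confirmation date, withdrawal is one call, and only the address is kept afterwards on a suppression list. The field names, purpose labels and the rule that a fresh opt-in lifts an earlier suppression are assumptions of this sketch.

```javascript
// Added example: field names and purpose labels are constructed.
function createConsentLog({
  now = () => new Date(),
  newToken = () => globalThis.crypto.randomUUID(),
} = {}) {
  const pending = new Map();    // token -> unconfirmed request
  const consents = new Map();   // "email\npurpose" -> audit record
  const suppressed = new Set(); // addresses that must not be contacted again
  const norm = (e) => e.trim().toLowerCase();
  const key = (email, purpose) => `${norm(email)}\n${purpose}`;

  return {
    // Step 1: form submitted. Not mailable yet; a confirmation link is sent.
    request(email, purpose) {
      const token = newToken();
      pending.set(token, { email: norm(email), purpose, requestedAt: now().toISOString() });
      return token;
    },
    // Step 2: link clicked. confirmedAt is the consent date to keep on file.
    confirm(token) {
      const p = pending.get(token);
      if (!p) return null;              // unknown or already used token
      pending.delete(token);
      suppressed.delete(p.email);       // assumption: new opt-in lifts old opt-out
      const record = { ...p, confirmedAt: now().toISOString() };
      consents.set(key(p.email, p.purpose), record);
      return record;
    },
    // Withdrawal: delete every consent record, keep only the address.
    withdraw(email) {
      const e = norm(email);
      for (const k of [...consents.keys()]) {
        if (k.startsWith(`${e}\n`)) consents.delete(k);
      }
      suppressed.add(e);
    },
    // Consent for one purpose (account creation) never implies another (newsletter).
    canSend(email, purpose) {
      return !suppressed.has(norm(email)) && consents.has(key(email, purpose));
    },
    auditRecord: (email, purpose) => consents.get(key(email, purpose)) || null,
  };
}
```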
Aside from making technical changes to your website or internal software, the largest burden created by the GDPR is the internal processes you will need to follow after the May 25th deadline.
The UK ICO have released a simple infographic checklist, which can be found here, and this is a good starting point. You should make your staff aware of some key changes to data processing and storage, namely:
- The right to be forgotten
- Data subject access request rights
- Data portability
- Data breach reporting obligations
- Cross-border data processing prohibitions
If you do not yet use a CRM for marketing and sales purposes, but instead rely on (for example) an email inbox for dealing with enquiries, it is definitely worth considering this now. There are plenty of simple, free, integration solutions available to get you started. A CRM will ensure safe storage, permissioned access, and easy deletion/removal of data at the very least.
You should create a document in preparation for use should you be in the unfortunate position of reporting a data breach. The ICO offer a checklist to get you started here.
Internally you should map the data flows in and out of your organisation, along with the data stores in order to create a data audit/map. This useful exercise will identify permanent data stores, as well as insecure or less preferable processing/controlling methods. For each, check your GDPR compliance.
Simply put, as a controller, you need to:
- Make sure you process the data lawfully,
- Demonstrate compliance with regulations via your audits and documentation.
If you are only a processor, you must:
- Ensure you are acting within the bounds of what your data controller allows you to do.
If you are storing information in any way which isn’t fully secure, then you should address this immediately.
As with all new legislation, we look forward to case law developing a more refined “best practice” for some more trivial SME issues listed above. But until then, acting lawfully and being prudent is your best bet. For any complexities not broadly discussed in this post, separate legal advice will be required.
If you have any queries, check out my colleague Jamie’s blog post GDPR: an action plan for businesses and marketers.
If you want to run the ICO’s test on legitimate interest vs. consent, click here.