Over the last few months, uncertainties surrounding the potential impact of The General Data Protection Regulation (GDPR) legislation have meant a lot of conversation, speculation and quite frankly confusion for marketers within the B2B space. The piece of EU legislation aims to overhaul data protection law within the EU and will come into force in May 2018, but many in the industry are uncertain as to how this will affect them in practice.
In an attempt to make sense of this new legislation and what it means for B2B marketing activities, we consulted Lecturer in Law at University of Hertfordshire Henry Pearce, who provided us with his take on the implications of the GDPR legislation along with practical recommendations for how to prepare for its full implementation come 2018.
How does this new piece of legislation apply to B2C marketing?
At present, most of the obligations under the DPA apply to firms carrying out B2C marketing related activities. However, there is currently one notable exception to this. At present, the Privacy and Electronic Communications Regulations (PECR), mentioned above, specify that B2C email marketing and similar activities would not have to obtain the express opt-in consent of any individuals whose personal data were involved in said activities to satisfy the individual consent ground for legitimising the processing of personal data under the DPA. Therefore, in the context of B2C marketing activities involving personal data, if individuals are given the option to opt-out this is sufficient to establish consent.
So B2C marketing strategies will not be affected by this legislation?
Broadly speaking, to all intents and purposes the GDPR retains the same definitions of “personal data” and “processing” as contained within the DPA, meaning that all and any uses of any information that can be used to identify an individual person will be subject to the GDPR’s substantive rules and provisions. The GDPR broadly also retains the abovementioned conditions for processing of personal data contained within the DPA, but with some important clarifications, particularly regarding individual consent.
As noted above, under the DPA the processing of an individual’s personal data can be made lawful by way of said individual giving their unambiguous consent. Under the DPA and PECR it appeared that consent could validly be obtained for personal data being used for marketing purposes on an “opt-out” basis (i.e. as long as the individual concerned was given the option to opt-out of their data being used for marketing purposes, this was enough to signify them giving consent).
What can B2C businesses do ahead of May 2018?
To prepare for GDPR coming into force in May 2018, The Eagle and Sun will be making sure that:
- In the event an individual whose personal data is contained within our database contacts you enquiring as to whether you hold any information about them, confirmation will be given to that individual without undue delay.
- If, having received confirmation that their personal data are being held, we will be obliged to make the individual aware of precisely which of their personal data are being held and for what purposes, and that the individual has the right to object to their data being held in the manner specified.
- If an individual asks to access personal data of theirs that is held by us, or wishes to receive a copy of those data, then we will honour this request without undue delay.
- If any of the personal data contained within our database is inaccurate, we will allow any affected individuals to rectify or otherwise correct any erroneous records.
- If an individual objects to their personal data being stored in our database, or asks for their personal data to be deleted, then these too are requests that will be upheld.
The Eagle and Sun will be taking into account best practices as it builds strategies to communicate with clients and prospects. Providing a robust data management system in order to track engagement and honour ‘opt outs’ will be a basic requirement for our programme. Meanwhile, by refining data and ensuring that our messaging is targeted and content is relevant, we will put ourselves in the best position not only to comply with the GDPR legislation, but stand a much better chance of building relationships with prospective clients.