The GDPR came into effect well over two years ago, but understanding its finer points remains a challenge for many marketers. The lawfulness of processing data (covered in great detail in Article 6 of the GDPR), and in particular the appropriate application of consent and legitimate interest, continues to present challenges and questions: for example, assessing which is the most appropriate basis to apply and how this might impact marketing activities, including direct marketing, advertising and so on.
While the scare stories of hefty fines and pre-GDPR panic have largely died down, many businesses are still getting to grips with GDPR. It is unlikely that many are fully compliant as they try to interpret the regulations and work out how best to apply them to marketing activities.
It is important to remember that the GDPR is a principles-based regulation and, while the definitions are explicit, they do not provide specific directives on how to apply them when collecting, processing, storing and using data. That means that responsibility for these decisions sits with the data and marketing professionals who are processing the data on behalf of their businesses. Because GDPR doesn’t say how to apply the definitions, marketers still need to know how to make informed decisions and justify them.
So, how can marketers ensure their data processing is transparent, compliant and responsible? And how do they align their legal, compliance, governance, IT and marketing teams in order to meet the data protection regulation and educate them on how to use and process data?
It’s a case for education and process. Marketers must now be very well acquainted with data protection law and know how to apply the regulations to their specific activities. But they also need to be able to balance their business objectives and KPIs while not contravening the regulations. Data Controllers and Processors must now be more responsible and accountable when it comes to processing personal data, and they must be able to record processing activities and evidence the rationale for the legal basis they select.
Even experienced marketers and data and compliance professionals are questioning every action and decision regarding customer and prospect communications in the context of the GDPR:
- What is the best lawful basis to use or choose from?
- How do I choose which is the most appropriate?
- Do I need to write an LIA?
- Does my organisation need to be named when purchasing data for prospecting?
- How do we ensure we have protected the consumers’ fundamental rights?
The list goes on.
So it is no wonder that a lot of confusion still exists around when and how to use the key lawful bases for processing data for marketing purposes: consent and legitimate interest.
Legitimate interest, based on the ICO’s definitions, is the most flexible of the six legal bases for processing personal data, and it can therefore be applied to many different situations. It is, for example, the most appropriate basis when processing the data is of clear benefit to you or others, there is limited privacy impact on the individual, or an individual would reasonably expect their data to be used in that way. The individual’s fundamental rights carry equal weight in that balance, and transparency is crucial when making these decisions.
GDPR specifically states, in Recital 47, that direct marketing may be considered a legitimate interest, albeit upon the appropriate and thorough application of a balancing test. By balancing the business and marketing objectives with the rights of the individual (and a good dose of common sense), and documenting it in a professional and trackable manner by completing a Legitimate Interest Assessment (LIA), marketers can use this basis for marketing with more confidence.
The balancing test for legitimate interest applies to prospect data and data sourced from third parties as well as to first-party data. There is nothing in the GDPR that prohibits the use of third-party data, provided that it is undertaken in accordance with the data protection principles and regulatory guidance.
When it comes to consent, this is what the ICO has to say: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”
This means that, in many instances, consent may not be required. However, one example of when it is required is the use of electronic marketing (including email), and this is where the GDPR and the Privacy and Electronic Communications Regulations (PECR) dovetail: email marketing requires consent, and the requirements for that consent are set out in PECR.
Fundamentally the GDPR is intended to build and maintain trust with consumers. That means applying both rigour and common sense when balancing commercial interests with consumer rights and regularly testing that decision to ensure it is the right approach.
The days of privacy being a box-ticking exercise are well and truly gone. The principles of privacy by design and ‘responsible marketing’ have to be embedded in businesses now. This is challenging but necessary, and those businesses that get these fundamentals right will reap the rewards.