The digital marketing guide to GDPR


How to make your digital marketing GDPR compliant:

Because GDPR requires a lawful basis, and in many cases consent, for collecting and processing personal data, marketing is one of the departments in your organisation most likely to be affected by the regulation.

Four years into GDPR, fines are bigger than ever and still growing: there was a 113% increase in GDPR fines between July 2020 and July 2021, and the total value of penalties grew over the same period from €130.69 million to €293.96 million. Many of the biggest fines were marketing related, including a €746m fine for Amazon over how it compiled data on customers and a €225m fine for WhatsApp for failing to provide information in clear and plain language.

Using information that is publicly available doesn’t mean you’re off the hook: agricultural conglomerate Monsanto was fined €400,000 by the French regulator for maintaining files on activists and journalists, since it was in effect tracking them on an ongoing basis without informing them.

As a marketer who collects information, whether or not that information is publicly available, it’s more important than ever to make sure you’re doing so in a GDPR-compliant way. The guidance in this guide will help your marketing team comply with GDPR.


Marketing lists

In June 2017, JD Wetherspoon decided the simplest way to make its digital marketing GDPR compliant was to delete its entire marketing list. While that may have been the preferred approach for the pub chain, GDPR certainly does not require businesses to delete their marketing lists.

Organisations can provide customer details to third parties only if they made this clear when the information was being collected. Records of how consent was obtained must be clear if the list is being used for making marketing calls, texts, or emails.

A third-party marketing list must be checked, and steps taken to ensure the wishes of the people on it are respected. Everyone on a purchased list must also be able to opt out. Rigorous checks must be made on a purchased list to ensure the details were obtained fairly and lawfully.

Did you know: if a business becomes insolvent, closes down or is sold, the customer database can be passed on without fresh consent, but the people on it can only be contacted for the same purpose they were originally told about. If the buyer wishes to use that data for a new purpose, it must obtain consent.

Marketing list conditions

  • The seller of the marketing list is a member of a professional body
  • The seller is bound by a contract confirming the reliability of the list and allowing you to audit it
  • Purchased lists are not used for texts, emails, or recorded calls unless there is clear proof of opt-in obtained within the last six months
  • The product or service is similar to what the individuals originally consented to receive marketing about
  • Only the information on the list that is needed for marketing is used
  • Irrelevant or excessive personal information is deleted
  • Names on the purchased list are screened against your own list of people who have opted out
  • A small sample is checked to assess how accurate the purchased list is
  • There are procedures for correcting inaccurate data and dealing with complaints
  • The company name, address, and telephone number are included in marketing content sent by post, fax, or email
  • You tell people where you obtained their details
  • A privacy notice is provided where practical

Marketing by text and email

Marketing emails and texts should only be sent to people who have consented or people who are or have been customers provided you are marketing similar products and services. The sender’s identity cannot be concealed, and a way to opt-out or unsubscribe such as by replying to the message or clicking an unsubscribe link must be supplied.

The following procedures must be followed for your digital marketing to be GDPR compliant:

  • People receiving texts or emails have given their consent
  • If there is no consent, the marketing is to current or past customers about similar products and an opt-out was offered when they gave their details
  • An opt-out option is offered on every marketing communication
  • Email addresses and numbers are screened against your opt-out list
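
The marketing-list conditions and the email/text procedure above amount to a pre-send check on each contact: is the person on the opt-out list, is there evidence of consent for this channel, has it been withdrawn, is it recent enough for a purchased list, and does it cover the product being promoted. The following is an added example of such a check in Python; it is not VinciWorks code and does not come from the guide. The consent-record fields, the reading of "six months" as 183 days, the suppression-set approach to opt-outs, and the sample contacts are all assumptions made for illustration.

```python
"""Pre-send screening of marketing contacts (added illustration, not VinciWorks code).

Assumed data model: one ConsentRecord per person and channel, carrying the
evidence of how consent was obtained, plus a suppression set holding the
normalised keys of everyone who has opted out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SIX_MONTHS = timedelta(days=183)  # assumed reading of the guide's "last six months"


@dataclass(frozen=True)
class ConsentRecord:
    contact: str                 # email address or phone number as captured
    channel: str                 # "email" or "sms"
    purposes: frozenset          # product lines the person agreed to hear about
    given_at: datetime           # when the opt-in was captured
    source: str                  # the evidence: form, page, list vendor, etc.
    withdrawn_at: Optional[datetime] = None


def normalise(contact: str) -> str:
    """Canonical key for matching, so an opt-out is not missed because a purchased
    list spells the address with different case or spacing. Phone numbers keep
    only digits and a leading '+'."""
    c = contact.strip()
    if "@" in c:
        return c.lower()
    digits = "".join(ch for ch in c if ch.isdigit())
    return ("+" if c.startswith("+") else "") + digits


def screen(contact, channel, purpose, consents, suppression, now, purchased):
    """Return (allowed, reason). Checks run in the order a practitioner wants:
    opt-out first, then consent on this channel, withdrawal, freshness, purpose."""
    key = normalise(contact)
    if key in suppression:
        return False, "on opt-out list"
    mine = [r for r in consents if normalise(r.contact) == key and r.channel == channel]
    if not mine:
        return False, f"no consent recorded for {channel}"
    latest = max(mine, key=lambda r: r.given_at)
    if latest.withdrawn_at is not None and latest.withdrawn_at <= now:
        return False, "consent withdrawn"
    if purchased and now - latest.given_at > SIX_MONTHS:
        return False, "purchased-list opt-in older than six months"
    if purpose not in latest.purposes:
        return False, f"consent does not cover {purpose!r}"
    return True, f"consent via {latest.source} on {latest.given_at.date()}"


def record_opt_out(suppression: set, contact: str) -> None:
    """Keep the opted-out key rather than deleting the person, so future lists
    (including purchased ones) are screened against it."""
    suppression.add(normalise(contact))


# Constructed sample data for the illustration.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
CONSENTS = [
    ConsentRecord("Alice@Example.com", "email", frozenset({"training"}),
                  datetime(2022, 3, 10, tzinfo=timezone.utc), "webinar signup form"),
    ConsentRecord("bob@example.com", "email", frozenset({"training"}),
                  datetime(2021, 9, 1, tzinfo=timezone.utc), "list vendor X"),
    ConsentRecord("+44 7700 900123", "sms", frozenset({"training"}),
                  datetime(2022, 5, 1, tzinfo=timezone.utc), "checkout opt-in",
                  withdrawn_at=datetime(2022, 5, 20, tzinfo=timezone.utc)),
    ConsentRecord("dee@example.com", "email", frozenset({"events"}),
                  datetime(2022, 5, 1, tzinfo=timezone.utc), "event registration"),
]
SUPPRESSION: set = set()
record_opt_out(SUPPRESSION, " Carol@Example.COM ")

PURCHASED_LIST = ["alice@example.com", "bob@example.com", "carol@example.com",
                  "dee@example.com", "erin@example.com"]


def screen_list(contacts, channel, purpose, purchased=True):
    """Screen a whole list; returns {contact: (allowed, reason)}."""
    return {c: screen(c, channel, purpose, CONSENTS, SUPPRESSION, NOW, purchased)
            for c in contacts}


if __name__ == "__main__":
    for contact, (ok, why) in screen_list(PURCHASED_LIST, "email", "training").items():
        print(f"{'SEND ' if ok else 'BLOCK'} {contact}: {why}")
```

Only Alice passes for the constructed list: Bob's vendor opt-in is older than six months, Carol is on the opt-out list, Dee consented to a different product line and Erin has no record at all. The same old opt-in for Bob is accepted when `purchased=False`, reflecting that the six-month condition in the guide applies to purchased lists.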

Automated marketing

GDPR protects people against the risk of damaging decisions being taken about them without human intervention. People have the right not to be subject to a decision based solely on automated processing where it produces a legal or similarly significant effect on them. There are exemptions where the decision is necessary for entering into or performing a contract, is authorised by law, or is based on the person’s explicit consent. Even then, safeguards are required, including the ability to obtain human intervention, for the data subject to express their point of view, and to have the decision explained to them.

The following procedures must be followed:

  • People are informed if their information will be used to make automated decisions about them
  • People have the right to object to, or opt out of, automated decision making
  • People have the option to appeal an automated decision made about them
  • People have the option to express their point of view in automated decision making
  • People can request an automated decision be explained to them

Consent

To rely on consent as the lawful basis for using personal data, the consent must be freely given and specific. The individual must not be coerced, or penalised if consent is refused. If consent is made a condition of subscribing to a service, the organisation must be able to demonstrate that it was still freely given. Consent must be specific to the way the organisation will use the data. It must be unambiguous, given by a clear affirmative action, and it cannot be bundled with other terms.

To be valid under GDPR, consent must be:

  • Freely given, without coercion or penalty for refusing
  • Specific to the purpose
  • Informed
  • Unambiguous, given by a clear affirmative action
  • Able to be withdrawn at any time, as easily as it was given

Will old consent still be valid?

Consent obtained before GDPR came into force remains valid only if it meets the GDPR standard. This can be hard to verify, and you may need to secure fresh consent or identify a different lawful basis for the processing.

Opt-in

Organisations should obtain consent for marketing purposes by offering an opt-in box that confirms the person wishes to receive marketing information via the specified channels.

Did you know: if consent was given when signing up for a specific service, then this consent will likely expire when the subscription to the service does.

Pre-ticked boxes or inaction do not count as consent, because they do not demonstrate that the person is making an informed, positive choice. Remember that consent is not always required to use data for marketing purposes: you may be able to rely on a different lawful basis, such as performance of a contract or a legitimate interest you have identified and documented.

Opt-out

If someone has opted-out of receiving marketing communications, they cannot be contacted again for marketing purposes. Opting-out must be made as simple as possible, and further barriers cannot be put in place like being asked to confirm in writing. The customer’s details should not simply be removed, rather steps should be taken to make sure the person will not be contacted in the future.

VinciWorks’ GDPR for Digital Marketing Knowledge Check

VinciWorks has also created a GDPR knowledge check for marketing professionals. It tests users’ ability to manage marketing strategies, consent, email marketing and more under GDPR. A demo of the knowledge check and the full GDPR training suite are available from VinciWorks.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.