Tuesday, 27th March 2018

GDPR – the clock is ticking but it may not be as bad as you fear

Like many companies, we’ve been grappling with the issues in and around the General Data Protection Regulation (GDPR), which comes into force in May.

As a marcoms business, we not only hold and process data on our own account, but also manage data on behalf of a number of clients. So, it is important that we understand the details of the new regulations so that we can advise clients accordingly.

Like many of you out there, we’ve read various articles and guidance papers, attended the odd free-to attend seminar but, so far at least, have avoided investing in external training courses or subscribing to online portals with downloaded resources.

If the whole subject of GDPR is a massive turn-off, here’s the executive summary from the viewpoint of a CEO of an SME marketing communications agency:

  • It’s happening, doing nothing is not an option and the clock is ticking
  • Don’t panic – in reality it isn’t as bad as many would have you believe
  • It will require some work to understand fully how it impacts your organisation and to get a compliance action plan in place
  • Businesses who already take a responsible approach to issues such as Data Protection and security have little to fear from GDPR
  • There may be broader benefits if you don’t just regard it as an additional compliance burden
  • From a marketing perspective, we are here to help you if you lack the time or resources to handle things on your own

If I still have your attention, here’s a little more detail behind that summary.


GDPR - What is it?
GDPR is a new European-wide General Data Protection Regulation, effective 25th May 2018. It harmonises data protection laws across Europe (it will still apply in the UK post-BREXIT), replacing the 1998 Data Protection Act.

It imposes new obligations on organisations to protect consumers around data control, access and security, plus tougher enforcement for breaches. However, many principles of the GDPR are similar to those of the existing UK DPA (six principles replace the previous eight).


What is all the fuss about?
It mainly revolves around the issue of Personal Data, which, in essence, means any information that could relate to an identifiable, living individual. In practice, for many businesses or organisations this could cover anything from names, email addresses (business and private), phone numbers and bank details to photographic or video images of that ‘data subject’.

Under the incoming GDPR regulations, personal data should be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not processed beyond those
  • Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of personal data
  • Organisations (over a certain size) should appoint a Data Controller who is responsible for, and needs to be able to demonstrate, compliance with all these principles


Can we ignore it?
Not really. Breaches can trigger significant fines (the higher of 20m Euros or 4% of an organisation’s global turnover). This compares to the previous maximum fine under the UK DPA, which was £0.5m.

There are six legal grounds for processing data under GDPR. These range from the data subject giving consent, processing being necessary for the performance of a contract or to comply with a legal obligation, through to protecting the vital interests of the data subject or performing a public task in the public interest. Importantly, processing can also be lawful where it is necessary for the purposes of a legitimate interest.

At the same time, the GDPR introduces and strengthens a number of rights for individuals, including the right of access (now specifically within one month and replacing Subject Access Requests) and the right to erasure (AKA the right to be forgotten).


Isn’t this just more red tape?
The burden of compliance will vary significantly across different organisations, with size, amount and complexity of personal data stored/processed and the frequency of such processing all factors in the approach to be taken.

Time will tell, but it is our view that smaller entities that already take a responsible and systematic approach to data management, and that deploy a pragmatic, risk-based approach to the introduction of the GDPR, fundamentally have little to fear.

Reviewing the way things are done in any organisation often provides the spark for innovation and finding ways to do things more efficiently and effectively, which is seldom a bad thing.


How will it impact our marketing activities?
The biggest shake-up, at least from a marketing perspective, is around how personal data can be used for marketing purposes and how it is stored and protected, while at the same time strengthening the rights of data subjects.

The good news is that Direct Marketing (DM) is specifically referred to as a legitimate interest in the GDPR. However, for such an interest to exist there should be ‘a relevant and appropriate’ relationship between the data controller and the data subject, and it should be assessed whether the individual would ‘reasonably’ expect their data to be processed, given the time and context in which the data is collected. Also, reliance on ‘legitimate interest’ must strike a balance between the company’s interest and the rights of the individual.

Many companies, in reality, will continue to rely on the legitimate interest legal ground for their DM activities. A more ‘belt and braces’ approach is to add consent into the mix. However, if this route is chosen, there are a number of considerations to take into account.

Most importantly, so-called opt-out consent (which puts the onus on the recipient of DM to request to unsubscribe) will no longer wash. Under the GDPR, you can only send marketing communications to customers if they have opted in to receive them.

Not only this, but you will also need to prove that an individual has done so by recording the who, when and how, and also tracking whether that consent has subsequently been withdrawn. This will have significant implications for existing CRM systems.
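To make the record-keeping concrete, here is an added illustration (not code from the original article or from NC Creative Group) of the minimum a CRM needs to hold to demonstrate consent: an append-only ledger of who opted in, when, how the consent was captured, and any later withdrawal, plus a single check that answers "may we contact this person for this purpose right now?". The two-year validity period, the subject identifiers and the sample events are constructed assumptions for the example; your own retention and consent-lifetime policy decides the real values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject: str        # who: a stable identifier for the data subject
    purpose: str        # what the consent covers, e.g. "email-marketing"
    at: datetime        # when: always a timezone-aware timestamp
    how: str            # how it was captured, e.g. "web form v3, unticked checkbox"
    granted: bool       # True = opt-in recorded, False = consent withdrawn
    evidence: str = ""  # reference to the captured form, ticket or audit record


class ConsentLedger:
    """Append-only consent history. Withdrawals are appended, never used to
    delete the original opt-in, so the full history stays demonstrable."""

    def __init__(self, validity: timedelta = timedelta(days=730)):
        # Assumed consent lifetime (two years here); a policy choice, not a GDPR figure.
        self.validity = validity
        self._events: list[ConsentEvent] = []

    def record_optin(self, subject, purpose, at, how, evidence=""):
        self._require_aware(at)
        self._events.append(ConsentEvent(subject, purpose, at, how, True, evidence))

    def record_withdrawal(self, subject, purpose, at, how):
        self._require_aware(at)
        self._events.append(ConsentEvent(subject, purpose, at, how, False))

    def history(self, subject):
        """Every event for one subject, oldest first (what a subject access request would need)."""
        return sorted((e for e in self._events if e.subject == subject), key=lambda e: e.at)

    def can_contact(self, subject, purpose, now):
        """True only if the most recent event for this subject and purpose is an
        opt-in that has not expired. No record at all means no contact."""
        self._require_aware(now)
        relevant = [e for e in self.history(subject) if e.purpose == purpose and e.at <= now]
        if not relevant:
            return False
        latest = relevant[-1]
        return latest.granted and (now - latest.at) <= self.validity

    @staticmethod
    def _require_aware(ts):
        # Naive timestamps make "when" ambiguous across systems; refuse them outright.
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")


def build_sample_ledger():
    """Constructed sample data: four hypothetical subjects in different consent states."""
    utc = timezone.utc
    ledger = ConsentLedger()
    # alice: clean opt-in via a form, with a reference to the stored submission
    ledger.record_optin("alice", "email-marketing", datetime(2018, 3, 1, tzinfo=utc),
                        "web form v3, unticked checkbox", evidence="form-submission-1042")
    # carol: opted in, then withdrew via the unsubscribe link
    ledger.record_optin("carol", "email-marketing", datetime(2018, 2, 1, tzinfo=utc),
                        "event sign-up sheet, scanned")
    ledger.record_withdrawal("carol", "email-marketing", datetime(2018, 3, 10, tzinfo=utc),
                             "unsubscribe link")
    # dave: genuine opt-in, but so old it has passed the assumed validity period
    ledger.record_optin("dave", "email-marketing", datetime(2016, 1, 1, tzinfo=utc),
                        "web form v1")
    # bob: only ever on an opt-out list, so no opt-in event exists at all
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    for who in ("alice", "bob", "carol", "dave"):
        print(who, ledger.can_contact(who, "email-marketing", now))
```

The design point is that the check is driven by the latest recorded event, never by the presence of an address in a list: an absent opt-in and a recorded withdrawal both produce a refusal, and the history method gives you the evidence trail in the order it happened.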


What do we need to do to comply?
Well, first of all, don’t panic. Like most projects, breaking things down into bite-sized chunks of task-oriented actions, each with clear responsibilities and timescales, is likely to be highly beneficial.

You will need to undertake a review of your existing data processing and storage routines and procedures, understanding where the key risks lie.

It is also important to ensure that everyone in your organisation understands the scope and ongoing requirements contained in the GDPR. This will involve assigning responsibilities at Group Data Controller (where applicable or necessary), department head and individual employee level.

You will certainly also need to upgrade your Privacy Policy and, from an HR perspective, you may need to update or revise Employment Contracts and Employment Manuals wherever they refer to how personal data is stored and processed.

If you rely on data provided by third parties you will want to get GDPR compliance statements in place with all relevant suppliers, while any data processing done on behalf of clients should be covered by data processing agreements.

It is also worth checking Standard Terms & Conditions/Service Level Agreements to ensure any provisions relating to data processing and storage reflect the requirements now stipulated by the new regulations.


What approach should we take on our direct marketing activities?
Clearly one of the major decisions will hinge on whether gaining consent is deemed to be the appropriate basis on which DM activities will be conducted post 25th May.

If this is the case, our current advice to clients is to:

  • Review current data and consent provisions – if you can’t prove consent you won’t be able to use this data post GDPR
  • Revise Privacy Policy and Data Capture Forms in line with GDPR
  • Examine record management/CRM systems to ensure data capture/proof of consent
  • Establish a preference centre or privacy dashboard (which is likely to be best practice in this area)
  • Start building a new database of individuals with proven consent (using existing database as a starting point)
  • Define appropriate length of consent and build that in to your planning
  • Consider alternatives to email marketing campaigns


Where can I get help or assistance?
Every business or organisation is unique, so a good starting point is the Information Commissioner’s Office (ICO), www.ico.org.uk, which is the relevant independent authority in the UK.

B2B Marketing (www.b2bmarketing.net) has also put together an excellent guide for practitioners in this area.

NC Creative Group can also offer advice and guidance to current and prospective clients alike – email me at richard@nccreativegroup.com or call (+44) (0)121 711 6510 to find out how we can help.

Richard Smith

CEO, NC Creative Group

Article written 1st March 2018
