The new European General Data Protection Regulation (GDPR)

GDPR EU
Adam Kemlo
Lead Consultant - EMEA & APAC

31/3/2017

Inspired by Slaughter and May’s fantastic legal summary of the new GDPR regulation, I wanted to break it down a bit to make it easier to digest.

First let’s tackle some jargon which will crop up:

* GDPR – General Data Protection Regulation
* DPA – Data Protection Act (the current UK law the GDPR will supersede)
* A29WP – The Article 29 Working Party (the EU advisory body on data protection)
* ICO – Information Commissioner’s Office (the UK supervisory authority)
* Individual – the person whose data you hold, i.e. your existing or prospective clients (the GDPR calls them “data subjects”)
* Data Controller – the company that decides why and how the data is processed; in marketing terms, the company using the data to market.


Are you following best practice?

For most of us the new GDPR is simply best practice, now actually enforced. However, there are some changes to take note of, especially the clarification of what is understood as “consent”, and changes to when processing can rest on the “legitimate interests” of the controller rather than on the consent of the individual (potential or existing client).

So what is best practice? There are a few things we advise clients to do in order to comply with the current DPA, especially those targeting Canada or Germany, where enforcement of double opt-in is much tougher than in other countries.

* Checkbox opt-in with a statement of intent of data.
* Data processing logs, date and time stamping records with consent.
* Preference Centre [see blog] to allow the client to control their communications.
* Ability to pause communications to reduce unsubscribe rates.
* Capture reason on unsubscribes.

Quite simple stuff really, but it is not always in place.


What’s different about the GDPR versus DPA?

There isn’t a massive difference, but there are some significant clarifications which could be heavily enforced. In summary, an individual’s consent must be:

* Given for one or more specific purposes.
* Demonstrable: the controller must be able to show that consent was given, which means keeping records.
* “Freely given”, even where the individual is an existing client.
* Obtained on every channel the data is captured through, social media included.
* Specific, not blanket.
* Where it forms part of a written declaration that also covers other matters (a contract, say), clearly distinguishable from them.
* “Unambiguous” and leaving “no doubt”, as per the A29WP’s previous guidance.

Implementation of the new data protection regulation

Companies who decide to act early to implement this new regulation (which is advised) should ensure that the consent wording is not only crystal clear but easy to digest and understand. Re-permissioning communications to existing clients should therefore be planned with care rather than haste.

Examples of consent capture that can be made unambiguous and explicit:

* Customer contracts where the customer signs a declaration agreeing to communications. The marketing consent must be clearly separated from the rest of the contract so it can be identified, and should not be made a condition of the contract itself.
* Online retailer tick-box opt-in for special offers during the checkout process. The box must be unticked by default; a pre-ticked box is not an affirmative action.
* Event registrations; again, be explicit about the use of the data.

The Right to Withdraw Consent

We’ve all had those emails that come through day after day, which we keep deleting until one day we unsubscribe. In the world of “best practice” you might want to build an engagement programme to re-engage, and understand, those contacts who never do anything, pointing them at a Preference Centre rather than straight at the unsubscribe link.

Under the new GDPR, individuals must have an easy way to withdraw any specific consent given, one by one or all at once, and withdrawing must be as easy as giving consent was. Again this must be documented: the controller has to be able to demonstrate both that consent was given and that a withdrawal was honoured, and consent you cannot prove is consent you cannot rely on.
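The consent records described in the best-practice list and in this section (date- and time-stamped, tied to a specific purpose and to the wording shown, with withdrawal one purpose at a time or all at once, and a trail you can produce as evidence) are sketched below as an added Python example. It is not code from the original post or from any product it mentions; the field names, the `ConsentLedger` API and the “cust-42” sample data are constructed for illustration.

```python
"""Append-only consent ledger (illustrative example, not production code).

Current consent state is always derived from the log, never edited in place,
so the ledger doubles as the evidence trail: what was shown, when, where,
and whether it was later withdrawn. Field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose ("newsletter"), never a blanket "marketing"
    granted: bool         # True: consent given; False: consent withdrawn
    timestamp: datetime   # UTC time of the individual's action
    source: str           # capture point, e.g. "checkout_tickbox", "preference_centre"
    statement: str        # exact wording the individual saw (or the withdrawal note)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def record_consent(self, subject_id: str, purpose: str, source: str,
                       statement: str, when: Optional[datetime] = None) -> ConsentEvent:
        # Consent that is not tied to the statement shown cannot be demonstrated later.
        if not statement.strip():
            raise ValueError("consent must be recorded with the statement the individual saw")
        # Blanket purposes are exactly what the GDPR's "specific" requirement rules out.
        if purpose.strip().lower() in {"", "marketing", "all"}:
            raise ValueError("consent must be for a specific purpose, not a blanket one")
        ev = ConsentEvent(subject_id, purpose, True, when or self._now(), source, statement)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: Optional[str] = None,
                 source: str = "preference_centre",
                 when: Optional[datetime] = None) -> List[ConsentEvent]:
        """Withdraw one purpose, or every currently active purpose when purpose is None.
        Each purpose gets its own withdrawal event so the trail stays per-purpose."""
        targets = [purpose] if purpose is not None else self.active_purposes(subject_id)
        stamp = when or self._now()
        written: List[ConsentEvent] = []
        for p in targets:
            if not self.has_consent(subject_id, p):
                continue  # nothing active to withdraw; do not fabricate a record
            ev = ConsentEvent(subject_id, p, False, stamp, source, "withdrawn by the individual")
            self._events.append(ev)
            written.append(ev)
        return written

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):  # log is chronological by construction
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The question a send job must ask before every message."""
        ev = self._latest(subject_id, purpose)
        return ev is not None and ev.granted

    def active_purposes(self, subject_id: str) -> List[str]:
        purposes = {ev.purpose for ev in self._events if ev.subject_id == subject_id}
        return sorted(p for p in purposes if self.has_consent(subject_id, p))

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Chronological trail for one purpose: the proof you hand to a regulator."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def demo() -> Tuple[bool, bool, List[str]]:
    """Constructed walkthrough: two purposes ticked at checkout, one later withdrawn."""
    ledger = ConsentLedger()
    t0 = datetime(2017, 3, 31, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("cust-42", "newsletter", "checkout_tickbox",
                          "Yes, email me the monthly newsletter.", when=t0)
    ledger.record_consent("cust-42", "special_offers", "checkout_tickbox",
                          "Yes, email me special offers.", when=t0)
    ledger.withdraw("cust-42", "special_offers", when=t0.replace(hour=10))
    return (ledger.has_consent("cust-42", "newsletter"),
            ledger.has_consent("cust-42", "special_offers"),
            ledger.active_purposes("cust-42"))


if __name__ == "__main__":
    print(demo())  # (True, False, ['newsletter'])
```

The send path should call `has_consent` per message and per purpose rather than reading a cached flag on the contact record; the flag can drift, the log cannot. A real deployment would persist the events (and hash-chain or sign them if tamper evidence matters), but the shape of the record is the point here.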


The Legitimate Interest Condition

This is where things get interesting for the new regulation. The condition isn’t fully descriptive, but its intention is clear: processing without consent may rest on the legitimate interests of the controller (or a third party) only where those interests are not overridden by the interests and rights of the individual, and direct marketing is named as a possible legitimate interest. Again, compliance and documentation are key, to prove that this balance was actually considered.

For example: in market research, where data is transferred from the “data controller” to a third party or data-mining specialist, the controller could argue that it has a legitimate interest, but it must perform, and record, a balanced assessment of that interest against what the individual would reasonably expect. In the case of direct mail, giving clients a clear opt-out, and documenting it, is again a priority.


The simple truth…

Compliance is the name of the game with the new General Data Protection Regulation (GDPR), and this is where many organisations may find a challenge, especially where marketing technology (MarTech) is not integrated sufficiently and the documentation it can produce is therefore limited. The European Data Protection Board is expected to issue further advice on what should be recorded; in the meantime the GDPR does indicate that compliance may be demonstrated by adopting internal policies and measures which deliver “data protection by design”.

Companies who have applied a “blanket” approach to marketing consent to ensure processing is covered will now find themselves with the heavy task of implementing these changes and, importantly, assessing the grounds they currently rely upon. Not to mention updating privacy and information notices.