GDPR and the Marketing Manager

Written on 15 May 2019.

This Month: The Marketing Manager…

Welcome to the fifth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Marketing Managers out there.

We hope it makes your GDPR life that little bit easier.

Dear Marketing Manager…

Happy 1^st birthday!

No, not you – the General Data Protection Regulation. That’s right, it was around this time last year the new guidelines took effect.

How could we ever forget being bombarded with all those unnecessary marketing consent emails? Thankfully, they tailed off. Eventually.

And while it did little real harm (other than being tiresome and seeing some people unsubscribe), the underlying message remains hugely important: are your reasons for contacting people and marketing to them legitimate?

Because get it right and people will look forward to hearing from you. Get it wrong, though, and you may have the ICO to contend with.

Here’s some basic guidance and gentle reminders on how best to manage your GDPR marketing role with clients…

GDPR Tips for the Marketing Manager

The GDPR is there for good reason. And, whilst protecting people’s data remains paramount, respecting their rights and privacy – and avoiding unsolicited marketing contact – is now the next big thing.

No one wants to be the Digital Marketing Agency that was recently fined €220k because it had indirectly acquired people’s data and not informed them of it. Not good!

So, regardless of whether your marketing is handled internally or you’ve chosen to outsource it, the buck stops with you. And that’s why, in GDPR terms, not only do you need to be completely transparent about what you’re doing, you also need to be able to accurately justify why you’re doing it.

Here are some things to consider:

1. Every individual has the Right to be Informed

Under the GDPR, every person on your database has the right to be informed about how their data is being processed and why. Usually, this should happen when you first ask them to give their consent – and so that they know what it is they’re actually agreeing to.

It’s worth remembering too that they also have the right to remain informed after they’ve consented; even to the point of knowing how their data is specifically used at every step of your processing.

What systems do you have in place to monitor and record consent?

2. Your reasons for processing people’s data must be valid

Even though you may have obtained a person’s consent, it’s rendered completely redundant unless you can demonstrate a lawful basis for processing their data and a clear purpose as to why. Doing so shows compliance with the GDPR and reinforces transparency; it also helps to promote trust and build credibility.

As well as clearly documenting this, you should also ensure that you’re only using someone’s information for the specific reason for which they signed up, such as a newsletter. (This was why all those emails last year were so unnecessary – because they were needlessly asking people to reconsent to something they’d already agreed to.)

How confidently can you justify your lawful basis for processing?

3. Bought-in lists need to be legit!

Selling people’s data is big business – just look at Facebook! Unfortunately, though, it isn’t always acquired in the right way. So, if you’re buying or have bought a list from a third-party data broker, beware of potential caveats…

As a data controller, for any personal data you’ve obtained indirectly (either from bought-in marketing lists or information that’s been scraped from the internet), you have an obligation to let those individuals know you have it along with how you’re going to use it.

Just as importantly, if you’ve purchased a marketing/data list you also need to ensure that the seller obtained that data fairly and legitimately (i.e. that they made clear to customers their details would be passed on for marketing purposes and that they obtained their consent to do so. Moreover, they should have done this in an unambiguous, transparent and informed way, involving a clear opt-in affirmative option for the customer (such as ticking a consent box)).

In short, never buy a list unless you’re certain you can use it legitimately!

How sure are you that your bought-in list data was obtained fairly and legitimately?

4. Bought-in lists still require extra follow up...

Once you’re satisfied that your seller acquired the data legitimately, there’s still more for you to do. As per your GDPR obligations, you need to contact all those individuals within 30 days of receiving their personal data, justifying your reason(s) and basis for using it. (This is despite them already giving their consent for it to be shared.)

It’s also good practice to share your privacy notice with them and include in any marketing messages the name and contact details of the organisation (e.g. data broker, third party, lead generation business) that provided that person’s details.

Again, as before, the list can only be used for the purpose for which it was intended. This means that bought-in lists for emails can only be used for email communication and not, say, for telemarketing purposes. And if it has been bought in to conduct telemarketing, then remember to adhere to the Privacy and Electronic Communications Regulations (PECR) and screen all lists against the Telephone Preference Service (TPS). A fine of up to £500,000 could be waiting for you if you don’t.

Do you know what information you need to provide new prospects with?

5. Regular due diligence and data mapping are essential

Where data’s concerned, you can never go far wrong if you’re on top of all the details and know exactly what’s what. That’s why investing time in some proper due diligence and data mapping is so worthwhile.

And whether you’re sticking with your current data list set-up or thinking of introducing an all-singing, all-dancing direct marketing platform, just be sure to stress-test it so that there are no surprises waiting for you later on.

How well do you know the gaps in your systems?

In-the-Know… Summary

The Need-To-Knows

• Get right the Right to be Informed!
• Your processing must have a lawful basis.
• You must inform people within 30 days if you acquire their data indirectly.

The Good-To-Knows

• Only use data for the purpose for which consent was given.
• Consider whether PECR applies to what you’re doing.
• Practise regular due diligence – it’ll keep you safe!

The No-Nos!

And whatever you do, please…

• Don’t dismiss GDPR or not find time to take it seriously.
• Never buy or use a list that’s not legit!
• Don’t put off asking for help if you need it.

Related Resources

If you enjoyed this article, you may be interested to:

• Watch our webinar "GDPR says no... but does it" where we address common questions such as 'I cannot email prospective clients / donors because of GDPR' and 'GDPR requires us to gain consent to re-contact previous clients.'.
• Read our blog "DER…DUM… DER…DUM… DER…DUM… Just when you thought it was safe to E-market to all and sundry…" we discuss PECR and how it applies to your business.

To be kept informed of future webinars and related blogs, why not subscribe to our newsletter.

Help and support is only a quick email away

If you’re satisfied that your marketing campaign protocols and databases stand up to scrutiny, congratulations!

However, if you’re not quite there yet, want to know more about the Right to be Informed or still a little unsure whether your contact reasons are valid, get in touch. It’s why we’re here and we’ll be only too happy to help!

And yes, you have our permission to do so ?

Next month in GDPR and The Professional: The Estate Agent…