What impact will the EU General Data Protection Regulation (GDPR) have upon advertising, media, marketing and social media channels in both the EU and outside?
How important is involvement of IT/web teams, customers, legal, financial, communications and marketing?
European Commission GDPR General Data Protection Regulation (image copyright European Commission)
The European Commission GDPR
According to the European Commission:
The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.
The new data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed. (European Commission, 2018)
Scope of the GDPR
From the technology consultancy Trunomi (2018):
‘The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.
An overview of the main changes under GDPR and how they differ from the previous directive
- Increased Territorial Scope (extra-territorial applicability)
- Data Subject Rights
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers’
Australian context for the GDPR
From the Office of the Australian Information Commissioner (OAIC 2018):
The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.
Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices.
There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.
Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.
Issues of non-compliance
However, Hern (2018), writing in The Guardian about companies that process large volumes of personal data, states:
Privacy policies from companies including Facebook, Google and Amazon don’t fully meet the requirements of GDPR, according to the pan-European consumer group BEUC.
An analysis of policies from 14 of the largest internet companies shows they use unclear language, claim “potentially problematic” rights, and provide insufficient information for users to judge what they are agreeing to.
“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law,” said Monique Goyens, BEUC’s director general. “This is very concerning. It is key that enforcement authorities take a close look at this.”
Impact on Email marketing
Email marketing software company MailChimp (2017):
‘The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors … relevant to MailChimp …
… Expansion of scope; definitions of personal and sensitive data; individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability and stricter processing requirements’
However, the most significant issue is the stricter set of consent requirements:
Stricter consent requirements
Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis, such as those found in number 5 below. The surest route to compliance is to obtain explicit consent. Keep in mind that:
1. Consent must be specific to distinct purposes.
2. Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
3. Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. (MailChimp 2017).
Consent would appear to be central both to compliance and to privacy rights, yet problematic for much existing ‘marketing’ practice.
Best Practice Marketing
Meanwhile, in Australia, Hanson (2018) argues in Mumbrella that the GDPR is best practice for both business and customers:
For Australian businesses that want to better serve their customers, the GDPR signals the end of activities that marketers should have abandoned long ago. This means that it’s no longer good enough to buy a mailing list, nor is it appropriate to send cold-call emails or, heaven forbid, actually send spam.
Under the new rules, customers have to explicitly opt-in to getting your communications. In the old days, it was fine to pre-tick boxes on a web form allowing you to send a customer marketing emails. Now you can’t do that. Instead, customers have to give consent to you communicating with them, and that consent needs to be clear, in plain English, as well as informed, specific, unambiguous and revocable.
How to implement GDPR?
What does this mean for marketing in a digital environment or system? According to the Digital Marketing Institute (2018):
Step 2. Audit your current databases for opt-in consent
Step 3. Re-opt-in campaigns for current databases
Step 4. Create a process for opt-in consent
Step 5. Get the sales team on board
Step 6. Review third-parties who have access to your databases
Step 7. Have a streamlined process for information requests
Step 8. Prepare for a security breach.
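The MailChimp consent requirements quoted above (specific, explicit, per-purpose and, as Hanson notes, revocable) and Steps 2 and 3 of the checklist (audit existing databases for opt-in consent, then run re-opt-in campaigns) can be made concrete in code. The following is an added example, not code from the original post, MailChimp or the Digital Marketing Institute: a small consent ledger that only stores consent for one named purpose when the caller attests to an affirmative action, keeps withdrawals as their own events, and audits a database for contacts who lack valid consent for a given purpose. The purpose names, e-mail addresses and form names are constructed for the example.

```python
"""Per-contact, per-purpose, revocable consent ledger (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each distinct processing activity is its own purpose (constructed names).
PURPOSES = frozenset({"newsletter", "product_updates", "third_party_sharing"})


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal for exactly one purpose."""
    purpose: str
    granted: bool            # True = explicit opt-in, False = withdrawal
    source: str              # where the action happened, e.g. a form name (constructed)
    recorded_at: datetime


@dataclass
class Contact:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}

    def add_contact(self, email: str) -> Contact:
        # A contact with no events has consent for nothing: importing a bought
        # or legacy list creates contacts in exactly this state.
        return self.contacts.setdefault(email, Contact(email))

    def record_opt_in(self, email: str, purpose: str, source: str, *,
                      affirmative_action: bool,
                      when: Optional[datetime] = None) -> bool:
        """Store consent for one named purpose, and only on an explicit action.

        Returns False (nothing stored) when the caller cannot attest to an
        affirmative action, e.g. a pre-ticked box, silence or inactivity.
        """
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name a specific purpose")
        if not affirmative_action:
            return False
        contact = self.add_contact(email)
        contact.events.append(ConsentEvent(purpose, True, source,
                                           when or datetime.now(timezone.utc)))
        return True

    def withdraw(self, email: str, purpose: str, source: str,
                 when: Optional[datetime] = None) -> None:
        """Consent is revocable; the withdrawal is kept as its own dated event."""
        contact = self.add_contact(email)
        contact.events.append(ConsentEvent(purpose, False, source,
                                           when or datetime.now(timezone.utc)))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The latest event for this purpose decides; consent for other purposes is irrelevant."""
        contact = self.contacts.get(email)
        if contact is None:
            return False
        relevant = [e for e in contact.events if e.purpose == purpose]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.recorded_at).granted

    def audit(self, purpose: str) -> List[str]:
        """Contacts lacking valid consent for a purpose: the re-opt-in campaign candidates."""
        return sorted(email for email in self.contacts
                      if not self.has_consent(email, purpose))


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample database: a signup form, a purchased list and one withdrawal."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Explicit tick on a signup form: stored.
    ledger.record_opt_in("ana@example.com", "newsletter", "signup_form",
                         affirmative_action=True, when=t0)
    # Same form, but the product-updates box was pre-ticked: not stored.
    ledger.record_opt_in("ana@example.com", "product_updates", "signup_form",
                         affirmative_action=False, when=t0)
    # Contacts from a bought list arrive with no consent events at all.
    for email in ("bob@example.com", "cy@example.com"):
        ledger.add_contact(email)
    # Bob later opts in to the newsletter, then withdraws a month after that.
    ledger.record_opt_in("bob@example.com", "newsletter", "preference_centre",
                         affirmative_action=True, when=t0.replace(month=6))
    ledger.withdraw("bob@example.com", "newsletter", "unsubscribe_link",
                    when=t0.replace(month=7))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for purpose in sorted(PURPOSES):
        print(purpose, "-> re-opt-in needed for:", ledger.audit(purpose))
```

The design point is that consent is stored as dated events rather than a single boolean per contact: a withdrawal is recorded alongside the earlier opt-in, so the ledger can both answer "may we send this now?" and show the history that demonstrates compliance. Running the audit over an imported list returns every address on it, which is why a purchased list cannot be mailed until a re-opt-in campaign has collected explicit consent.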
In the short term, the direct impact is that client email lists can be neither sold nor bought; instead, clear, voluntary consent (opting in) must be obtained through organic collection of prospective and existing clients’ details. How?
By using digital marketing techniques to generate organic inbound traffic through search engine optimisation (SEO), treated not just as a strategy but as a living system that attracts prospective clients over time. This will ensure compliance and allow prospective clients to opt in voluntarily to newsletters, follow-ups and so on, with the peace of mind that their data will be kept private and not shared.
However, organic inbound SEO requires cooperation and input across departments to share interdisciplinary expertise, whether strategic management, IT, legal, finance, logistics, marketing, communications and, importantly, customers or clients.
Digital Marketing Institute, 2018, ‘Trends & Insights: The Definitive GDPR Checklist for Marketers’, 5 April, viewed 7 July 2018, < https://digitalmarketinginstitute.com/en-au/blog/05-04-2018-the-definitive-gdpr-checklist-for-marketers >
European Commission, 2018, ‘Data protection in the EU’, viewed 7 July 2018, < https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en >
Hanson, G 2018, ‘GDPR is a great thing for Aussie marketers’, Mumbrella, blog, 13 June, viewed 7 July 2018, < https://mumbrella.com.au/gdpr-is-a-great-thing-for-aussie-marketers-522988 >
Hern, A 2018, ‘Privacy policies of tech giants “still not GDPR-compliant”’, The Guardian, 5 July, viewed 7 July 2018, < https://www.theguardian.com/technology/2018/jul/05/privacy-policies-facebook-amazon-google-not-gdpr-compliant >
MailChimp, 2017, ‘Getting ready for the GDPR’, MailChimp Blog, 9 October, viewed 7 July 2018, < https://blog.mailchimp.com/getting-ready-for-the-gdpr/ >
OAIC (Office of the Australian Information Commissioner), 2018, ‘Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation’, viewed 7 July 2018, < https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation >
Trunomi, 2018, ‘EU GDPR key changes’, viewed 7 July 2018, < https://www.eugdpr.org/key-changes.html >