General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. At its core, GDPR aims to provide a pan-European set of standards for gathering, processing and securely storing personal data. Crucially, the regulations place particular importance on giving citizens a direct say (and indeed, control) over how their personal data is handled.
The regulation was adopted on 27 April 2016 but becomes enforceable from 25 May 2018. It does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
GDPR and digital marketing
In a nutshell, it is the responsibility of businesses and organisations to properly manage the personal information they gather, monitor, process and store for marketing purposes. Businesses must be very transparent, not only about the personal data people freely provide (like names, addresses and personal preferences) but also that which is derived through behavioural tracking and profiling.
Post May 2018, marketing databases should only contain the details of individuals who have explicitly opted in to being marketed to, whether that’s by phone, direct mail or through digital channels like email or retargeted advertising. With this in mind, businesses that want to ensure they are on the right side of the law should take immediate steps to gain explicit consent from all business contacts, customers (existing and past) and prospects. The easiest way of achieving consent between now and May 2018 is to email or write to each of your database contacts/customers and request that they visit an online form where they can specify the information they are happy to share and can explicitly choose whether to opt in to receiving marketing communications in future.
Finally, it’s our view that websites, e-commerce stores and mobile apps should also update their small print – paying particular attention to privacy and cookie policies. These should detail exactly what information is gathered, processed and stored (including by whom and where), as well as what tracking, profiling and cookie technologies are used.
In the UK, compliance is policed by the Information Commissioner’s Office, and the indications suggest that organisations and companies breaching the regulations will face particularly stiff penalties. Helpfully, the ICO have published a useful guide for preparing for GDPR, which includes a 12-step guide and a general checklist.
What they think – some further (marketing related) views: