How will GDPR impact your communications? Lydia Lavender


Post on 22-May-2020


The impact of General Data Protection Regulation on marketing activity

All Rights Reserved. © NCC Group 2016 GDPR and Marketing 2

There have been a number of discussions recently about the General Data Protection Regulation (GDPR) and the changes it will bring about in 2018, but there seem to be few that provide focus on the areas that will be most affected by the changes.

Regardless of when or how the various negotiations develop with the EU, if the UK wants to trade with the EU on equal terms, UK data protection standards will have to be equivalent to the EU’s GDPR. For the UK to do business with the EU, or any other country for that matter, it is vital that data protection standards and legislation are of the highest order.

One such area is marketing and for many businesses there will be a considerable impact on the way that marketing activity is conducted once the regulation is enforced.

Before we get into the finer details of the changes and how they will affect marketing departments, it is worth noting that the GDPR has broadened the definition of personal data.

The enhanced definition of personal data includes “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

An aside to this, and something particularly important for those working in marketing, is the fact that the new law makes no distinction between business-to-business (B2B) and business-to-consumer (B2C) marketing. So, to comply with the laws, B2B marketers must treat their business customers’ data as personal data or they risk being penalised.

Our aim is to provide you with the information you need to know and what you should be doing now to prepare for the regulation when it comes into force.

Legitimate interest

• Legitimate interest is where the processing of personal data is fair, lawful and necessary for the legitimate interests of the data controller or any third party to whom the data is disclosed, provided that those interests are not overridden by the fundamental rights or interests of the individual whose data is being processed.

• Direct marketing is recognised by the GDPR as an example of legitimate interest for the data controller.

• To apply legitimate interest it is necessary to pass a balance test where the rights of the business are weighed against the rights of the individual.

• An unsubscribe or opt-out option must be included on all marketing materials that are released under the legitimate interest grounds.

• Legitimate interest cannot be applied by public authorities and does not apply to children.

If the UK does adopt the GDPR, it is expected (and hoped) that the Information Commissioner’s Office (ICO) will release guidance and best practice notes around the use of consent and legitimate interest as well as the impact that GDPR will have on legacy marketing data.

Consent or legitimate interest?

For marketing purposes, there are two key legal grounds (out of the six documented grounds available): consent or legitimate interest.

It is worth noting here that a decision must be made before any marketing activity is initiated as to which legal ground you are relying on. The decision must be consent or legitimate interest - you cannot use one and then the other if the first fails the test.

Consent

• Consent must be explicitly given for all processing of personal data and data subjects must be fully informed of the purpose for the processing in plain, simple-to-understand terms.

• Consent can be given in written, electronic or oral format; for example, ticking a box, allowing cookies via a browser and/or providing an email address for contact. Each of these forms of consent must be accompanied by the appropriate processing statements.

• Consent must be demonstrated, so you would need to retain consent forms (on paper or electronically) and telephone scripts if consent was provided orally.

• Consent cannot be conditional, for example the provision of goods or services linked to acceptance of marketing.

• Individuals have the right to withdraw consent at any time and there must be a simple process to allow them to do this.


What do you need to do now?


Preparation and planning are key to the success of your readiness strategy for compliance. While a two-year lead-in period before the GDPR is enforced may sound like a long time, it will go quicker than you think, so thought and effort now will ultimately ease the pain further down the road. Here are the top three things marketing departments should be doing now to prepare for the changes:

1. Automation - Consider implementing an automated system that can be used to log and monitor consent and contact preferences. This should be made available to anyone who needs to make contact with individuals so that checks can be made prior to contact to ensure contact is permitted.

2. It’s not too early to seek consent - Updating procedures and processes as soon as possible to ensure they meet the GDPR requirements will give you more time to embed practices across the organisation. This will mean that come 2018 your compliant processes will be effortless and will be business as usual.

3. Train your teams - Another area where organisations will need to dedicate time and resource is training and awareness, to ensure that all employees are conscious of their responsibilities as well as the changes that the GDPR will bring.

NCC Group can provide you with assistance in a number of ways including a current state assessment, gap analysis, roadmap to compliance or a training and awareness programme to help you to continue your journey to compliance.

If you require a more in-depth conversation about how the changes will affect you, we are happy to provide guidance based on your individual needs.

ABOUT NCC GROUP


NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Visit: www.nccgroup.trust

Contact: [email protected]


www.nccgroup.trust | @nccgroupplc