Applying the principles of the General Data Protection Regulation to modern digital and direct marketing has proved to be one of the most technically challenging areas, since it also triggers the whole array of national laws and directives that govern individuals’ rights, such as the ePrivacy rules.
Direct marketing is customer-facing, which makes mishaps and mistakes immediately visible, while daily communication with data subjects all over the world makes it extremely sensitive and prone to data protection violations.
In the meantime, the range of channels for communicating with individuals has grown wider and finer, moving from the postal address to the e-mail address and on to third-party platforms, apps, and push notifications.
Organizations are interacting with an increasing customer base, via multiple channels collecting various data, from location, to preferences, on computers, tablets, and smartphones.
All this adds to the complexity of the implementation of appropriate measures and security mechanisms necessary to stay compliant.
Directly managing an individual’s personal data always triggers the application of data protection principles, measures, and requirements, which means adjustments in the way marketing is done.
There is also an invisible force, the marketing mindset, that struggles with data protection rules and requirements, seeing them as opposed to what marketing’s mission is.
Marketing tries to find out as much as it can about consumers, place its messages, and sell its products and services, and often sees the GDPR as a set of restrictions on that process.
However, marketing should be based on transparency, trust, and mutual agreement between the individual and the company about what is communicated and when, how their data is used, and what added value is exchanged in return.
This puts more pressure on the collaboration between the Data Protection Officer and the Marketing department, requiring a CMO to gain an understanding of data protection principles, and a DPO to become a little bit of a marketing expert.
If they understand each other, they can create a compliance program that is flexible enough to allow marketing to continue achieving its goals while maintaining compliance, protecting the company from reputational damages, GDPR violations and extreme fines.
Another challenge is enforcing data protection measures in IT systems: making marketing platforms compliant and implementing one complete solution rather than several partial ones that record opt-ins and opt-outs but cannot propagate a withdrawn consent or an objection across the different marketing layers, which leaves the communication non-compliant.
However, those obstacles are not insurmountable. Overcoming them will have to be a joint effort of organizations’ stakeholders, and how you approach them will affect the success of your marketing.
If you want to learn more about creating urgency and support for your privacy program download our guide for a successful DPO.
Compliance with applicable Regulation and Directive
When engaging in any direct marketing communication, you are obligated to comply with both the GDPR and the ePrivacy Directive, the latter as transposed into the national law of each Member State whose residents you contact.
Over time, we have grown accustomed to the GDPR requirements. We have some general knowledge about how marketing should be conducted and what is expected, and are familiar with certain definitions, data subjects’ rights, and terminology.
However, compliant marketing in practice raises more than a few questions, especially from a technical and organizational point of view.
GDPR requirements for Direct Marketing
When conducting direct marketing communication, the GDPR dictates certain baseline requirements that call for full compliance with:
• Lawfulness, fairness and transparency principle
• Purpose limitation principle
• Data minimization principle
• Accuracy principle
• Storage limitation principle
• Integrity and confidentiality principle
• Data subjects’ rights fulfillment
These GDPR requirements are somewhat intertwined with the marketing activities, and although the execution and fulfillment of those are not entirely the obligation of the marketing department, it is important that each employee coming into contact with data processing activities, is aware of the implications and obligations for the company.
Let us go over principles in a high-level overview.
1. Lawfulness, fairness, and transparency
➡️ Lawful basis for processing
Before you start with any direct marketing activity, you need to ensure there is a proper lawful basis for processing personal data. This is step one of your journey.
When it comes to direct marketing, the two lawful bases you should concern yourself with are CONSENT and LEGITIMATE INTEREST. The other lawful bases (contract, legal obligation, protection of vital interests, and public task) are unlikely to appear in the marketing line of responsibilities.
1. Consent: the individual (data subject) has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed and unambiguous; it has to be granular (one opt-in per purpose), kept separate from other statements, and as easy to withdraw as it was to give. You also have to keep records of consent detailed enough to demonstrate it when needed (who consented, when they consented, what they were told at the time, and how they consented), which will require some form of consent and preference management.
2. Legitimate interests: the processing is necessary for the purposes of the legitimate interests of the data controller or of a third party. The exception is where those interests are overridden by the data subject’s fundamental rights and freedoms that require the protection of personal data, in particular where the individual is a child.
When can you use legitimate interest?
In its Recitals (Recital 47), the GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Where personal data are processed for direct marketing purposes, the data subject has the right to object to such processing at any time and free of charge (Article 21), including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing. Once they object, the data may no longer be processed for that purpose.
The most appropriate way to approach data processing under the legitimate interest when planning a direct marketing campaign is to conduct LIA– legitimate interest assessment by your DPO or outsourced privacy experts. This way, you will leave a documented audit trail and protect yourself from unnecessary risks.
Note that there is no specific mention of LIA or requirements for you to conduct one mentioned in the GDPR.
Conducting LIA is not a marketing responsibility. However, the initiative can come from a CMO.
However, for electronic marketing channels (e-mail, SMS and similar), the ePrivacy rules require prior consent regardless of the outcome of your LIA. The one exception is the existing-customer (“soft opt-in”) rule: you may market your own similar products or services to a customer whose contact details you obtained in the course of a sale, provided you gave them a clear and free opportunity to opt out at the time of collection and in every message you send.
One of the most important parts of being compliant and maintaining good communication and relationships with your customers (and potential customers) is providing them with all information regarding processing of their personal data, including how it will be used.
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible, and easy to understand. Use clear and plain language and visualization where appropriate.
Articles 13 and 14 of the GDPR dictate that the data controller needs to take appropriate measures to provide this information, both when collecting personal data directly from data subjects (Article 13) and where the data have not been obtained from the data subject (Article 14).
For a CMO, it is essential to understand the importance and legal requirements of transparency, as well as how to present them to the data subjects, choosing the right wording, proper form and making it accessible to their website visitors, newsletter subscribers, and other contacts.
Fairness of the processing is based on the fact that the data subject is aware of how personal data is processed, how data is kept, used and collected, so they can base their opt-in on a fully informed decision.
2. Purpose limitation
Purpose limitation means you can collect and process personal information only to accomplish a specific, explicit, and legitimate purpose.
When further processing takes place on the same data, you will have to make sure that the new purpose is compatible with the original one. If it is not, you will have to inform the data subject of the new purpose and obtain valid consent for it (or identify another lawful basis) before proceeding.
3. Adequate, limited and relevant processing (data minimization)
Complying with the data minimization principle means you will have to identify the minimum amount of personal data you will need to fulfill the purpose of data collection and collect necessary, relevant and adequate information.
The accountability principle means that you need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal data you need.
The GDPR says individuals have the right to complete any incomplete data, which is inadequate for your purpose, under the right to rectification. They also have the right to get you to delete any data that is not necessary for your purpose, under the right to be forgotten.
If you are wondering how to determine whether the information you hold about an individual is in line with these principles, here is an example of how to decide which data to collect when visitors subscribe to a newsletter. The first thing you do is ask:
- What information do you need in order to provide the service and send the newsletter?
The answer is: only an e-mail address.
- Do you need any other information, and for what purpose?
You can ask for a name in order to personalize the experience for the customer. However, since this is not a necessity, you should make this field optional.
So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
4. Accuracy principle
You should take reasonable measures to ensure that the data you are processing is accurate and kept up to date.
If you are wondering what counts as a reasonable measure in this particular case: it means having data verification procedures that prevent inaccuracies from entering the data during collection and afterward.
A good example is verifying the source of the information (for instance, a double opt-in confirmation e-mail before an address is added to a list) and keeping records of data corrections.
Remember that fulfilling a data subject access request made by an unauthorized person (someone impersonating the data subject) is itself a personal data breach. It is highly recommended that, for the purpose of verifying identity, you do not collect data that is clearly more sensitive or potentially more harmful than the data that is subject to the request.
5. Storage limitation
The storage limitation principle means personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed.
So if you are conducting a direct marketing campaign, define what is the necessary amount of time you want to keep the data, and define the following:
➡️ Marketing purpose duration – if this is a one-time or limited-time activity define when it ends and make sure to stop any further processing of collected data once the purpose has expired. This could be a seasonal campaign or a prize game.
➡️ Opt-in validity – if you rely on consent as a lawful basis for certain processing, define how long the processing will continue before you ask the individual to re-consent. It is recommended but not necessary. However, if you intend to keep the data until consent revocation, potentially forever, make sure it adheres to all data protection principles.
➡️ Data retention – define how long you need to keep the data after the purpose has expired or consent was revoked. It is not recommended to delete the data immediately as you could get a complaint about previous marketing communication and lose the possibility to demonstrate prior compliance. For consents, recommended data retention periods are usually anything from 3 months up to 1 year. After the expiry of a data retention period, it is your obligation to remove the data.
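Both the consent-records requirement above (who consented, when, what they were told, how) and the three timers in this storage limitation section (purpose duration, opt-in validity, retention after withdrawal) boil down to one ledger data structure. The following is an added illustration written for this page, not code from the original article or from any product it mentions; the class name `ConsentLedger`, the purpose labels such as `"newsletter"` and the chosen periods are assumptions for the example.

```python
"""Minimal consent and preference ledger (illustrative, hypothetical names).

One record per (subject, purpose), so consent is granular: a "newsletter"
opt-in never authorizes "partner_offers". Each record carries the evidence
the page says you must be able to demonstrate: who, when, what notice
version they saw, and through which channel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str                  # who consented
    purpose: str                     # one specific purpose, never a bundle
    notice_version: str              # what they were told (privacy notice version)
    channel: str                     # how consent was captured (web form, app, ...)
    given_at: datetime               # when (timezone-aware)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, opt_in_validity: timedelta, retention_after_end: timedelta):
        # opt_in_validity: how long a consent is honoured before re-consent is needed
        # retention_after_end: how long a withdrawn/expired record is kept as proof
        self.opt_in_validity = opt_in_validity
        self.retention_after_end = retention_after_end
        self._records: list[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, notice_version: str,
               channel: str, given_at: datetime) -> ConsentRecord:
        if given_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        rec = ConsentRecord(subject_id, purpose, notice_version, channel, given_at)
        self._records.append(rec)
        return rec

    def _active(self, subject_id: str, purpose: str, now: datetime) -> Optional[ConsentRecord]:
        """Latest open consent for this purpose that is still within validity."""
        open_recs = [r for r in self._records
                     if r.subject_id == subject_id and r.purpose == purpose
                     and r.withdrawn_at is None and r.given_at <= now]
        if not open_recs:
            return None
        latest = max(open_recs, key=lambda r: r.given_at)
        return latest if now - latest.given_at <= self.opt_in_validity else None

    def may_send(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """The check a campaign tool should run before every send."""
        return self._active(subject_id, purpose, now) is not None

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Close every open consent for the purpose; returns how many were closed."""
        closed = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at
                closed += 1
        return closed

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """Everything you could show a supervisory authority for this subject/purpose."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]

    def purge_expired(self, now: datetime) -> int:
        """Delete records whose proof-retention period has run out.

        A record "ends" either when it is withdrawn or when its opt-in validity
        lapses; after retention_after_end from that point it must be removed.
        """
        kept, removed = [], 0
        for r in self._records:
            ended_at = r.withdrawn_at or (r.given_at + self.opt_in_validity)
            if now - ended_at > self.retention_after_end:
                removed += 1
            else:
                kept.append(r)
        self._records = kept
        return removed


if __name__ == "__main__":
    # Constructed sample: one subscriber, consent valid 1 year, proof kept 90 days.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger(timedelta(days=365), timedelta(days=90))
    ledger.record("u1", "newsletter", "privacy-notice-v3", "web_form", t0)
    print(ledger.may_send("u1", "newsletter", t0 + timedelta(days=10)))      # True
    print(ledger.may_send("u1", "partner_offers", t0 + timedelta(days=10)))  # False
    ledger.withdraw("u1", "newsletter", t0 + timedelta(days=30))
    print(ledger.purge_expired(t0 + timedelta(days=121)))                   # 1
```

The point of keeping withdrawn records for a retention window rather than deleting them on the spot is the one made above: a complaint about a message sent before the withdrawal can only be answered if the consent evidence still exists. The purge step then enforces the other half of the principle by removing the record once that window closes.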
6. Technical and organizational measures (Integrity and confidentiality principle)
Personal data needs to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Take into account the nature of your activities, context, the purpose of data processing, data subjects’ right fulfillment, and possible risks.
Based on that assessment, institute data protection policies and technical safeguards that help you meet your GDPR requirements, keep personal data secure, and make cooperation with your data protection authority straightforward.
In particular, take into consideration your data collection points, your tools and third-party software, and your ability to honour opt-ins, opt-outs and data subjects’ rights across all of them; assess the resulting risk and apply technical safeguards to the data you acquire.
7. Data subjects’ right fulfillment
Each of the data subject rights, granted by the GDPR is equally important and highly complex. It is a prerogative of an individual to demand those rights to be fulfilled and an organization’s duty to comply.
Fulfillment of those rights is an intricate and complex matter that will affect organizations’ data processing activities (including processing activities for marketing purposes).
Even though data subjects’ rights fulfillment is usually not a marketing responsibility, the two will overlap in some areas. For example, a data subject’s request can be made verbally or in writing, through any channel, including social media, and to any person inside your organization.
The request does not have to mention the GDPR or name a specific right, as long as it is clear what the data subject is asking for. This can be challenging, since a request addressed to any employee of your organization counts as received, so there is a high probability that marketing will have to recognize a request and take the next steps.
Make sure that every employee from the marketing department is familiar with data subjects’ rights and knows how to respond and react when such a request crosses their path.