Marketing
Under
The GDPR

Since its introduction, the General Data Protection Regulation (GDPR) has been poised to radically change the way that organisations handle their digital business operations. The GDPR expands the rights of individuals and their data, and places greater obligations on organisations that process personal data.

In order to comply, there are a number of revisions and adjustments that your organisation must make to your digital business practices, including your marketing and advertising efforts. If your organisation does not follow the revised regulations, you could receive significant fines and face prosecutions by the Information Commissioner’s Office (ICO). One of the most effective methods to market under the GDPR is to highlight the content that your organisation can provide as a way to gain individuals’ consent.

To ensure that your organisation effectively markets under the GDPR, it is essential that you understand consent along with how the new regulations impact your digital marketing and advertising efforts.

1. Overview of PECR, the GDPR’s Marketing Guidelines

The GDPR’s main focus is the protection of personal data and included under that umbrella is the Privacy and Electronic Communications Regulations (PECR), which specifically deals with electronic communications.

While PECR has existed since 2003, it is currently undergoing a major overhaul to adequately supplement the GDPR and update electronic marketing rules. The proposed revisions to PECR include simplifying cookies, banning unsolicited electronic communications if users haven’t given their consent and incorporating the GDPR’s two-tiered fine structure.

PECR’s biggest proposed change is making all forms of electronic marketing reliant on opt-in consent. Similar to the GDPR, this means that pre-ticked boxes will no longer be acceptable, even with business-to-business communications. Under the GDPR, your organisation must identify and provide a lawful basis to process personal data, which is any information that can be used to identify an individual.

2. Potential Consequences of Non-compliance

Under the GDPR, the ICO has the authority to mete out more substantial fines to organisations that don’t comply with the new regulations. If you are found to be non-compliant, you could receive one of the GDPR’s two-tiered fines:


A fine of up to €10 million (roughly £8 million) or 2 per cent of your annual turnover—whichever is higher—can be given for the following causes:


• Not properly filing and organising personal data records


• Not notifying the supervising authority (such as the ICO) and affected individuals about a breach


• Not conducting the necessary preliminary impact assessments

A fine of up to €20 million (roughly £16 million) or 4 per cent of your annual turnover—whichever is higher—can be given for the following causes:

Violating the basic principles related to data security

Violating consumer consent Even though your organisation could receive either fine, you would most likely receive the more substantial fine for any violations in your digital marketing and advertisement practices.

Even though your organisation could receive either fine, you would most likely receive the more substantial fine for any violations in your digital marketing and advertisement practices.

3. Obtaining Consent is Key

One of the most significant changes introduced by the GDPR is strengthening the standards of obtaining consent to process personal data. Failure to obtain proper consent puts your organisation at risk for significant fines.

In order for your organisation to remain compliant with the GDPR in your electronic marketing and advertising efforts, your process for obtaining consent must meet the following standards:


• Unbundled—Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.


• Active opt-in—Your organisation cannot use preticked opt-in boxes.


• Granular—Provide options to individuals to consent to different types of processing.


• Named—Provide the name of your organisation and any third parties that will be relying on the individuals’ consent.


• Documented—Keep records that demonstrate what the individuals have consented to, what they were told, and when and how they consented.


• Easy to withdraw—Inform the individuals that they have the right to withdraw their consent at any time and explain how they can do that.


• No imbalance in the relationship—Consent will not be considered freely given if there is an imbalance in the relationship between the individuals and your organisation.

4. Advice for Marketing Under the GDPR

There are three main areas that your organisation may want to consider when marketing under the GDPR:


• Data permission—This refers to how your organisation manages your email opt-ins.


• Data access—This refers to the individual’s right to access their personal data and remove consent for its use.


• Data focus—This refers to your organisation having to legally justify the lawful basis for the processing of all the personal data you collect.

Fortunately, marketing under the GDPR can be an easy endeavour by following these best practices:


• Review how your organisation collects, processes, stores and removes personal data.


• Identify which of the six lawful bases applies to your personal data processing, and document your rationale for collecting personal data.


• Ensure that your process for obtaining consent meets the necessary standards. In addition, you may want to implement a double opt-in practice, which asks individuals to take an additional step to confirm their email address and provide consent.


• Audit your mailing list to ensure that the collected customer data meets GDPR requirements. If you identify any individuals that don’t have a record of their opt-in, you must delete them from your database.


• Educate your sales team about social media selling techniques, such as connecting with prospects on social media and sharing relevant content with them. The reason for this is that social media sites have privacy notices built into them.


• Create a content marketing strategy to provide individuals with relevant, useful content that incentivises them to give their consent. It could be a brief about important legislation, a hazard that impacts their sector, or health and safety guidance. Just remember not to make providing the content contingent on the individual giving their consent—this could mean consent was not freely given and thus make it invalid.

5. Remember: Content Incentivises Consent

The GDPR has considerably adjusted the guidelines for how organisations can manage their digital marketing and advertising efforts. Obtaining consent is now central to establishing the necessary lines of communication with individuals, yet making that connection is not always easy. However, by highlighting the quality and benefits of the content your organisation can provide, individuals may be more likely to give consent.

The content of this Risk Insights is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.