How should a digital marketing agency be preparing for GDPR?

The arrival of GDPR inches steadily closer. We are all still being bombarded with emails about whether or not we are prepared. Ironically the continued existence of such emails has potential GDPR implications in itself!

So are you prepared? The problem is that some areas are still a little unclear. It does seem as though the goal posts keep shifting. Is it just you that feels a bit confused or is everyone in the same boat?

To help us start answering this question we turned to some recent research by the company Econsultancy. They conducted a survey in January 2018 amongst over 1,000 marketers in the UK. The results indicate that 59% of client-side (i.e. business-based) marketers still feel unclear about what does and does not constitute compliance with the GDPR.

Let’s take a look at the three main areas of confusion:

1. Consent

This is the number one area that people struggle with. On the one hand, the principles of GDPR emphasise the need for individuals to give explicit consent to their data being used. We are told by the ICO that:

  • consent requires a positive opt-in;
  • we are not to use pre-ticked boxes or any other method of default consent;
  • consent must be specific and ‘granular’ so that you get separate consent for separate things.

Ultimately, vague or blanket consent is not enough. So does this mean that we now need to go back to all our clients and prospects and get fresh consent from them to use their data? Many companies do seem to be doing this. In the Econsultancy survey, 86% of client-side marketers and 77% of agent-side respondents (such as a digital marketing agency) indicated that they are prioritising a review of consent mechanisms for collecting and processing data.

However, ICO guidelines also state that, whilst the GDPR sets a high standard for consent, “you often won’t need consent.”

They follow on by saying that if consent is difficult, we need to look for a different lawful basis on which to use the data.

There are six legal grounds for processing personal data under the GDPR. Consent is just one of those legal grounds. The other five are:

  • legitimate interests;
  • public interest;
  • contractual necessity;
  • legal obligations;
  • vital interests.

According to RedEye Compliance Director Tim Roe:

“The regulation was constructed in such a way that allows marketers to use legitimate interests for the majority of their data processing. All of the exciting stuff that we do, all the segmentation, the targeting and the profiling…all of that, in most cases, can be used under legitimate interests. That’s the major thing for marketers to realise”.

So before you pour too much time and energy into reviewing consent mechanisms for collecting and processing data, take time also to review how much of this could be covered under the legitimate interests umbrella.

2. Do we need a Data Protection Officer?

In many cases, the answer is no. It is a good idea for all companies to have someone who is recognised as the Data Protection lead. But this person need only be called DPO (Data Protection Officer) if your company falls into one of the following three categories:

  • You are a public authority
  • You conduct large scale regular monitoring
  • You process large scale special data categories (e.g. health or legal records, or financial data)

You can read more about these categories on the ICO website. But if you do not fall into one of the above categories then it is not mandatory; and in fact it could be viewed as unwise to appoint someone to a specifically-named DPO role in these circumstances, as this role could then incur additional GDPR-related responsibilities which may not be strictly necessary for your organisation.

3. Brexit

Brexit seems to find its way into every discussion these days! But just to confirm: GDPR will still apply in the UK even after Brexit has happened. The UK will still be a part of the EU when GDPR arrives in May 2018. After Brexit, the UK will have its own Data Protection Bill, but this is expected to incorporate GDPR. This is important not just for data protection in the UK but also because, to continue to store or process the personal data of EU citizens, companies will need to be GDPR compliant.

Many people are also worried about what actually happens on May 25th. Will some anonymous GDPR inspector be waiting on the doorstep, ready to slap punitive fines upon you if you are not totally compliant? Hopefully not, although obviously we should all do whatever we can to ensure that we are as compliant as we can be.

But many forward-thinking companies are viewing GDPR as just one element of their ongoing business improvement activities. Whilst working through the mechanics of what compliance means, then putting the requisite measures in place, can seem a little dreary, it helps to view GDPR in a more positive light. According to Richard Merrygold, Group DPO at HomeServe:

“This isn’t about the 25 May. It’s not a deadline. It’s not a hard stop. The 25th May is the beginning. If you do this properly and you approach it in the right way, this is a genuinely beneficial activity that can improve your organisation, improve your customer relationships. But you have to prepare to embrace a cultural change. I think in the short term it might be a little bit painful but in the long term, there will be some real customer benefits.”

At Xcite Digital we will continue to feature information about GDPR and its implications for marketing as it evolves over the next few weeks and months. But if we can begin to view it as an opportunity for company-wide cultural change, and a catalyst for closer interdepartmental working, then there might just be some light at the end of the seemingly rather dark GDPR tunnel.