Four common misconceptions about the GDPR for marketers
First published on econsultancy.com
Econsultancy’s latest research shows that over half (59%) of client-side marketers still feel unclear about what does and does not constitute compliance with the GDPR.
These findings are based on a survey conducted in January 2018 amongst over 1,000 marketers in the UK.
In this post, I discuss some of the common questions and myths about the GDPR that the research uncovered.
1. Obtaining consent
When marketers were asked about their top three priorities ahead of the legislation’s enforcement, 86% of client-side marketers and 77% of agency-side respondents indicated that they are prioritising a review of consent mechanisms for collecting and processing data.
The compliance conversation among marketers has been heavily centred on the notion of obtaining consent, but there are, in fact, six legal grounds for processing personal data under the GDPR. In addition to consent, the other legal grounds are legitimate interests, public interest, contractual necessity, legal obligations and vital interests.
RedEye Compliance Director Tim Roe notes the confusion and hype around consent:
For marketers, there’s a lot of confusion out there, which is stopping them from moving forward. On one side, they know that consent is not always a viable proposition but on the other side, they are being told by compliance people and they are being told by lots of consultants that they need consent…And people are creating less than ideal situations because they can’t comply in that way.
The regulation was constructed in such a way that allows marketers to use legitimate interests for the majority of their data processing. All of the exciting stuff that we do, all the segmentation, the targeting and the profiling…all of that, in most cases, can be used under legitimate interests. That’s the major thing for marketers to realise.
2. Appointing a Data Protection Officer
While over half (59%) of client-side respondents and 40% of agency respondents say that their organisations have either appointed or are planning to appoint a Data Protection Officer, doing so is only mandatory in certain circumstances, such as:
Where the processing of personal data is done by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity
Large scale regular monitoring
Large scale special data categories e.g. health records, criminal offences, mortgage applications
3. The GDPR and Brexit
It is a misconception that Brexit will mean that the GDPR will not have any impact in the UK. The UK will still be a part of the EU when the GDPR is introduced in May 2018 and will remain an EU member state for several months after that. The position for the UK after that is less clear and will depend on negotiations but the UK has already proposed a Data Protection Bill, which intends to modernise data protection laws in the region.
Irrespective of Brexit, if British businesses want to do business in Europe and need to process the personal data of EU citizens, they will need to comply with the GDPR. The regulation has international implications as it concerns any organisation storing or processing EU personal data, regardless of where the organisation is located.
4. The May ‘deadline’
With the enforcement date looming, many businesses are understandably concerned about being ready in time for 25th May.
Richard Merrygold, Group Data Protection Officer at HomeServe, says that the 25th May is only the start of your compliance journey:
This isn’t about the 25 May. It’s not a deadline. It’s not a hard stop. The 25th May is the beginning. If you do this properly and you approach it in the right way, this is a genuinely beneficial activity that can improve your organisation, improve your customer relationships. But you have to prepare to embrace a cultural change. I think in the short term it might be a little bit painful but in the long term, there will be some real customer benefits.
Compliance with the GDPR needs to be built into the culture of a company, not just left to an individual department or to a contract with an agency. Marketers therefore need to think about integrating their strategies with the efforts of other parts of the business and plan and execute in a holistic way. Seen this way, transitioning to a post-GDPR world will require compliance that is both ongoing and iterative.