A Simple Guide to Online Marketing in a GDPR World
Considered the strongest data protection rule in the world, the GDPR (General Data Protection Regulation) is Europe-wide legislation designed to protect the personal data of EU citizens. It came into effect on May 25, 2018, replacing European data protection rules first enacted in the 1990s.
Contrary to popular belief, you are required to adhere to the provisions of GDPR even if your business is outside the European Union. As long as you have customers living in EU member states, you must ensure that your company is GDPR-compliant, regardless of the base of your operations.
But what exactly is GDPR and how can you adjust your existing online marketing strategies to ensure compliance?
The GDPR Defined
GDPR was reportedly created to “harmonise” data privacy laws across the continent. It is also designed to provide greater protection and rights for people based in Europe, and to give consumers more control over their personal data.
Under GDPR, businesses are required to protect the privacy and personal information of citizens for EU-based transactions. It also has provisions for the exportation of personal data outside of the EU.
The good news with GDPR is that all of its provisions are the same across all of the 28 member states of the European Union. This means you don’t have to create separate online marketing campaigns for each member state since you need to adhere to only one standard. However, this single standard is very high and strict. You need to be careful to avoid unknowingly breaking the law and paying hefty fines.
Key Fundamentals of the GDPR
Here is some key information you should know about the GDPR.
Types of personal data protected under the GDPR
Under the GDPR, the definition of personal data includes the following:
- Basic information pointing to one’s identity, such as name, address and ID number
- Web data, including IP address, location, RFID tags and cookie data
- Health and genetic data
- Biometric data
- Data pertaining to one’s race or ethnicity
- Political opinions
- Sexual orientation
Who is required to comply?
If you meet the criteria listed below, you are required to comply with the GDPR:
- You have a presence within an EU country
- You have no presence in an EU country but you process personal data in relation to EU residents
- You have more than 250 employees
- You have fewer than 250 employees but your data processing often affects the rights and freedoms of data subjects
Who must ensure compliance within your company?
There may be several people in your company or organisation who are tasked with ensuring that you comply with the GDPR. They are:
1. Data controller
The data controller determines why and how personal data is processed. They also ensure compliance among the company’s third-party contractors.
2. Data processors
Data processors are responsible for the maintenance and processing of all personal data records. If there is a breach or an incident of non-compliance, data processors are the people who will be held liable.
3. Data protection officer or DPO
The DPO, who is designated by the data controller and data processor, is responsible for overseeing data security and compliance. Not all companies or organisations require a DPO.
What You Can and Cannot Do Under the GDPR
The GDPR comprises 11 chapters and 91 articles detailing what you can and cannot do with the personal data you have collected from customers and employees, as well as the consequences you may suffer should you breach any of them. Here are the five most important rules you need to follow.
- You cannot obtain customer consent using terms and conditions written in complex and confusing language. Your customers should be able to give and withdraw their consent easily at any time.
- You cannot deny a customer’s request to access their existing data profile. You should be able to provide them with a detailed electronic copy of the data you have collected about them free of charge. In addition, you should inform them about how you use the data they have provided you with.
- You cannot keep customers’ personal data after it has fulfilled its purpose. Under the GDPR’s Right to be Forgotten provision, customers can ask you to completely remove their personal information from your database.
- You cannot legally own customers’ personal data after having access to it. Customers should be able to collect their data from you and reuse it as they see fit.
- You cannot export customers’ personal information to places deemed by the EU as not having sufficient levels of data protection.
If your company has been found to have committed a smaller offence, you could pay a fine of up to €10 million or 2% of your global turnover (whichever is greater). Serious offences, meanwhile, could result in a fine of up to €20 million or 4% of the company’s global turnover (whichever is greater).
How the GDPR has Affected Online Marketing
Indeed, GDPR has significantly affected the way we do business in the EU. But if there’s one aspect of business it affected the most, it’s got to be marketing.
The Privacy and Electronic Communications Regulations (PECR) already cover marketing. Whilst GDPR doesn’t replace PECR, it has expanded the definition of consent. This means you need to comply with the provisions of both GDPR and PECR.
As mentioned earlier, customers should be able to freely give or withdraw their consent at any time. This means you should do away with website forms featuring pre-ticked opt-in boxes. Instead, you should ask an individual for permission before using their contact details to email them promotional materials.
Also, you must explain to your target market why you are sending them a particular email. Not only does it promote transparency, but it also reduces the risk of your recipients filing complaints against your method of communication.
Can You Use Personal Details Found in Public Domains?
A good example of this issue is how GDPR affects WHOIS. WHOIS is not an acronym, but rather a shortened version of the question “Who is responsible for this domain name?” It is a protocol created by ICANN in the 1980s to help individuals find the names and contact details of anyone who has registered a domain. Law enforcement agencies have been using this protocol to identify people behind the spread of malware and the owners of malicious domains. Publishing such details is considered illegal under GDPR, which doesn’t allow companies to publish information that identifies individuals without their consent.
To address this issue, ICANN announced the Temporary Specification for gTLD Registration Data a few days before GDPR was enacted. This temporary policy requires the redaction of the personal information of domain owners, effectively changing the domain industry landscape.
If you’re not from the domain industry and you want to use personal data found in public domains such as business websites for marketing purposes, there is no clear-cut answer yet on what the consequences could be should you pursue this line of action. A good option is to consult legal experts to ensure that you’re not violating any GDPR provision.
- How you manage users’ data
- Reasons for processing personal data
- Any forms of marketing you send
- How long you keep the personal data you have collected
- Rights of your data subjects
How Long Can You Keep Personal Data?
As mentioned earlier, you are required to delete a customer’s or user’s personal data as soon as it has served its purpose. You should also remove it when the owner of that data has requested it.
Browser Cookies and the GDPR
Cookies are small files that are stored on your computer when you browse the Internet. Whilst they are considered harmless and can be easily deleted, they can be used to determine your online activity and preferences, or even identify you without your consent. Because of this, the majority of browser cookies are subject to GDPR, specifically those used for analytics, advertising, and functional services.
To ensure compliance, you must stop setting such cookies. Another option is to ask for consent, or find another lawful way to collect and process the data that browser cookies usually provide.
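The two practical points above, unticked opt-in boxes and no non-essential cookies until the visitor agrees, come down to a small piece of gating logic on the site. The following is an added example, not code from the article or from Springhill Marketing: a consent store that starts with no consent recorded, sets only the cookies whose category the visitor actually ticked, and lists the cookies to clear when consent is withdrawn. The category names, the cookie names and the `SITE_COOKIES` list are constructed assumptions for illustration.

```javascript
// Added example (not from the original article). Category and cookie names
// below are assumptions; a real site would tag its own cookies the same way.

const STRICTLY_NECESSARY = 'necessary'; // e.g. session and CSRF cookies: no consent needed
const CONSENT_CATEGORIES = ['analytics', 'advertising', 'functional'];

// Constructed sample of the cookies a site would like to set, each tagged
// with the consent category it belongs to.
const SITE_COOKIES = [
  { name: 'session_id', category: STRICTLY_NECESSARY },
  { name: '_ga', category: 'analytics' },
  { name: 'ad_id', category: 'advertising' },
  { name: 'lang_pref', category: 'functional' },
];

function createConsentStore(now = () => Date.now()) {
  // Nothing is recorded until the visitor acts: the equivalent of an opt-in
  // form whose boxes start unticked. Silence is never treated as consent.
  let record = null;

  function mayUse(category) {
    if (category === STRICTLY_NECESSARY) return true;
    return record !== null && record.granted.includes(category);
  }

  return {
    // The form hands over only the categories the visitor ticked; unknown
    // categories are dropped rather than silently granted.
    grant(categories) {
      const granted = categories.filter((c) => CONSENT_CATEGORIES.includes(c));
      record = { granted, givenAt: now(), withdrawn: false };
      return record;
    },
    // Withdrawal is one call and keeps a timestamp, so it can be evidenced.
    withdraw() {
      record = { granted: [], givenAt: now(), withdrawn: true };
      return record;
    },
    mayUse,
    // Cookies the site may set right now.
    allowedCookies(cookies = SITE_COOKIES) {
      return cookies.filter((c) => mayUse(c.category));
    },
    // Cookies that must be removed because consent is absent or withdrawn.
    cookiesToClear(cookies = SITE_COOKIES) {
      return cookies.filter((c) => !mayUse(c.category));
    },
    snapshot() {
      return record;
    },
  };
}

// In a browser, expire every cookie the store says may not be kept. When no
// document is available (e.g. running under Node) this does nothing.
function applyToDocument(store, doc) {
  if (!doc || typeof doc.cookie !== 'string') return 0;
  let cleared = 0;
  for (const c of store.cookiesToClear()) {
    doc.cookie = `${c.name}=; Max-Age=0; Path=/`;
    cleared += 1;
  }
  return cleared;
}

// Walks through the lifecycle: no consent, analytics-only consent, withdrawal.
function demo() {
  const store = createConsentStore();
  const before = store.allowedCookies().map((c) => c.name);
  store.grant(['analytics']);
  const after = store.allowedCookies().map((c) => c.name);
  store.withdraw();
  const cleared = store.cookiesToClear().map((c) => c.name);
  return { before, after, cleared };
}

console.log(JSON.stringify(demo()));
```

The important property is the default: before `grant` is called, `mayUse` returns false for every category except strictly necessary cookies, so a visitor who ignores the banner gets no analytics or advertising cookies at all. `cookiesToClear` is what a withdrawal handler should act on, since consent that can be given but not easily taken back fails the test the article describes.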
Can You Use Your Old Marketing List?
GDPR makes clear that pre-ticked opt-in boxes do not indicate valid consent. Therefore, unless the people on your mailing list previously gave you their consent in a way that complies with GDPR, you may have to contact them and ask them to opt in again.
With its hefty fines and stringent rules, GDPR may seem harsh and unforgiving. However, it doesn’t mean you should be afraid of it. Instead, think of it as an opportunity to improve your online marketing strategies.
To ensure compliance, review your IT policies and always ask for consent first before including someone in your mailing list and sending them promotional materials. If you want to reach more customers in the EU, don’t simply rely on your mailing lists as there are other ways to expand your reach. You can explore other strategies for generating customer interest such as search engine optimisation, social media marketing, and creating localised content. Finally, when in doubt, always consult legal and marketing experts first before making a move.
At Springhill Marketing, we can help you create a GDPR-compliant marketing campaign. Contact us today to obtain the solutions you need.