GDPR in marketing

3 July 2018

25 May 2018 brought a lot of changes to the processing of personal data. On that day the long awaited and broadly publicised General Data Protection Regulation (GDPR) came into force to change the rules of personal data protection. Has GDPR revolutionised data processing and the work of marketing departments?

There is no doubt that marketing departments process loads of personal data in their everyday work. They receive new leads, maintain contacts with customers or business partners and promote their company's business on social media platforms. Marketing staff receive and process various data, including email addresses, telephone numbers and images. To process data in line with GDPR and in a secure way, we must consider a lot of factors. This article describes some of them.

Basis for data processing for marketing purposes

First of all, a marketing department should check if they have an appropriate basis to process personal data. This will usually be consent. Generally, the consent required under GDPR does not differ from the consent described in the old version of the Personal Data Protection Act. The request for consent should not differ from questions regarding other issues (e.g. contractual provisions) and should be in clear and plain language. The consent must be voluntary. Therefore, after drafting a consent form using either your own resources or a paid template, and before publishing it on your website, you should read it several times to see if you understand it. Avoid sophisticated legalese. Also, the user must grant his consent actively. This means that you should not show the user a consent form with the consent box ticked by default hoping that the user will not notice that you have decided for him in advance. It is also a good idea to apply visual effects that will catch the user's attention without being too conspicuous.

Data processing for marketing purposes

Once you obtain the user's consent or have another basis for the processing of his personal data (e.g. a contract with a business partner providing for the processing of personal data), you should inform the user precisely how his personal data will be processed. The information clause – because this is what is meant here – should first of all specify: the data controller, the data processing purposes, the basis for data processing, the data being processed, the data recipient, and the rights of the data subject. Just like the consent, such information should be communicated in a clear and easily-understandable way, especially using plain language. It is also worth considering the visual appearance of the privacy policy on the website. The policy should be clearly worded, and apart from the policy's text body you could use infographics or easily understandable Q&A to highlight its presence on the website. The privacy policy must also be easily accessible to users. Besides providing the above-mentioned information when contacting the user for the first time you must ensure that the privacy policy is always in a visible place on the website.  If the user uses a mobile application, he must be able to find the policy with two taps.

Database purchase and GDPR

It is quite common for marketing departments to obtain users' data indirectly from third parties. In other words, marketing departments often buy databases. With GDPR in force such practice has become quite risky. The Inspector General for the Protection of Personal Data (presently, the President of Personal Data Protection Office) holds that the purchase of databases is not strictly forbidden. She adds, however, that there must be a legal basis for purchasing a database and that the purchaser must immediately (within a month) inform the user about this fact. Usually, the legal basis for processing a database will be the user's consent for the sale of his personal data by another data controller. Yet, the supervisory authority reminds that the basic principle underlying the consent is that it must be informed and voluntary. Therefore, the user, when asked about his consent, must be told who exactly the purchaser is, which means that the purchaser may not be described using generic categories such as "business partners" or "third parties". So if you decide to purchase a database from another data controller, you should check how they have obtained the personal data of your prospective customers. You should also ask the seller if the databases are appropriately secured and what categories of data they include.

Technical aspects of marketing data protection

The legal requirements or the information obligation are not the only things for you to remember in the context of GDPR. Particular attention should be paid to technical and organisational measures referred to in GDPR, which are to ensure a high level of data protection being one of the Regulation's main objectives. Unfortunately, GDPR does not provide examples of such measures. It only says that the data controller or data processor must select appropriate security measures.  Therefore, it is worth commissioning a professional auditor to conduct a legal and technological audit in the company to see what areas of your business are exposed to risk and what should be changed or improved.

You should also carry out your own analyses of the data you collect. If you create customer databases, you should segregate them according the legal basis for obtaining the data. The same applies to consents for receiving marketing information or consents for receiving commercial information by electronic means – those two consents have a different legal basis so it is advisable to collect the data obtained on their basis in separate databases. Remember also to encrypt and pseudonymise the data you hold – the access to specific databases must be restricted to a limited number of parties. The above-mentioned databases should be accessible only to the marketing department and not to all employees who have access to the data in the cloud.

You should also not forget about the data minimisation principle, according to which, when processing data for a given purpose, you may collect only such user data that are required to meet that purpose. So if you want to obtain a customer's data in order to send him a newsletter, you should ask only for the email address and, as the case may be, the full name of the recipient. Asking customers to disclose their correspondence address or PESEL number is completely redundant and against the data minimisation principle.

GDPR and social media

The next step is to analyse your company's activity on social media websites. Of course, Facebook, Twitter or LinkedIn have their privacy polices and service terms and conditions. Still you should remember that by collecting the data of social media users (e.g. through a contact advertisement on FB) you become a separate data controller. It is not a good strategy to rely exclusively on the measures implemented by the social media platforms because, in the event of an inspection, the supervisory authority  will examine your security measures and your compliance with the accountability principle.