It’s now been a year since the General Data Protection Regulations (GDPR) came into force. The build-up was huge, with business inboxes everywhere flooded with re-consent forms. Conferences and information sessions were attended, and even today marketers are unsure of the circumstances surrounding when and to whom direct marketing communications can be sent.
But was all the hype warranted? Or was this the 2018 equivalent of the Y2K bug? Quite frankly, it is still too early to make an accurate assessment. And when it comes to how major data breaches will be managed under the GDPR, all eyes were on British Airways, who in early September 2018 confessed that 380,000 customer credit card transactions had been maliciously hacked.
The most significant to note, we think, was France fining Google $57m for GDPR violations. Certainly not to be sniffed at, and a valid concern for all businesses with high-volume data holdings. With up to 4% of global revenues up for grabs, should you be found in violation, we arent suggesting for one minute you take your eye off your compliance obligations.
That said, despite it still being early days, there are clearly some elements of the GDPR which have been over-hyped; below is a list of the main ones.
In the months leading up to May 2018, inboxes were inundated with emails asking customers and clients to provide their consent for ongoing marketing communications. It turns out that none of this was strictly necessary.
Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, told The Guardian that many of those requests were “needless paperwork”.
“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.
“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”
Unfortunately, the only thing sending out re-consent forms achieved was to give an opportunity for clients who had previously been happy to receive marketing information the opportunity to decline consent.
The fear of external hackers causing data breaches
Although external hacks like the one which befell British Airways or the 2017 Malware attack on the NHS grab headlines, according to data from the Information Commissioner’s Office (ICO), four out of five data breaches are caused by internal negligence or a lack of adequate safeguarding policies and procedures. Take the case of Morrison’s Supermarket, which last year was ordered to pay compensation to thousands of employees after the payroll details of 100,000 employees were leaked online. The cause of the leak? A disgruntled employee.
The statistics given by the ICO confirm that Managing Directors need to focus their attention on securing internal systems, as well as ensuring GDPR compliance and directing their IT teams accordingly.
No more direct/email marketing
“The GDPR has killed direct/email marketing”. Of all the myths that prevail around the GDPR, this one has perhaps the biggest impact on businesses’ ability to market and sell their products and services.
This is completely untrue. Remember, consent is only one of the six grounds on which you can process personal data. The saviour of the day for marketing and sales purposes is ‘legitimate interest’.
The Direct Marketing Association (DMA) points to article 6(1)F of the GDPR:
“Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.”
This means that as long as the people you are contacting are likely to have an interest in the products and/or services you provide, you have documentation to prove you have considered the impact your campaign will have on recipients is small, and people are given the choice of opting out of further communications, your marketing team can fill their boots.
This article is not designed to insinuate the GDPR should not be taken seriously. Over the coming months and years, as fines are issued for breaches, all industries will gain a clearer view of how harshly regulators and the courts plan to treat non-compliance. However, as long as you completed your IT mapping so you know where all the personal data you hold is kept, have updated third-party data processing contracts, and send marketing materials to those who have a ‘legitimate interest’ in what you are providing, your organisation can carry on as normal.
Reach Revenue works with business owners, leaders and investors to develop high performing sales and marketing teams aligned to the strategic objectives of their business. To find out how we can help you, please call 0203 858 8030 or email firstname.lastname@example.org.
 Y2K stands for Year 2000 bug or Millennium Bug, a problem in the coding of computerized systems that was projected to create havoc in computers and computer networks around the world at the beginning of the year 2000. Nothing happened.