• March 29, 2024
 How to talk to customers … and stay compliant


By now your email inboxes, letterboxes and social media feeds will be chock-a-block with organisations outlining the changes they’ve made to their privacy notices and policies, as well as requesting your consent to continue to send you marketing information. There’s been an awful lot written about the new GDPR legislation, which comes into force this month on 25th May.

So what do you really need to know to ensure that your marketing stays on the right side of the upcoming regulations?

What’s the big idea?

It’s probably wise to start with the spirit of the law – what the new regulations are intended to do. The existing Data Protection Act was enacted in 1998 meaning that it dates to around the same time as dial-up internet connections and housebrick-sized mobile phones!

The new General Data Protection Regulation (GDPR) is designed to bring the law in this area up to date and to provide consumers with greater control over their own personal data and with protection against unsolicited and unwanted marketing – whether by email, phone, post or any other means.

It’s worth noting that the existing Privacy and Electronic Communications Regulations (PECR), which were most recently updated in May 2016, will continue to remain in force and need to be read alongside the new GDPR. PECR already covers marketing calls, texts, emails and faxes; the use of cookies and similar technologies used for tracking purposes on websites; and the privacy of customers using communications networks such as traffic and location data, caller ID, and call return amongst other things.

Why should I care?

The Information Commissioner has the power to fine organisations for a data breach, and commentators expect the level of fines to increase over the next few years. A quick review of fines levied recently by the Information Commissioner’s Office (ICO) [https://ico.org.uk/action-weve-taken/] indicates the likely direction of travel. The improper use of personal data for marketing purposes is an area which will undoubtedly be firmly in the spotlight.

However, of greater significance to professional advisers than the fine itself (up to 20m euros or 4% of annual worldwide turnover, whichever is greater) is that the reputational damage of breaching the regulations could be significant. In a business based on trust and respect, gaining a reputation for not looking after personal data properly could have severe consequences for your business and for you personally.

There’s also the time that would need to be taken in dealing with any ICO investigation, which will usually be significant and would likely provide an unwelcome distraction from your business. Not to mention being a distinctly unamusing way to pass the time.

Does it affect me?

This is a Europe-wide piece of legislation and, regardless of the length of the long and winding road towards Brexit, it will apply to us in the UK. The government has already indicated that even once the UK is outside of the EU the new Data Protection Act – currently wending its ponderous way through Parliament as the Data Protection Bill – will follow the principles laid out by the GDPR.

By virtue of your work you are inevitably dealing with personal data – names, email addresses, IP addresses, ID, even biometrics. And as a piece of EU legislation, it applies to all businesses, of all sizes, in all sectors, wherever they are based in Europe (and to businesses outside the EU that offer goods or services to, or monitor, people in the EU).

So what’s new?

The scope of this article is the marketing implications of GDPR and therefore assumes that there is a plan in place to ensure compliance with the new regulations in the conduct of your day to day business. For help and advice on these aspects please contact Blackmores who are the IPW’s chosen partner for compliance advice and have prepared a GDPR toolkit specifically designed for will writers.

In marketing terms some things to note are:

Legal basis for processing

Space does not allow for a detailed description of all of the legal bases for processing data, and therefore we are focusing on some of the key things to consider, such as:

Where you have a contractual arrangement with a client you can continue to market to those existing clients, providing that you always offer an unsubscribe or opt-out facility (as is the case under the current Data Protection Act (DPA)) and that your privacy statement signposts the purposes for which that data will be used, how long it will be retained for, how it will be processed and stored, and that the right to be forgotten and the right to portability will be adhered to. (These rights are not unique to marketing uses of data and therefore details are not provided here.)

The decision on who is a ‘current client’ will vary from organisation to organisation. Your policy setting out that decision and the reasons for it would be a key part of your defence should you ever be the subject of an investigation by the ICO.

Updating your privacy statement (which must be easily available and clearly signposted eg in an email a link to the privacy statement hosted on your website) to include the marketing purposes for which you might hold any data is important and it should also be covered in your terms of engagement.

It might be worth specifically considering whether you intend to share data with third parties. If this is the case (for instance you may wish to instruct a handwriting expert or genealogist) this should be covered in your statement along with details of how information sharing with those parties is managed (possibly by way of a processor agreement). Passing data to third parties for them to market to is not really advisable unless you have a burning reason to do so – if you choose to do this you will need robust evidence to show that specific consent was gained for that purpose – ideally naming the third parties by company name.

Whilst on the subject of third parties, do consider any bought-in data you may have purchased from a data broker. You can only continue to use this if you are sure (and written confirmation is best) that the data broker has obtained, and can evidence, the consent of the individuals on the list for marketing by you specifically. If a contact from one of those lists has become a client then one of the other legal bases may apply and the restrictions are not as tight.

You also have a duty to ensure that the records you are keeping are accurate and up to date. This may be something to consider when deciding who is contactable on the ‘legitimate interest’ basis or on the basis of a current contractual relationship. Could you really say that records from many years ago are up to date with the correct address, mobile phone number etc? Setting a sensible cut-off date – for instance, clients who have instructed me in the last two years/five years etc – is a good start.

Prospects

In the area of contacting prospects who are not current clients, there are a number of bases under GDPR on which you can continue to market to them.

The most talked-about is positive opt-in where someone is required to actively consent to continue to receive marketing information from you. (note – the medium is unimportant – it applies equally to emails, phone calls, post, faxes etc).

This is the best possible option in many ways in that it shows that the people you are marketing to actively want to receive marketing communications from you. This is an excellent opportunity to spring clean your mailing lists. After all, what’s the point in continually contacting thousands of people who are never going to engage with you or buy from you but instead delete your emails or recycle your leaflets without so much as a quick glance?

Positive opt-in must require your subject to take a positive action to consent i.e. they have to do something (like click on a big green button) to confirm their interest and willingness to continue to receive marketing information from you. Pre-filled tick boxes or offering an unsubscribe only option, are not sufficient.

There is also increased emphasis placed on the relevance of the marketing communications being sent. It must be clearly linked to the reason why you’re in communications with them. For example, if I am their will writer I cannot start to market to them about my sideline art business offering discounts on my paintings.

Some organisations are using this as a good reason to ask people to update their contact details and preferences. This has to be considered on a case to case basis and a sensible balance struck between the value of gaining that more granular information and the potentially increased likelihood that someone may not bother to respond because they can’t face filling in a form that is too lengthy and detailed and takes too long to complete.

Keep it fresh

Many organisations hold data indefinitely (how many people do you know who have never deleted an email, ever?) and this is something that GDPR seeks to change. GDPR does not put a fixed shelf-life on consent, but the ICO’s guidance is that consent degrades over time, which means that if you do gain opt-in consent you should plan to obtain it again after a set period of time in order to continue to market to those individuals.

Again there is no rule about what period of time is chosen. Current guidance ranges from 12 months to 24 months and again the point here is that the ICO will look for evidence that you have made a conscious decision on this point, documented the same and that you actually adhere to and action the procedures outlined in your documentation.

Clearly, you will need a system both to record consents (you’ll need to be able to easily find proof of consent – who consented, to what wording, when and how – in the event of a complaint against you or an ICO enquiry) and to diarise reminders to refresh that consent before it lapses. In the absence of a CRM system this could prove burdensome and may lead you to reconsider the wisdom of getting positive opt-in consent for every person (as long as you are sure you have a legal basis on which to hold the data under one of the other criteria).
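As an added illustration of what such a record-keeping system needs to capture (this is example code written for this article, not part of any CRM or mailing product), the small ledger below stores the evidence of each opt-in, honours withdrawals, refuses contact once consent has lapsed, and produces the list of people whose consent is about to lapse so that a refresh request can go out while you are still entitled to email them. The 24-month refresh interval and the 30-day reminder lead time are assumed policy choices for the example; GDPR sets no such figures and the names and dates in the sample data are constructed.

```python
"""Consent ledger: proof of opt-in, withdrawal, lapse and refresh reminders.

Added example. The refresh interval and reminder lead time below are
assumed policy settings for illustration, not figures from GDPR or the ICO.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REFRESH_INTERVAL = timedelta(days=730)   # assumed policy: re-consent every 24 months
REMINDER_LEAD = timedelta(days=30)       # assumed policy: diarise 30 days before lapse


@dataclass(frozen=True)
class ConsentRecord:
    """The fields you would have to produce as evidence of consent."""
    email: str
    purpose: str          # what they agreed to receive, e.g. "wills newsletter"
    wording: str          # the exact statement shown at the point of consent
    source: str           # how it was captured, e.g. "website form", "signed letter"
    given_at: datetime    # timezone-aware timestamp of the positive action


class ConsentLedger:
    def __init__(self, refresh_interval: timedelta = REFRESH_INTERVAL) -> None:
        self.refresh_interval = refresh_interval
        self._consents: Dict[Tuple[str, str], ConsentRecord] = {}
        self._withdrawn: Dict[Tuple[str, str], datetime] = {}

    @staticmethod
    def _key(email: str, purpose: str) -> Tuple[str, str]:
        # Email addresses are matched case-insensitively so an unsubscribe
        # from "Dave@Example.com" also covers "dave@example.com".
        return (email.strip().lower(), purpose)

    def record(self, rec: ConsentRecord) -> None:
        """Store a fresh opt-in; a new opt-in also clears an earlier withdrawal."""
        if rec.given_at.tzinfo is None:
            raise ValueError("given_at must be timezone-aware")
        key = self._key(rec.email, rec.purpose)
        self._consents[key] = rec
        self._withdrawn.pop(key, None)

    def withdraw(self, email: str, purpose: str, when: datetime) -> None:
        """Record an unsubscribe. The original evidence is kept, not deleted."""
        self._withdrawn[self._key(email, purpose)] = when

    def evidence(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        """The proof you would hand to the ICO or a complainant."""
        return self._consents.get(self._key(email, purpose))

    def can_contact(self, email: str, purpose: str, now: datetime) -> bool:
        """True only if consent exists, has not been withdrawn and has not lapsed."""
        key = self._key(email, purpose)
        rec = self._consents.get(key)
        if rec is None or key in self._withdrawn:
            return False
        return now - rec.given_at < self.refresh_interval

    def refresh_due(self, now: datetime, lead: timedelta = REMINDER_LEAD) -> List[str]:
        """Addresses whose consent lapses within `lead` but has not lapsed yet.

        Once consent has lapsed you can no longer email the person, even to
        ask them to re-consent, so those contacts are deliberately excluded.
        """
        due = []
        for key, rec in self._consents.items():
            if key in self._withdrawn:
                continue
            lapses_at = rec.given_at + self.refresh_interval
            if now < lapses_at <= now + lead:
                due.append(rec.email)
        return sorted(due)


# Constructed sample data for the example; these are not real people.
DEMO_NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)
WORDING = "Yes, please email me news and offers about will writing"


def demo_ledger(now: datetime = DEMO_NOW) -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("alice@example.com", "newsletter", WORDING,
                                "website form", now - timedelta(days=100)))
    ledger.record(ConsentRecord("bob@example.com", "newsletter", WORDING,
                                "signed letter", now - timedelta(days=715)))   # lapses in 15 days
    ledger.record(ConsentRecord("carol@example.com", "newsletter", WORDING,
                                "website form", now - timedelta(days=800)))   # already lapsed
    ledger.record(ConsentRecord("dave@example.com", "newsletter", WORDING,
                                "website form", now - timedelta(days=10)))
    ledger.withdraw("Dave@Example.com", "newsletter", now - timedelta(days=1))  # unsubscribed
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, ledger.can_contact(f"{who}@example.com", "newsletter", DEMO_NOW))
    print("refresh due:", ledger.refresh_due(DEMO_NOW))
```

Two design points worth noting: a withdrawal is recorded alongside the original evidence rather than by deleting it, so you can still show what the person agreed to and when they changed their mind; and `refresh_due` only returns people whose consent is still live, because a “please re-consent” email sent to someone whose consent has already lapsed is itself an unsolicited marketing message (the ICO fined Honda and Flybe in 2017 for exactly that).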

Is it different for B2B?

The rules around business-to-business (B2B) marketing are not quite so strict although many companies are taking the view that they may as well take the positive opt-in route with their business contacts as well as with their individuals as this is seen as best practice and speaks to the point about cleaning up lists and improving the quality of the same.

This may apply to you if you market to financial advisers or other professional advisers. Please contact us on 0800 133 7127 if you’d like to know more about B2B marketing to corporates and corporate individual subscribers.

Given that the new legislation is designed to protect consumers (think automated calls about PPI and mass spam emails) and that you are marketing to the general public, making sure that consumers’ rights are protected should be the number one aim in our thinking about GDPR compliance. Yes, business email addresses do count as personal data … possibly this a subject for a whole separate article!

Information security

A quick word on systems. If your marketing campaigns run off your case management system (or the same place where you hold your client files and records) then you should have information security (physical and cyber) covered as part of your preparations for the introduction of GDPR (although much of the requirement is already current law under the DPA).

However, if you use a separate system (eg a mailing system such as Mailchimp or Campaign Monitor), multiple spreadsheets or some other stand-alone tool, then you should ensure that appropriate security measures are in place there too: who can log in, how exports of the list are controlled, and where copies of it end up.

You’ll need to check the terms of your systems as well, particularly with regard to whether or not the software provider processes data outside of the EU. For example, at the time of writing sharing files via Dropbox for Business is ok (data is processed within the EU) but Dropbox for Individuals is not; check the provider’s current terms rather than relying on this. US-based companies are particularly noteworthy here. It is not the case that just because data is processed in the US you should not use the service. If a company is signed up to the Privacy Shield (the successor to the Safe Harbour agreement, which was struck down in 2015), or has other appropriate safeguards such as standard contractual clauses in place, then that is ok.

Where do I start?

Putting in a communications plan before 25th May – and having an ongoing plan – is the priority in marketing terms.

This is not a one-off process and, done well, could actually improve the level of return achieved for your investment in marketing activity.

The ICO website is excellent and includes a self assessment questionnaire which helps you to understand where you are currently. There’s a checklist on there and another questionnaire to assist in understanding whether you are a data controller or a data processor (or both) and in deciding on the legal basis by which you are holding and processing data.

Overall GDPR is going to (forcibly) raise the bar for marketers. And this can only be a good thing. Eradicating lazy data collection and storage practices can only be positive. Marketers will need to think in new and creative ways about how to personalise their campaigns and offers to make them relevant to their target audience and stimulate engagement and interaction. After all, isn’t that what good marketing – and especially content marketing – is all about?

For an effective marketing plan that won’t fall foul of the GDPR, contact Solve Legal Marketing today by calling 0800 133 7127 or email info@solvelegal.co.uk.

Disclaimer: This article is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. The information provided is not legal advice and you should not rely on it before taking action. Do consult a lawyer or compliance professional.


Solve Legal

http://www.solvelegal.co.uk/