By: Howard Freeman, MD, Fortis DPC
There is no doubt that GDPR has had a great effect on marketing. Some businesses believe that the GDPR and PECR were designed to stop them from communicating with prospects and customers. Of course, we now know that this is not the case. The laws were designed to stop abuses of data and high levels of spam. We see many cases where companies have been fined for sending out hundreds of thousands, if not millions, of emails to a database whose true source they probably do not know and for which they most definitely do not have consent. You only have to look on the ICO website to see those that have been fined under the GDPR and PECR for such behaviours.
However, what has changed is that most organisations are now taking a sensible and structured approach to their marketing and doing their best to ensure that they do not breach the regulations. GDPR and PECR both require data to be maintained accurately, which has forced companies to clean up their databases, something that is of course in their own interest.
Since the arrival of the GDPR in May 2018, one of the most misunderstood elements of the regulation has been the belief, held by many organisations, that it curtails many marketing activities where consent does not exist. Whilst there is an element of truth in this, businesses can continue to market to their clients and prospects if proper procedures are followed and the outcomes documented. If a business is marketing to existing customers about products that are similar to those purchased previously, it is fair to say that the customer would be interested in such products, and it is reasonable to market such products to them. This is often referred to as ‘legitimate interest’. Of course, it is advisable to gain explicit consent from your clients wherever possible. If correctly implemented and understood, GDPR should not have too great an effect on customer relationship marketing.
However, many businesses we engage with seem confused about what they can and cannot do, and this leads to two potential situations. The first is where the business chooses to do nothing – that could be seen as high risk and as breaching the GDPR and PECR, and it can have a devastating effect on sales pipelines or incomes. The alternative situation is where the business chooses to simply ignore the regulation and carry on regardless. This means that the marketing is high risk and there is little or no data governance inside the business. Without the appropriate controls in place, data breaches can happen easily. The recent data breach by the Conservative Party is a particularly good example of this, where data governance processes failed.
Fortis DPC is often asked if marketing emails can be sent under the GDPR rules. If the recipient is not a customer or a former customer, then the PECR and the GDPR rules say no, and therefore explicit consent is required. However, if the business believes that the individuals being targeted would benefit from the offering, then the recommended course of action is to carry out a data privacy impact assessment, or DPIA, to assess the risk to the rights and freedoms of the individual. The risk to those rights and freedoms should be extremely low; if it is, then it is possible to send marketing emails. But again, professional advice should be sought, and all activities carried out beforehand should be documented.
For some organisations GDPR is still seen as a challenge, as they have yet to really think through how they can market to prospects in a compliant manner. Many choose to do nothing, and this is a high-risk strategy. Many times, marketeers have told me that senior management has not been told of the risks. It is possible to send marketing emails, but again professional advice should be sought, and all activities carried out beforehand should be documented.
About Fortis DPC
Designed to deliver full-service GDPR compliance, Fortis DPC offers a suite of services to over 300 clients across the UK and Europe to help businesses understand what compliance investment is required.
Serving domestic and international clients, Fortis DPC aims to become the trusted compliance partner for businesses across Europe, the USA, Australasia, South America, South Africa and beyond. Its goal is to deliver compliance and certification to regulations and standards across all territories, and to continue to offer more services to both new and existing clients through its commitment to continuous improvement.
Its compliance work is carried out to ISO27001 standards across Europe and, in the UK, to Cyber Essentials standards, which helps clients on their data protection journey. It also helps businesses achieve Cyber Essentials and Cyber Essentials Plus certification.