We might be leaving the EU, but we are keeping Europe's laws. Recent votes in the House of Commons set the foundation to make European law UK law, one of the first steps to making any Brexit easier for British business.
One important consequence for marketers will be that the GDPR, the General Data Protection Regulation, will become British law in May 2018 and it will stay even when we leave the EU. This is good news for British marketers because it should mean you can continue to work and trade in Europe as normal.
But there will be changes. Marketers need to read our top 9 things to think about to help plan for the implementation of the GDPR in May 2018:
1. A higher threshold for marketing consent.
Consent has to be given, and not taken for granted. In your marketing, tell your customers exactly what giving their details to you means for them. If they do decide to share their details with you and consent to your marketing, then consent has to be given freely and unambiguously. Practically, this means stating clearly why you want someone's details and how you will use that data. Consent wording should be separate from other terms and conditions, not include pre-ticked boxes, and include different options for different types of consent.
2. You don't need opt-in consent for all of your marketing.
A second possible option is the use of 'Legitimate Interests'. This is an alternative to consent for the processing of data. For the full ins and outs of Legitimate Interests, look at the Data Protection Network's guide, but remember that Legitimate Interests can be used only when business interests do not 'override the fundamental rights and freedoms' of the customer, particularly if the subject is a child. This approach could be useful, particularly for B2B marketers.
3. A new definition for personal data.
Anything that can identify a person can be classed as Personal Data. This widens the definition considerably, taking in IP addresses and cookies which track behaviour in addition to the more obvious postal addresses or mobile phone identifiers.
4. The GDPR only applies to personal data.
You will use personal data in your marketing, but there are opportunities to sidestep using personal data in your targeting using pseudonymisation techniques, and the GDPR won't apply in these cases. Some marketers are already experimenting with targeting to personality types and tailoring messages for specific traits, for example.
5. If your organisation handles large quantities of personal data, you will need to hire or train a data protection officer.
A Data Protection Officer (they will be known as DPOs) will handle your company's relationship with data. They should know what is permissible and what isn't, what your business needs to do and the processes it needs to put into place to keep it operating within the law. They should also be able to guide your business to GDPR compliance.
6. Maintain robust records, particularly when a customer gives consent for marketing.
Make sure you keep meticulous records of how and when a customer agreed to give their consent and what they agreed to, in case you find yourself in a dispute because of your marketing. This will show what the customer saw and what they did. As long as you behaved correctly, this will be your insurance to show you did everything by the book.
7. B2B data is personal data.
The GDPR erodes the differences between B2B and B2C marketing. This presents a much bigger change for those who work in B2B marketing, as marketing to job titles is currently permissible. But the GDPR changes this and makes B2B marketing more reliant on explicit consent or Legitimate Interests.
8. People have the right to have their personal data erased or moved to another organisation, free of charge.
Make sure your business is able to give your customers' data back to them should they want it. This may be difficult if you have several databases held in more than one place, but you will need to find ways to pull specific customers' data together should they want it.
9. If you're still not paying attention, there are fines of €20 million or 4% of global turnover for getting it wrong.
These very harsh penalties are there to make sure fines hurt for the largest companies, particularly the US tech giants. But your business will not be exempt. Get GDPR compliant to be safe.
To find out more about how the GDPR will affect your business and to start action planning, check out our portfolio of GDPR courses and qualifications designed to support compliance at every level of the organisation.