In this article, we’re going to bring you up to speed on making your digital marketing database compliant. If you’re not actually sure what GDPR is, you’ll find our general introductory blog a helpful starting place.
Under GDPR, not all databases are equal. The regulation accepts that you need a database of your existing clients; it also accepts that you may need to retain that information for a while after you cease to do business with them, but you will need to give proper consideration to how much data you need to store and for how long.
However, marketing data comes under closer scrutiny, and there are distinctions depending upon how you intend to use the database. We will deal with databases for direct mail separately; the tightest regulations are for digital marketing activities. This is what you need to know about these, so you don’t come a cropper.
Under GDPR, there is a distinction between a person’s private and professional data. GDPR is concerned with people’s private data: their home address, their personal email address, their personal contact number, their health details, their religious persuasion, even their gender. Anything that can be used to identify an individual.
However, while GDPR does not extend to an individual’s work contact details, you still need to make sure you are taking the right precautions. If someone works from home, their address in your database may be their home address; this automatically puts it under the GDPR rules.
It can be hard to know sometimes whether a business contact is handing over data which is also their personal data, so even if you are purely a B2B organisation, you can’t be sure that your database falls outside the GDPR. It’s therefore sensible to assume all data you hold falls under the regulation and follow best practice.
GDPR expects everyone to think carefully about what data is stored, how it is used and whether the use is reasonable and legal. It is important to consider whether the data you hold is needed, or is just being held “in case” or because the software you use has it as a field by default.
GDPR also distinguishes between different kinds of data, with some considered more sensitive than others. Religious beliefs, disabilities and even gender fall into the most sensitive category. This means you need to think critically about whether you need to hold this information.
One piece of information that many organisations collect by default is gender; GDPR requires us to change our mindset and question whether we really need to know this. Many health practitioners – such as personal trainers, homeopaths and osteopaths – will routinely ask this question of new clients. But once the person is in front of them, the answer to the question is obvious, so this raises the question whether they need to hold that information on their database.
There is no right or wrong answer to this. One of the practitioners listed above may have an offer specifically designed to boost women’s health and may therefore want to divide their database into men and women. That could be acceptable under GDPR, but retaining the information after that marketing campaign may not be acceptable.
As stated above, GDPR accepts that you need data about your clients to enable you to provide your services to them. It also accepts that you may want to contact them in a marketing capacity; they have bought from you already, so it’s reasonable to assume they may want to hear about new products or offers from you.
However, you need to make sure that you only keep essential information. For example, if you are a restaurant holding a gala evening, you will need to collect data on all the attendees to make sure the event runs smoothly, including name, phone number, email address, dietary requirements and potentially mobility restrictions.
To be GDPR compliant, after the event you would need to delete the personal information, i.e. the dietary information (which could reveal their religion) and anything that might reveal disabilities, since this is seen by GDPR as being sensitive, and greater care should be taken of it. Of course, if all the same guests come to your next event, you will have to ask them for this information again – but that’s what GDPR wants you to do. It also requires you to keep a record of the fact that you have deleted the data!
Many companies’ databases contain contacts who aren’t their clients and who didn’t give specific consent to receive marketing emails. That will no longer be acceptable with the new regulation; you will need consent from prospects before sending any marketing emails.
This means that if you have a data capture tool, you will have to spell out exactly how you will use the data (see below for guidelines to specific consents). This will mean rethinking the consents you obtain for data capture tools such as a downloadable e-book on your website or if you run a competition at an exhibition in which you get people to enter by filling in their name and email address on a tablet.
Additionally, if you buy data from a third party, you need to ensure that the data you buy has been collected legally and that the correct, reasonable consents were given when the data was collected.
Another thorn in the side is that you now have to make sure that everyone in your existing database of prospects has opted in, even if they’ve been receiving emails from you for years and haven’t unsubscribed. This means you’re going to have to contact all of them, giving them a link to a web page where they can opt in to your marketing communications. You cannot assume contacts want to receive your communications just because they have not said no; you should assume they don’t want to receive marketing unless they have said yes.
The exception to this would be business contacts. In networking circles there is often a tacit understanding that if you give your business card to someone, they can put you on their marketing list, as long as they have the option to unsubscribe. This is unaffected by GDPR, as long as you are sure the information they have given you is not personal.
You will need to get these consents before May’s deadline. You’ll also need these consents to be very specific, detailing exactly how you will be using their data. Depending upon whether you intend to share the data with other organisations, you may need several consent boxes, for example:
Yes – I’d love to receive communications from Joe Bloggs Sprockets about company news, industry insights and offers
Yes – I’d love to receive communications from Joe Bloggs Sprockets about offers and news from their carefully selected partners: LIST OF NAMES OF ALL YOUR AFFILIATED ORGANISATIONS
Yes – I am happy for Joe Bloggs Sprockets to pass my details to other sprocket manufacturers and suppliers.
Not only do you have to have consent from the people on your marketing database, you have to be able to demonstrate that consent; even if they opt in, if you can’t prove it, you could still be hit with some serious fines. In the example of a competition run at an exhibition, you will need to make sure you keep the records of the consents agreed to by every entrant.
All of this has implications for your CRM software; the database will need to record when contacts chose to opt-in. If you don’t have this facility, speak to your provider early to make sure they are on the case.
Another point to consider is that consents can’t be understood to be given forever. You will need to go back to your contacts regularly to check that they are still happy to receive your digital communications. What ‘regularly’ means has not yet been determined, but annually would be an intelligent guess at this stage.
Finally, your contacts must be able to ask what data you hold on them and to request to be “forgotten” by you. These are known as Subject Access Requests (SARs); you need a process to be able to deal with SARs quickly and to record the SAR and your subsequent action.
There will inevitably be teething problems as GDPR beds in, with the law as it applies in the UK being refined by resulting court cases. GDPR in practice will often not be black and white; what you will be required to show is that you have proper processes in place and have given due consideration to what data you hold, for what purposes and for how long. If you can demonstrate a robust policy, you will have a good defence should the Information Commissioner’s Office (ICO) come knocking.