Understanding GDPR Compliance in Digital Marketing


Privacy!

A natural right of every human that is also often associated with the right to life and liberty.

It is what gives us freedom of choice to make our personal decisions without any external interference.

However, when it comes to digital privacy, the scenario does not seem to be the same.

Companies use, or rather exploit, our data at an incredible rate.

We never know how extensively these enterprises surveil us for commercial gain.

From the website you browsed to the store you last visited, almost every action you take leaves highly valuable digital footprints.

Seeing the value of personal data, The Economist even compared it with oil, calling data the world’s most valuable resource.

Data privacy is becoming a major concern day by day!

In fact, I would say it is no less critical a challenge than other global issues like climate change, economic inequality, health crises and more. Just like other global crises, data privacy also needs to be addressed.

Different nations actively participate in the protection of their consumers’ digital privacy.

One of these revolutionary steps was the enactment of the General Data Protection Regulation (GDPR) by the European Union.

Let’s understand what GDPR is and how it changed the whole scenario, especially in digital marketing.

What is GDPR?

GDPR, or the General Data Protection Regulation, is one of the most stringent laws passed by the European Union in 2018.

The law protects EU consumers against privacy breaches at the hands of companies by granting them rights to know why companies collect or process their personal information and how they use it.

The law applies to every organisation that offers its products or services to EU citizens. This means it does not matter whether your company is based outside the European Union: if you do business with EU citizens, you must comply with the GDPR’s provisions.

While GDPR is a lengthy law dealing with various areas concerning personal information, we will try to understand how it impacts digital marketing or bulk email marketing and how marketers should comply with its provisions.

But before that, let’s look at the definition of processing, because that word will come up repeatedly in this article.

What is Processing?

Processing simply means anything you do with data. It is not confined to collecting but also includes recording, organising, copying, altering, disclosing, and even selling it.

GDPR & Digital Marketing

GDPR provides 7 key principles that must be considered while processing data. These seven principles are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Security
  7. Accountability

However, companies cannot process anyone’s data just by demonstrating that they are adhering to these principles.

Rather, companies are required to justify why they need to process someone’s personal information. The GDPR provides the following 6 legal bases under which the processing of data is considered lawful.

6 Legal Bases for Processing

Consent - the individual whose data will be processed must give their consent clearly and unambiguously.

Contract - processing is allowed if there is a contract between the organisation and the individual. For example, a food delivery company requires your address.

Legal obligation - data may be processed if the organisation is under a legal obligation to do so. For example, companies require employee information for the purpose of tax deductions.

Vital interest - if the organisation requires the data to protect someone’s life.

Public task or public interest - the organisation may process the information to perform a public task or in the public interest, such as collecting information for the population census.

Legitimate interests - if the organisation has a legitimate commercial interest; for example, an insurance company processing personal data to spot fraudulent claims.

Among these 6 legal bases, digital marketers usually fall under the first category: consent. As a digital marketing company, you need to obtain consent from users to collect or process their data. The consent should be:

  • Granular
  • Affirmative
  • Freely given

Apart from this, you should also keep the following things in mind while marketing.

Get explicit consent

Before the enactment of GDPR, marketers relied on implicit consent from users. This means they would simply publish a privacy policy and assume that the user agreed to receive email communications.

Similarly, for email or SMS marketing, digital marketers would build the marketing database by compiling a customer list from previous orders and collecting addresses through a pre-ticked checkbox that signed the customer up for the newsletter.

However, both of these practices now violate GDPR!

The customer may have proceeded to your website without ever reading your privacy policy.

Also, the fact that they ordered something from you in the past does not mean they want to be part of your bulk email shots.

To comply with GDPR provisions, you will have to ask for explicit consent.

This means you must present a checkbox that is NOT pre-selected, accompanied by clear information on how you will use their information.


If they tick the box and proceed, that is considered valid consent, and you are GDPR compliant.

Be transparent about how you use information.

As a digital marketing agency, let’s say you run targeted ad campaigns, and to do so, you use web cookies to analyse user interests & browsing patterns.

Now, with consent as your legal basis, you need to inform users about your actions in plain and simple English. To do this:

  • Pop up a cookie banner on their screen.
  • Add a link to your Privacy Policy web page.
  • The privacy policy must provide detailed information, such as:
    • What data you collect,
    • Why and how you’ll use it,
    • How long you’ll keep it (or how you decide this),
    • Who, if anyone, you’ll share the data with.
  • Provide an option to change cookie preferences.
  • Make it easy to withdraw consent.


Offer an easy opt-out option.

When people subscribe to a newsletter, it is not for a lifetime.

Marketers need to provide users with an easy opt-out option.

Within your bulk email shots, include an unsubscribe link so that if the user is no longer interested in receiving emails, they can simply opt out!

Also, if you use web cookies to collect data, it is important to allow users to manage their preferences or withdraw their consent.


Respect users’ rights

GDPR provides consumers with various rights that they can exercise in respect of their data collected by an external party. These rights include:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability
  • Right to object

While you should respect all of these rights, the right to be informed is the most important.

By providing the user with information about what data you collect, how you use it, and how long you store it, you protect their right to be informed.

However, there are other rights as well. Users can object to your use or storage of their information, request access to it, and even demand its erasure.

In that case, by deleting their information you protect their right to be forgotten.

Consider sending mail to generic B2B email addresses

This is because generic business email addresses do not fall under GDPR.

GDPR deals with PERSONAL DATA, so if you send an email to a business entity, i.e., an email address that does not include any personal name or personal information, it will not be against GDPR provisions.

Let’s say you email [email protected]; it will not require any prior consent because no personal information is included.

However, if you send an email to the business address of an employee or any other individual, that person’s consent is required.

For example, if you want to send an email to a company employee like [email protected], then consent is required.

However, whether you send mail to a personal or a non-personal address, providing an easy opt-out option is highly recommended.

Penalty for Non-compliance

GDPR imposes heavy penalties for non-compliance with its provisions. GDPR can levy the following two tiers of fines:

Tier 1 - Up to 10 million euros or 2% of your annual global turnover, whichever is higher.

Tier 2 - Up to 20 million euros or 4% of your annual global turnover, whichever is higher.

Which tier will be applicable to you depends on the severity of the infringement.

Infringements of basic principles such as lawfulness of processing and obtaining consent all fall under SEVERE INFRINGEMENT.

Because consent is your legal basis as a digital marketer, a failure here would attract the more severe penalty.

The bottom line: keep a record of consent.

Obtaining consent from users is one thing, but proving that you have the consent is another.

GDPR also requires companies to keep a record of these consents. This means you must be able to demonstrate:

  • when and how you obtained the consent, and
  • what information users were provided.
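The explicit-consent rule above (no pre-selected checkbox, granular purposes) and this record-keeping requirement are two sides of the same design problem: the system that captures consent must also produce the evidence. The following is an added example, not code from the original article or any product it describes; the `ConsentLedger` class, its method names and the sample notice text are hypothetical, constructed for illustration. It refuses to store consent that would not stand up (a box that was pre-ticked, or never ticked), records one entry per purpose with a timestamp, the capture method and a hash of the exact wording shown, keeps withdrawals as history rather than deleting the grant, and can answer whether consent for a given purpose was valid at a given moment.

```python
"""Consent ledger: capture explicit consent and keep the evidence GDPR asks for.

Added example; ConsentLedger, record_consent, withdraw_consent, has_consent
and evidence are hypothetical names, not the article's or any vendor's API.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional

# Purposes a marketer might ask for separately (granular consent).
PURPOSES = {"newsletter", "sms_offers", "analytics_cookies"}


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str
    granted_at: datetime
    method: str                 # how consent was obtained, e.g. "signup_form_v3"
    notice_hash: str            # sha256 of the exact wording shown to the user
    withdrawn_at: Optional[datetime] = None


class ConsentError(ValueError):
    """Raised when the offered evidence does not amount to valid consent."""


class ConsentLedger:
    def __init__(self):
        self._records: list[ConsentRecord] = []

    def record_consent(self, user_id, purposes, checked, preselected, method,
                       notice_text, at=None):
        """Store one record per purpose; reject anything that is not affirmative."""
        if preselected:
            raise ConsentError("pre-selected checkbox is not affirmative consent")
        if not checked:
            raise ConsentError("user did not tick the box; no consent given")
        if not purposes:
            raise ConsentError("consent must name at least one purpose")
        unknown = set(purposes) - PURPOSES
        if unknown:
            raise ConsentError(f"unknown purposes: {sorted(unknown)}")
        at = at or datetime.now(timezone.utc)
        # Hash the notice so you can later prove which wording the user saw.
        notice_hash = sha256(notice_text.encode("utf-8")).hexdigest()
        for purpose in purposes:
            self._records.append(ConsentRecord(user_id, purpose, at, method, notice_hash))
        return notice_hash

    def withdraw_consent(self, user_id, purpose, at=None):
        """Mark active grants as withdrawn; the history stays for accountability."""
        at = at or datetime.now(timezone.utc)
        changed = 0
        for i, rec in enumerate(self._records):
            if rec.user_id == user_id and rec.purpose == purpose and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=at)
                changed += 1
        return changed

    def has_consent(self, user_id, purpose, at=None):
        """Was there valid consent for this purpose at the given instant?"""
        at = at or datetime.now(timezone.utc)
        return any(
            rec.user_id == user_id and rec.purpose == purpose
            and rec.granted_at <= at
            and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self._records
        )

    def evidence(self, user_id, purpose):
        """The records you would show a regulator: when, how, and what was said."""
        return [r for r in self._records if r.user_id == user_id and r.purpose == purpose]


# Constructed sample notice text; in practice this is the copy next to the checkbox.
NOTICE = "We will email you our weekly newsletter. You can unsubscribe at any time."


def demo():
    """Walk through a pre-ticked attempt, a valid grant, and a later withdrawal."""
    ledger = ConsentLedger()
    t_grant = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    try:
        ledger.record_consent("u1", ["newsletter"], checked=True, preselected=True,
                              method="checkout_form", notice_text=NOTICE, at=t_grant)
        preticked_rejected = False
    except ConsentError:
        preticked_rejected = True
    ledger.record_consent("u1", ["newsletter"], checked=True, preselected=False,
                          method="signup_form_v3", notice_text=NOTICE, at=t_grant)
    ledger.withdraw_consent("u1", "newsletter", at=t_withdraw)
    april = datetime(2024, 4, 1, tzinfo=timezone.utc)
    july = datetime(2024, 7, 1, tzinfo=timezone.utc)
    return {
        "preticked_rejected": preticked_rejected,
        "newsletter_in_april": ledger.has_consent("u1", "newsletter", at=april),
        "newsletter_in_july": ledger.has_consent("u1", "newsletter", at=july),
        "sms_in_april": ledger.has_consent("u1", "sms_offers", at=april),
        "evidence_count": len(ledger.evidence("u1", "newsletter")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `has_consent` taking a timestamp is that a complaint about an email sent in April is answered by the state of the ledger in April, not today; and because withdrawals are recorded rather than rows deleted, the same ledger shows that the user was honoured when they unsubscribed.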

By doing so, you will be able to protect yourself against any false claims of breaching privacy!

I hope you enjoyed reading through the article!

To read more such articles, check out our blog. Here we share valuable information on topics like ChatGPT, Google Bard, AI, Digital Marketing and more.