The GDPR has an effect on virtually every type of business. Let’s begin with what might come as a surprise: most direct marketing is not affected by the GDPR at all. This is the domain of the ePrivacy Directive that has been in place for years. The number of e-mail consent requests you might have received in the days surrounding May 25th may suggest otherwise, but these actually have little to do with the GDPR.
The ePrivacy Directive is the cornerstone for marketing departments using electronic communications for their activities. This will be replaced by the ePrivacy Regulation. A regulation is a legal instrument that has direct effect across the European Union, whereas a directive has to be implemented into national legislation by the Member States. But this replacement takes time as negotiations between European institutions are still under way. So meanwhile, for unsolicited marketing, you’re still bound to the national rules in place following the ePrivacy Directive: there are currently no changes in that department.
…and the GDPR
In general, the GDPR does not dramatically change the protection of personal data. All in all, the processing of personal data – also in marketing – is still bound to a few important principles. First, there should be a clear and precise purpose for the processing activity. Second, there should be a suitable legal ground for the processing. For normal personal data, the GDPR specifies six different grounds, as did the former framework for Data Protection, laid down in the 95/46/EC Data Protection Directive.
According to the GDPR, data processing can be legally done:
- If the data subject has given consent,
- If it is necessary for the performance of a contract,
- If it is needed:
  - For compliance with a legal obligation (art. 6c),
  - For protection of the vital interest of the data subject (art. 6d),
  - For the performance of a public task (art. 6e), or
  - For the purpose of the legitimate interest of the controller.
So, the good news for the marketing department is that not all their e-strategies will be illegal under the GDPR if they are already aware of the ePrivacy Directive. However, it will depend on the type of activities they undertake for marketing purposes. For example, if a customer has given their consent to receive e-mails from your company, then you can contact them only via email; you are not permitted to call or text-message them, based on art. 6a GDPR.
There exists another ground on which you might (legally) base your e-strategies though. Article 6f of the GDPR states that if you can establish that the ‘legitimate interests’ of your company are not overriding ‘the fundamental rights and freedoms’ of the customers you want to contact, then you can base your phone calls or other marketing strategies on this ground. This balancing test is key for the application of article 6f GDPR and it is not as easy as it seems to be. You need to take into consideration the impact of your processing activities on the individuals concerned. Your customers should not be subject to misuse of their personal data. It is a stringent test to pass.
As explained above, the consent requirement is not unique to the GDPR; it was already in place and can be found under Article 13(3) of the ePrivacy Directive.
So what does change, then?
There are a series of obligations that add to the previously existing ones. Notably, the data subject has the right to data portability, but that right is not so relevant to marketing departments. Furthermore, an organisation has to keep registers of processing activities, perform data protection impact assessments on riskier processing activities and maintain a register of data breaches (and sometimes notify them to supervisory authorities and/or the data subject). Also, the sanction regime changed. Fines can now be up to 4% of worldwide turnover of an organisation.
PrivacyPerfect is a GDPR compliance tool provider working across multiple member states of the EU.