Our guide to GDPR for marketers (marketing agencies and in-house marketing teams) provides an in-depth analysis of the impact that GDPR will have on those involved in marketing, in particular digital marketing.
We also look at what you need to do to ensure that marketing campaigns that you work on remain compliant and you, and your client, does not breach GDPR and become liable for a fine.
What is GDPR for Marketers?
As a practising solicitor and digital publisher / marketer myself, I have set about to create the most comprehensive online guide to GDPR for those involved in marketing. The guide covers:
- What is GDPR?
- Understanding Personal Data
- The 6 New Data Protection Principles
- The 8 New Rights Individuals Have
- The 6 ‘Lawful Processing’ Grounds
- Lead Generation Forms and Consent
- The Data Storage Limitation
- GDPR and Display Marketing
- Privacy Policies and ‘Prescribed Information’
- Data Processor Issues
- Self-Reporting Breaches
- Fines For Breaching GDPR
- What Documents You Need to Comply
What is GDPR
GDPR is a European Regulation that will become law in the United Kingdom on 25th May 2018. It aims to establish a new set of legal principles and rules for the collection, storage and use of personal data.
GDPR focuses on three key areas:
- Good information governance
GDPR creates significant new rights for individuals regarding the collection and use and storage of their personal data. Under GDPR individuals are called ‘data subjects’.
GDPR also makes data processors (the party actually doing something with the data – very often this will be the marketing agency) directly liable for their own breaches. Later in this guide I’ll go through how data processors can now find themselves liable for omissions made by their clients and how to ensure that this does not happen.
When talking to clients about the impact of GDPR on their business I am often asked what impact Brexit will have on this topic. Will GDPR still apply after we leave the European Union?
The answer is “yes”, it will still apply because in England and Wales we are implementing the Data Protection Act 2018 that will copy the law set out under GDPR into domestic law immediately post the UK leaving the European Union.
Understanding Personal Data
The rules set out in GDPR apply to ‘personal data’. Non-personal data is excluded, so if you are a marketer working on B2B-only campaigns GDPR is not going to have such an impact on you. Most business data is not caught within the scope of GDPR (however job titles and business email addresses do fall within the definition of personal data).
So what counts as ‘personal data’?
GDPR defines personal data as:
“any information relating to an identifiable person”
This new definition is massively broader than the existing definition that applies under the Data Protection Act 1998.
Currently data only counts as ‘personal information’ if you can identify the individual by the data in question.
So someone’s full name currently counts as personal data but just a first name alone would not.
An email address like firstname.lastname@example.org would not count as personal data under the Data Protection act 1998 because you cannot identify the individual that it relates to from the information in the email address.
However, under GDPR’s new sweeping definition, this email address would be caught because it relates to an identifiable individual.
The new definition of personal data is extremely broad and designed to include ANY information relating to a particular person.
For this reason marketing agencies working on B2B campaigns need to build GDPR compliance into their client campaigns.
The 6 New Data Protection Principles
Within GDPR there exists six specific principles that set out the main responsibilities of organisations that are collecting and making use of personal data.
These are set out in Article 5 of the Regulations. I’ll guide you through each of them below.
Responsibility for compliance
The regulations state that the ‘data controller’ is responsible for ensuring that they and any data processor that they work with complies with the six GDPR principles.
The data controller is defined as “the person who determines the purpose for which, and manner in which, personal data is collected and used”.
The ‘data processor’ is defined as “any person who processes the personal data on behalf of the data controller”.
On many of the campaigns that a marketer works on both the client and the marketing agency will be the data controller. This will largely depend on how much autonomy the marketing agency is given. I.e if it is deciding what data is to be collected, how it is collected and then used, it will be the data controller, but if the client is taking these decisions then it will be the controller.
Again, both client and marketing agency may also be the ‘data processor’. If the client does not do anything itself with the data and contracts the agency to do all the ‘processing’, then just the agency will be the data processor.
However, in reality many clients will do some processing in house and so, in those circumstances, both the client and the marketing agency will be the data processors.
A party can therefore be both a data controller and a data processor in relation to the same data!
It should also be noted that a data processor can appoint a sub-data processor where it outsources part of the processing requirements. This will be common where the marketing agency engages third party services, such as cloud storage providers for storing campaign data, and / or email service providers for the delivery of email campaigns.
The 6 Principles Explained
Let’s take a close look at the six principles because they shape how to approach GDPR compliance.
Lawful, fair and transparent processing
This principle requires that data can only be collected and then processed if doing so can be justified on one of six grounds that are set out later on in the Regulations. This is the ‘lawful’ element of this principle.
The ‘fair and transparent’ element of the principle refers to subsequent articles in GDPR that require that a data subject (the individual whose data is being gathered) is told how their data is being collected.
Collected for specified specific purposes
Once collected, the personal data must not be used for any reasons beyond what the individual was told the information would be used for.
Under this third principle the data that is collected must only be used for the purpose for which it was originally collected. So, for example, if data is collected to deliver a guide to a website visitor, then the data that is collected to deliver that guide can only be used for that specific purpose, unless, of course, the individual is told that their data is also being collected for an additional purpose at the same time!
Yes, giving away content in order to build email databases will still be viable, but a few campaign adjustments will be required, as you’ll discover below.
All personal information that is collected must be maintained in a matter that maintains its accuracy. This is a fairly straightforward principle and simply requires that any personal data that is held must be updated if needed in order to maintain its accuracy.
The Regulations state that if a party storing personal data is notified of any change to that data, then it must update the data without undue delay.
Personal data should only be stored as long as is required to fulfil the purpose for which it was collected. Unhelpfully, GDPR does not set out any examples of how long that should be.
This creates many questions. For example, how long should new customer data be retained? How long should contact details generated from a marketing campaign be stored for?
This particular principle is of great significance to marketers, so we’ll take a closer look at it below.
Under this final principle, all data that is collected must be stored and processed in a secure manner. There are a range of articles in GDPR that expand on this principle.
A key point to be aware of is that in order to safeguard data security there must always be a written contract in place between the data controller and the data processor.
This means that, as a marketing agency, you must put in place a written contract for your services between you and the clients that you work with.
Have you got terms and conditions for the supply of your marketing services? Ideally you should already have a contract for your services in place, but, if you don’t, that will now lead to a breach of GDPR.
GDPR sets out a series of data processing warranties that set out exactly what must be included in the contract and which I’ll set out below in this guide. The warranties are extensive and our preference is to set them out in a separate document from your main terms of business and then to include a link in the terms of business to the data processing warranties document. You can see our standard ‘Data Processing Warranties’ document template here.
Bear in mind that the written contract requirement also means that if the marketing agency is engaging third party processors to fulfil part of a campaign for them, then they must have a written contract in place with that third party service provider.
Most services that you use as a marketer will have standard terms and conditions of business. The question though is whether they contain the required minimum information and so are GDPR compliant. If they don’t, then you can use the data processing warranties document and get the service provider to confirm their acceptance of it.
The 8 New Rights Individuals Have
As a marketer that collects and processes personal data, you must ensure that it is done in accordance with the rights of the data subject. In addition, it is a requirement that the individual is told of their rights.
The 8 new Rights of the Data Subject are:
Right to be informed
Under GDPR, the data subject has the right to be informed (a) what information is being collected, (b) why it is being collected and (c) how it will be stored.
In addition, they have the right to be informed of their rights under GDPR whenever their data is collected, along with a range of other details relating to the identity of the data controller and the use of the data being collected.
Right of Access
All individuals have a right of access to the information that has being collected and may be processed. This is known as the subject access request – a right that already exists under the Data Protection Act 1998.
One key change, however, is that it is no longer lawful to charge the individual a fee for supplying them with a copy of the personal data that is stored relating to them.
Right To Rectification
This right ties in with the accuracy principle within the six GDPR Principles. Essentially, an individual has the right to require that any personal data held in relation to them is kept up-to-date.
Right to erasure
Under this right, the individual has the right to withdraw their consent and request that personal data that is collected about them is erased.
A point to note though is that in some instances the party holding the data can still retain the data if it can rely on one of the grounds for the lawful processing of personal data other than consent (see The 6 ‘Lawful Processing’ Grounds below). In such circumstances it won’t be necessary to delete the data; a point we’ll look at in detail later on.
Right to restrict processing
This right enables the individual to limit the use that is made of their personal data after it has been collected. For marketers this means that your CRM or other database needs to be able to list the different processing activities or methods of processing that the individual has previously consented to.
For example, it may be that they have initially consented to receive marketing communications by email, phone, SMS and post. Subsequently if they contact you, or your client, it must be possible to record any changes that they request.
Right to data portability
This right allows an individual to obtain a copy of their information in a format that makes it easy for them to reuse that data. They are able to specify the format the data should be in within reason.
For the marketer it essentially means that you need to keep data in a format that can easily be handed over to the individual should they initiate a subject access request and ask to receive a copy of the personal data that is held on them.
Right to stop
This is an extension of the ‘right to restrict’. Essentially an individual can withdraw consent at any time after it was given. For the marketer it is important to ensure that it is easy for the individual to do this.
Rights related to automated decision-making
An individual has the right to object to being subject to automated decision-making. This mainly applies to employers and is not an issue for marketers.
The 6 ‘Lawful Processing’ Grounds
Tied in to the first data protection principle under GDPR, i.e. “Lawful Processing” is the requirement that data is only processed where it is possible for the processor to rely on at least one of the six grounds for lawful processing.
Understanding the grounds available for processing data is important to all digital marketers as it will enable you to understand when you need specific consent, or where you may rely on one of the other grounds.
In most campaigns that you are involved with consent will be the ground that you rely on to demonstrate that the use of the data is lawful. GDPR sets a new higher standard for consent, as it must be ‘freely given, specific and informed’.
This means that consent requires a positive opt in. For marketers this means that you cannot use pre-ticked boxes or negative opt-out statements, e.g. “Tick the box if you do not wish to receive news, updates and special offers from us”.
Another factor that must be considered by online marketers is that consent to receive marketing communications must be separate from consent to a business’s terms and conditions. In practice, this will require that lead generation forms use a double opt-in.
I take a close look at this below, with an example of what a GDPR-compliant lead generation form looks like.
GDPR also requires that consent is given in a specific and granular way. What does that mean?
Well, it means that you will need to be specific in terms of the type of marketing information that you may send to the individual, e.g. news, offers, third party products / services of interest. It also means that you need to list the different ways in which the business may communicate with the individual, e.g. email, SMS, telephone and / or post.
To fulfil a contractual commitment
If a customer makes a purchase from a supplier, then the supplier will need to collect certain minimum data to enable it to fulfil the contract.
This ground means that consent is not needed to collect and process the data required in order to deliver the service or product purchased by the customer.
However, principle 3 of GDPR (Processing Limitation) means that the supplier cannot use the information collected for any other purpose (without consent). So this data cannot be used later to send follow-up marketing materials, such as a newsletter. To do that, consent would need to have been obtained at the point of sale.
To comply with a legal obligation
In certain circumstances, a party will have a legal obligation to collect and store data. This is unlikely to apply to the clients of most marketing agencies. It would cover, for example, a house builder that is legally required to provide an NHBC warranty and so needs to collect, process and store certain data to enable it to do that.
This is a vague ground, but essentially, if collecting and processing data is needed in order to save a life, then this ground covers that.
A ground for the security services or other public bodies to rely on!
This is the most flexible of the grounds and it applies where there would be an expectation of the data subject that their data would be collected and processed. It could be used by a supplier to send a follow-up email to a customer confirming their purchase or to email them a receipt.
In theory it could be used to send subsequent marketing material, but the onus will be on the supplier (and the agency if they set up the email follow-up campaign) to show that the customer would have expected this. It is far safer to get consent and rely on that.
Lead Generation Forms and Consent
Consent must be:
- Specific and informed; and
- Distinguishable from consent to the supply of a product or service.
What this means is that if you run a campaign where you offer a guide for download, for example, then you need a ‘double opt-in’. This involves having two tick boxes. One so that the individual can consent to the general terms of supply; the second so that you can seek their consent to send them subsequent communications.
Many marketers that I speak to fear the attrition rate that this will have and reduce the effectiveness of many database building campaigns. My thoughts are that the database will be smaller, but it will be far more effective – those in the database will have expressed an active desire to receive those follow-up communications.
The Data Storage Limitation
The fifth data protection principle (storage limitation) requires that data is not kept for longer than is necessary to fulfil the purpose for which it was collected. Unhelpfully, GDPR does not set out how long this should be.
However under HMRC rules a business needs to keep customer and supplier data for at least 7 years, so this sets the benchmark for customer data.
For non-customer data, where consent was used as the legitimate ground for collecting the data, then that data can be retained until the individual requests that it is deleted or that they no longer want to receive communications from the business.
GDPR and Display Marketing
We offer a GDPR-compliant cookies policy here.
Privacy Policies and ‘Prescribed Information’
- The data controller’s identity
- What personal data is collected
- How personal data is collected
- Why personal data is collected
- When personal data will be shared
- What choices the data subject has
- How long the personal data will be retained
Data Processor Issues
Article 28 of GDPR requires that a written contract is in place between a data controller and their data processor. It goes even further and sets out a range of data processing warranties. To comply with this requirement, a marketing agency not only needs to have a written contract in place for its services, but it also needs to ensure the contract contains the data processing warranties.
As I mentioned above, the warranties are quite extensive and my recommendation is that they are included as a separate schedule from the main terms. GDPR for marketing doesn’t need to be difficult.
Depending on how you put your T&Cs in place with your clients will determine what approach you should take to putting this schedule in place.
If you use short form T&Cs that you link to from your order form, then you can either (a) include the schedule at the end of these terms or (b) have it as a separate page linked to from within the main terms. (This is how our standard short-form T&Cs for marketing services are set up.)
Conversely, if you put in place a long-form contract for your services, then the data processing warranties can easily be included as a schedule at the end of that document. (This is how our long-form marketing services agreement is set up.)
Self-Reporting GDPR Breaches
GDPR imposes an obligation on the data controller and the data processor to self-report any significant breach to the ICO. However, a breach only needs to be reported when it poses ‘a significant risk of harm’ to the data subject.
If in doubt, is is better to report the breach, as otherwise your agency, and potentially your client, could be liable for a fine twice – once for the breach itself and again for failing to notify the ICO of the breach.
Fines for Breaching GDPR
GDPR raises the level of fines that can be levied by the ICO for breach of GDPR. Currently the maximum fine that the ICO can levy under the Data Protection Act 1998 is £500,000. This will increase to E10,000,000 or 2% of global turnover, whichever is the higher under GDPR.
Clearly, the massive increase in the potential fines is intended to give the legislation ‘actual teeth’ as regards the growing number of global businesses that rely heavily on data collection and processing for the revenue streams of their business. Think of Facebook and their recent data protection issues!
What Documents You Need to Comply
So you set out researching GDPR for marketers and you’ve made it to the end of this guide to GDPR for marketers. The big question now is what exactly do you need to do to be compliant. Fortunately it is simple. It involves:
- Having a record of data processing activities. Essentially a spreadsheet setting out what (a) data you process and how, and (b) any third party sub-processor that is used.
- Putting a written contract in place with your clients that includes the data processor warranties.
- Ensuring that any sub-processor that you use has a written contract with you that also includes the data processing warranties.
The Information Commissioner’s Office is also a great source for additional GDPR Guidance.
Yes, GDPR for marketers is that simple. We offer a GDPR Compliance kit for marketing agencies, which will take care of all of this for you, priced at just £99.95.