Today is Data Protection Day! A reminder of the never-ending challenges many marketers and brands face regarding their data.
The last year has been interesting, to say the least. For many companies it has meant completely rethinking months of strategies and customer communications to align with government guidance and changing customer behaviours. Needless to say, we were all running around like headless chickens and naturally a lot of things fell by the wayside.
For Data Protection Day, our team have put together some guidelines to make it just that bit easier to get things done this year and ensure your data is accurate, up to date and protected.
It’s no wonder a lot of confusion still exists around when and how to use the key lawful bases for processing data for marketing purposes: consent and legitimate interest.
Legitimate interest, based on the ICO’s definitions, is the most flexible of the six legal bases for processing personal data, and it can therefore be applied to many different situations. It is, for example, the most appropriate basis when processing data is of a clear benefit to you or others, there is limited privacy impact on the individual, or where an individual would reasonably expect their data to be used in that way. The balance of fundamental rights is of equal measure and transparency is crucial when making these decisions.
GDPR specifically states in recital 47 that direct marketing may be considered a legitimate interest, albeit upon the appropriate and thorough application of a balancing test. By balancing the business and marketing objectives with the rights of the individual – with a good dose of common sense – and documenting it in a professional and trackable manner by completing a Legitimate Interest Assessment (LIA), marketers can use this basis for marketing with more confidence.
The balancing test for legitimate interest also applies to prospect data and data sourced from third parties, as well as first-party data. There is nothing in the GDPR that prohibits the use of third-party data, provided that it is undertaken in accordance with the data protection principles and regulatory guidance.
When it comes to consent, this is what the ICO has to say: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”
This means that, in many instances, consent may not be required. However, some examples of when it is required involve the use of electronic marketing (including email), and this is where GDPR and the Privacy and Electronic Communications Regulations (PECR) dovetail, i.e. email marketing requires consent and the requirements for consent are set out in PECR.
Fundamentally, the GDPR is intended to build and maintain trust with consumers. That means applying both rigour and common sense when balancing commercial interests with consumer rights and regularly testing that decision to ensure it is the right approach.
The days of privacy being a box-ticking exercise are well and truly gone. The principles of privacy by design and ‘responsible marketing’ have to be embedded in businesses now. Challenging but necessary – but those businesses that get these fundamentals right will reap the rewards.