GDPR -Bad things happen when good men stand by and do nothing

For me GDPR has become like a secret code word to get into any lunch, conference, party or event these days. The General Data Protection Regulation is in effect upon us although key elements are still to be confirmed. A couple of weeks ago the consultation paper on 'Consent' was published (closes March 31st 2017) and so I wanted to write this article so marketing people could understand what is about to hit them. I'm not going to hold back and will explain simply what it means. The summary is that this could easily devastate 'digital marketing' as we know it. I have worked for lots of businesses, big and small and I would suggest very few, maybe 1 or 2 are compliant and so I thought it worth sharing what it means for marketing before we are all operating illegally or fined or both.

In this article I am focusing on consent as that is the biggest area of commercial impact although, I suspect that, Subject Access Requests will be the most painful impact if the ICO does decide to make them FREE and opens the flood gates and requires businesses to make the data available on-line!

In the recently published consultation paper on consent, ( March 2nd 2017 link below) the simple rule is that consent for marketing must be freely and voluntarily given, explicit and positive. In other words a tick in the box. At the moment anything less is a breach and liable to a fine. For over a decade the ICO has accepted a variety of levels of consent but it would seem that the many other formats that have been previously accepted will no longer be valid. The 'soft opt-in' appears to have gone, although originally it was suggested that it would remain. The consultation document implies both that there is an acceptance of 'legacy' or former consents and through a confusingly worded (Recital 171), that there is a 2 year grace period to get things right. Firstly, if you read the paper carefully, historical consent is acceptable providing it conforms with GDPR and therefore the new rule,so not accepting any other form of consent. Secondly, we have had conflicting responses from the ICO about the 'grace period', I am told that yesterday, the Information Commissioner confirmed, no grace period. And worse any consent gained via 'pre-ticked' boxes is no longer valid either.

THAT MEANS THAT ON 25/5/2018 FOR ANY EMAIL ADDRESS WITHOUT THE CONSENT BOX TICKED AND AUDIT TRAIL TO EVIDENCE CONSENT, THE EMAIL ADDRESS CANNOT BE USED FOR MARKETING, no matter how good a customer they are or if they are a member of your loyalty scheme. No customer journey, no developing repeat sales, no sale period prompt no marketing to customers who have bought without a positive opt-in!

That is going to impact massively as businesses will have to make contact with their customers or prospects now and ask them to opt-in ( our experience is that unless they are an 'active customer' less than 5% will). We are running campaigns like this for clients in a variety of forms but inertia rules and if there isn't a customer need to do something, they won't. The ICO says this is not new and technically they are correct. They have said for some years, that 'best practice' is the empty tick box but have allowed other levels of consent that are not best practice, but legal. Now to remove that standard and insist on the higher level is at best going to be difficult. I suspect when marketing teams really understand this our email platform and opt-in campaigns will be busy for the remaining 14 months before it becomes illegal. A lot of businesses only regularly email top customers and 're-activate' older or 'legacy data' for special events such as sale events or store closures etc but they are marketing communications and will need opt-in.

Businesses will probably want to reconsider direct mailing as something that has had some resurgence recently and of course telemarketing both of which operate still at a lower level of compliance i.e. opt-out with MPS/TPS filters.

I've talked about email but this of course covers 'electronic communications' which embraces SMS and automated calls too.

One quick point on marketing to children and that is that there are new rules that require you also to hold the consent of the parent or guardian and as before be able to evidence that. Probably not unexpected or unreasonable by games or electronics tech businesses but probably a huge blow in my experience, for Music and Fashion businesses who have not collected this data before and are often not geared up to do so now.

Now to turn to B2B marketing, as I know many people are relaxed thinking their business is exempt. In reality, this will probably be the biggest impact. Sadly, it would seem that the ICO is still undecided but it would appear that they are differentiating between incorporated businesses and unincorporated. The latter group, sole traders and partnerships being treated as personal data therefore needing the 'positive opt-in' and all of the above applies. There are also discussions about what is personal and what isn't even in incorporated businesses but I am assuming that if not now, in the future it will all be controlled by the GDPR rules. Again taking the rules as they are presented with regard to marketing for consent, that means you need a tick in the box for marketing from each person. I checked this with one of my legal colleagues and as I had always used the argument that by giving me your business card, you are giving me consent.... I was shocked to hear that this is not the case and still requires a positive consent for marketing. He then went on to tell me that having the card was no proof of consent and gave me the example of a former colleague in a former business and 'opportunist salesman' who when they checked into a hotel on business, would often help himself to the business cards in the glass bowl on the hotel reception desk that had been entered into a prize draw. His argument was that anybody staying in this luxury hotel on business was probably a good prospect!

The impact on all B2Bmarketing is that since consent was not previously required nobody has obtained consent to market and so the new rules will devastate a lot of the marketing activity of many businesses and nobody seems to be aware of this 'double whammy' for this sector. The B2B marketer is left between 'devil and deep blue sea' when it comes to emailing as the ISP's block emails that rely too heavily on 'role accounts' i.e. sales@ enquiries@ etc but that is what the ICO wants us to use.

The industry of business list rental will probably be over because also the rules on 3rd party opt-in are clear and explicit, applying to both B2B and B2C, you need to get consent to each use of the data so 'carefully selected 3rd parties' can no longer apply in the new regime. Thankfully, we have developed a solution to this a few years ago in preparation for the new rules with 'Coalition Marketing' which we had the ICO look at in 2015. I suspect prospective users will now understand more why I was banging the drum about it over recent years and we will be revealing it again shortly now that we can build it around the new rules.

That brings me finally for this article, to consent for ‘processing’ which again whilst this is not new, the rules are again making this more explicit so that each type of processing requires a separate opt-in. The opt-in to accept marketing needs to be carefully considered, it can’t be too general and cover other things but also it must not be too specific as that would restrict its use. For example, to consent to receiving a newsletter is not the same as receiving promotional emails or marketing in general. A lot of websites invite people to sign up to their newsletter but that is a sole a specific purpose.

I would like to acknowledge the help and contributions from my colleagues who are often much closer to the ‘coal face’ in terms of detail on GDPR as my focus is very much marketing and theirs is a much wider remit. In particular, both David H Taylor and Mark Child have been able to help me explore what can and can’t be done and I am grateful for the time they have invested too. If anybody needs any help or specific advice, I'd be happy to put you in touch.

There will soon be more articles and material concerning GDPR, 'Customer Farming' and 'Intelligent Marketing' and a timely launch of 'Coalition Marketing', our compliant email prospecting tool.

It was my mother who provided two very prophetic and probably useful pieces of advice or sayings, the first was that sometimes I should keep quiet and then people could only think that I’m a fool. The second that often drives me on with things like this ‘Bad things happen when good men stand by and do nothing’. In this case, we've all let it happen I suspect and to now do nothing will result in at least some loss of business or risk significant fines. I welcome your thoughts and comments.

by Rob Bielby, CEO, The Marketing Innovation Group

Click here to contact Rob