You’ve all heard of it. Those four letters that have been causing nightmares for marketers and anyone with a database! It is now less than 100 days until the new regulations come into force. If you are like most people (including me) you’ve been reading as much of the material out there as you can, to try and get a handle on what GDPR means for you.
With so much written on the topic you’d expect to be able to get a grasp of what it will entail. However, as is often the case with regulations and legislation, it seems to be open to interpretation and ambiguity. This has led to so many different assumptions and interpretations that the contradictions don’t help you to understand it at all. You can’t even tell if what you are reading is true. Experts have been popping up all over the place to offer help and support to those with limited knowledge, making a tidy little profit in the meantime, but they could be of great use.
The initial fears have somewhat dissipated but there is no denying that the data world is being shaken up. GDPR is coming in to place stricter rules on the processing and storing of data, which means that we as consumers are being offered more protection, so it is a good thing, right? The ICO bulletins, blogs, and interviews advise that, provided you have adhered to most of the current legislation in place, you are likely on the right path already, and these changes are more a case of tightening up good practices to make them better. So perhaps this isn’t all doom and gloom?
GDPR, for consumers, is putting more security in place for our data and while the early fears were that B2C databases were about to become obsolete, it seems easier to understand the things you need to do to make sure you stick to the new regulations. The ambiguity seems to be surrounding B2B databases. Perhaps it is less ambiguous and more a case that B2B marketers have been hoping that they will not be subjected to major changes. Either way, from the latest updates, corporate email addresses and other contact details are personal data.
Much of the wording in GDPR is related to the processing of data. Do not confuse this with the use of personal data. You might have the right to process the data, but that doesn’t automatically mean that you have the right to use that data; for that you will also need to look at the new ePrivacy Directive. Overall there is a much greater move towards prior consent needing to be given, an “opt in”.
There are still going to be ways to process data for marketing. You’ll hear a lot about Legitimate Interest over the coming months, and certainly in the first 6 months post-GDPR. Essentially you would need to look at whether or not a user should expect the processing to take place. Do you need to process the data for the function of your business? If you are a marketing company then you would need to know the marketing managers at organisations in order to pitch them your products and services, which could help their business grow through advertising. Is that legitimate interest? The regulations surrounding legitimate interest point out that it “must be real and not too vague”. Not too vague… I’m not sure of the legal definition of “too vague”, a subjective term that is likely to be worked out over the few years post-GDPR in court rooms!
Unfortunately, I’m not sure we will fully understand the full implications, dos and don’ts, or even the full extent of GDPR until after it is in force and a few unfortunate organisations have found themselves subject to the new fines for breaches. It is certainly an interesting time, but as yet I’m not sure you’ll find the answers you want. Check out the DMA and ICO for checklists and data audit templates. Look at GDPR and the ePrivacy Directive and try to plan as best you can; everyone is in the same boat.