We’re busting 3 myths about GDPR for marketers

12 September 2017 by Mark Williams

If you search for ‘GDPR’ on Google, you’ll get more than five million search results. Even a more targeted search for ‘GDPR for marketers’  will get you more than one hundred thousand. There’s a lot of information on GDPR out there, sure, but not all of it is reliable. 

This month Elizabeth Denham, UK Information Commissioner, voiced her concerns about the proliferation of GDPR myths on the Information Commissioner’s Office (ICO) blog. Here’s what she said: 

“For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.

But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.”

At Pensar, we firmly believe that knowledge – not fear – is the key to achieving compliance with the GDPR. So we’re going to join the ICO and bust 3 common myths about GDPR and marketing.

1. Marketers can only process data if they have explicit consent

Much ink has been spilled on the importance of consent under GDPR. Here’s what we know for sure: 

  • The GDPR does say that pre-ticked, opt-in check boxes do not count as valid consent;
  • The GDPR does require organisations to make it easy for people to withdraw their consent; and
  • Under the GDPR, organisations must explain consent using clear and plain language.

Does this mean that businesses and marketers must have explicit consent before they can process data? No.

For data processing to be lawful in the eyes of the GDPR, you must identify a lawful basis for processing personal data. And consent is just one example of a lawful basis. Other lawful bases include:

  • Processing for the performance of a contract;
  • Processing for compliance with a legal obligation;
  • Processing for the performance of a task carried out in the public interest.

Here’s the bottom line: consent is just one mechanism for achieving compliance with the GDPR. As a marketer, you can rely on other lawful bases in addition to (or apart from) consent – for example, where processing is necessary for your organisation’s or a third party’s legitimate interests. Review the full list of lawful bases on the on the Information Commissioner’s Office website and see if any of them apply to your business.

Data protection for marketing agencies

2.  Marketers need to ‘refresh’ or re-collect consent from existing customers and users before May 2018

The GDPR does not require you to automatically refresh, ‘repaper’ or re-collect existing consent from your customers.

If you’re relying on consent as your primary lawful basis for processing data, you need to make sure that the consent you’ve collected meets the GDPR standard and is specific, detailed, properly documented and easily withdrawn.

If you don’t think you meet the standard, you’ll need to change your consent mechanisms and seek new GDPR-compliant consent – or establish another lawful basis for processing data.

Pro tip: if you’re still confused about consent, take a look at the ICO’s guidance on consent under GDPR.

 

3. You only need to worry about your own compliance

Under the GDPR, there are three types of people: data subjects, controllers and processors.

Data subjects are the people whose data is being collected, processed and stored. These are your customers, product users, employees or any EU citizen you collect personal data from.

A data controller is the person whom the data subject entrusts with their personal data. The controller decides how to use and handle that data. The data processor, on the other hand, is the person or entity that actually handles personal data as mandated by the data controller.

So if you’re selling a product to EU citizens online and using Shopify as your ecommerce platform, then you are the controller and Shopify is the processor. If you then contact your customers using a platform like MailChimp or HubSpot, then they’re also processors of your customer data.

Of course, a business can be both a controller and a processor. But here’s the thing: as a controller you’re responsible for the data you collect, and you need to make sure that the processors you use to handle that data are compliant with the GDPR. It’s not enough to be compliant yourself and turn a blind eye to your processor’s compliance (or lack thereof).

Fortunately, many marketing and ecommerce platforms have pledged their commitment to GDPR. HubSpot has published a whitepaper about it, and MailChimp has updated its Data Processing Agreement accordingly.

What marketers can do today to prepare for the GDPR

The GDPR is a positive step towards a more transparent, safe future in which consumer privacy is properly protected. It’s also a great opportunity for marketers, and a source of competitive advantage for agencies.

Now that you’ve got the facts, here’s what you can do today to prepare for the GDPR:

Data protection for marketing agencies

Remember: knowledge is power. Here’s more helpful information on the GDPR: