Welcome to the Tuesday 2¢ . It’s Tuesday, the weekend is a distant memory and it’s time to let off some steam and give our 2 cents on a hot industry topic. This week Ian Truscott considers the build of our marketing houses, what they are made of and if they will survive the upcoming storm of GDPR.
I’ve been talking about GDPR a lot and previously I’ve described this as an opportunity , but in this post I thought I’d share some useful facts about GDPR from our own experience.
My personal experience of GDPR is, that while I discuss with my team our marketing campaigns, double-opt in and our painstaking adherence to the rules, another 5 messages will pop into my in-box from organizations I’ve never subscribed to. The BEST one today offers me advice about GDPR!
Like many consumers, both in my personal and professional life, I am really looking forward to some of this noise that’s in my inbox to subside.
Marketing Week recently reported that UK fashion retailer ASOS is expecting a slight drop in sales, due to GDPR. And some marketing teams, like British pub chain Wetherspoons , decided to chuck it in, throw away their database and start from scratch. This shit is real.
It made me think about the story of the three little pigs: From May 1st on, the big bad wolf of GDPR is coming to blow your house down, and it seems that some organizations are not sure if they have built on brick, sticks or straw. So, how do you know what your marketing house is made of?
My colleague Manuel Weiss ( who you might have seen on Inside censhare ), our data protection officer, is our guide on these matters. He has written a documentation (that is available to clients) where he states:
"In order to be allowed to process personal data, you need to either have the explicit consent of the person, or a legal foundation (like a commercial contract, business relationship, employment etc.). If you build your data processing on a person’s consent, it is inevitable to document this consent. This can be in writing or using a tool."
Consent is the keyword here and if you don’t have it, you’ve chosen straw.
But even if you have consent, let’s not jump to the conclusion that you’ve got brick. There still could be flaws in your building material of choice, that makes you vulnerable when the huffing and puffing starts.
The next question is; what do you have consent for?
Again, I will quote from my friend Manuel:
"One of the guiding principles of the GDPR is data separation. The principle implies that data collected for one purpose may not be used for another purpose. As an example, if you have a contractual relationship to send invoices to a person, it does not mean you are allowed to sell this address data to address dealers. This may also mean that data used in one department (like Finance) cannot simply be used by another department (like Marketing)."
Not got the right consent? Then little piggy you got sticks and oh man that angry old wolf has already blown through your brother’s straw house.
But, even if you’ve got consent, for the purpose of marketing, can you feeling confident your house is up to code?
What about that pig from the neighboring village that built your extension – the outbound agency you opened your data up to? Can you feel hot wolf breath coming through the gaps?
Quoting again my data man Manuel:
"Further contractual requirements apply if you either have “sub-contractors” (that would include Freelancers), or if you process personal data of EU citizens in countries outside the EU. In these cases, you will need either data processing agreements (between you and all sub-processors) or EU standard contractual clauses (aka EU model clauses) for processing data outside of the EU."
Now, I am not suggesting this is the definitive post on GDPR. Outside providing best GDPR practice on using our product, we don’t provide general GDPR advice and if you are unsure, it’s important to consult a professional. Rather than that random dude that emailed me today, I’d recommend Tim Walters - if you don’t have a subject matter expert in the business, like we do.
However, I hope these three main points are useful to give you some idea of your readiness for GDPR – because here comes the wolf.