The General Data Protection Regulation (GDPR) came into force on May 25th. Cognito has been thinking about how the regulation will impact marketing and communications.
GDPR requires businesses to protect the personal data and privacy of EU citizens, but the broad scope of the regulation means any company with prospects and customers in Europe, no matter where they are located, could be impacted.
I spoke with Dov Goldman, Vice President of Innovation and Alliances at Opus, and an expert in regulatory compliance and information security, to understand how GDPR will change marketing.
Q: How will GDPR impact how the marketing function of an organization handles data?
A: Very simply, every organization has some kind of contact information. If you are in a marketing function, you are directly accessing, using and collecting data. That is directly in the crosshairs of this regulation.
Q: Does GDPR make differentiations on types of communications or is it more about the data itself? For example, is there a distinction between an advertisement or sending updates to clients?
A: GDPR contains the concept of processing personal data for carrying out obligations. If you have a pre-existing obligation or agreement with someone, that should be fine. It is considered on par with consent of a data subject.
Q: What core concept should marketers take away from GDPR?
A: The concept underlying all of this is data protection by design and by default. Let’s say you are getting data from someone. What benefit is it to them to share their data? Can you explain that explicitly to them? Can you explain explicitly how long you’re going to keep that data and what you’re going to do with it? How do they gain access to that data? I have your data – have I explained to your satisfaction how you’re going to benefit from my use of it?
Q: Let’s talk about something common in marketing, which is the acquisition of emails and lists. What category do you see that falling into under GDPR?
A: If you can buy a list, it’s considered public information. If you just asked me for my email, that would be different under GDPR. The concept of GDPR is an implied contract and by default this regulation has a template for that contract. There’s no contract between us if you bought my name on a list. People even say that the sign-in books in a hotel lobby can be a GDPR violation.
Q: Can an email address constitute data under GDPR? If people opt out, do I have to delete any record of that?
A: It depends.
We always knew that you couldn’t really identify somebody uniquely with only one piece of personal information. If you could get some information from public sources, it was considered lower risk because the data was already out there. The issue comes when you start putting different pieces of data together, things like names, addresses, phone numbers, birthdates, sexual orientation and ethnicity.
An email address by itself is not a huge problem because it is available elsewhere. You may not need to ask me for my email address, since it’s accessible from other sources. When I give you my email address, that’s a different story.
Q: If you would give one best practice tip for marketers as they start to think about marketing in a post-GDPR world, where should their head space be?
A: Remember the concept of the “right to object.” Individuals have the right to object to direct marketing. Marketers must make it clear to individuals how they benefit from that interaction because if they aren’t convinced, they can opt out.
In a GDPR age, marketers must understand the proper ways to handle different types of data and take steps to be more transparent as to why individuals should opt in to direct marketing. The regulation forces us to actively ensure we are serving people, changing the way we communicate.
This interview was conducted by Natasha Ramsammy, an account executive for Cognito in New York.