Data and data analysis have become the lifeblood of consumer marketing, but under the General Data Protection Regulation (GDPR), the processing of personal data will come up for review within marketing departments, in many cases drastic review. What must B2C marketers take into consideration?
GDPR entails important considerations relating to the processing of personal data.
The impact on B2C marketing is manifold. Important considerations relate to the lawful processing of personal data, the right to be forgotten and the right to object to profiling.
Let’s start with a definition: what is personal data anyway?
Personal data is defined as “any information relating to an identified or identifiable natural person.”
This begs the question: what, or indeed who, is an identifiable person? Article Four of GDPR provides this definition: “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This is a little ambiguous. In the era of big data, marketers may know a great deal about an individual without necessarily knowing their name. As the ICO, the regulator that oversees data protection in the UK, states: “Simply because you do not know the name of an individual it does not mean you can not identify that person.”
This is especially relevant in the era when big data can provide a mass of information about specific individuals, even if this information is anonymous.
The lawful basis of processing data
Under GDPR there are six lawful bases for the processing of personal data. These are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
B2C marketers are likely to put emphasis on legitimate interests and consent.
Focusing on consent, there are specific requirements under GDPR.
GDPR sets high standards for consent:
- Consent must be unambiguous and involve a clear affirmative action.
- Consent should not normally be a precondition of signing up to a service.
- It bans pre-ticked opt-in boxes.
- It requires granular consent, meaning consent must be specific to processing operations.
- Records showing consent must be maintained and clear.
- Right to withdraw: This is a specific right under GDPR. It is important you clearly communicate to people their right to withdraw and provide an easy way for them to withdraw consent.
- For public authorities, or employers and other organisations in a position of power, securing valid consent is harder.
The ICO says that, “You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.”
Legitimate interest
Because of the strict rules and requirements for consent, some marketers may instead rely upon legitimate interests to lawfully process data. Under legitimate interests, it is possible for marketers to contact customers with a new offer or details of a product, provided the content is relevant and appropriate based on past purchases.
Right to be forgotten and individual’s control
GDPR allows individuals to contact an organisation and request that data held about them is:
- Rectified
- Erased
- Portable – meaning data held can be supplied to individuals at their request in a readable or machine-readable format.
But these days, data can be analyzed and processed to create a detailed profile of individuals for use, for example, in the targeting of advertising.
The new ePrivacy Regulation, currently in draft form, will relate to profiling. The regulation will require extra consent if you take data for which you have already received consent and use it, for example, to analyze buying behavior with AI.