Data ProtectionPrivacy

Top 5 answers on how direct marketing changes with the GDPR

Direct marketing will be among the areas more affected by the EU Privacy Regulation, but how can you get ready and gain advantage from it?

My personal experience is that marketing managers are panicing because of the potential impact of the EU Privacy Regulation (GDPR) on their CRM related activities that have been doing for years and on which their business considerably relies. There is no doubt that a cultural change will be required on how privacy compliance needs to be approached, but there are ways to minimize the negative impact of the GDPR and somehow also get advantage of it.

I summarized my position also in the video below in Italian as part of my videoblog series Diritto al Digitale, while the topic is covered in more detail in English below

1. Are privacy consents previously obtained valid?

I discussed in detail in this article on the requirements applicable to privacy consent under the GDPR. The Article 29 Working Party requires a higher level of detail in privacy consents, especially for profiling and direct marketing purposes. This means for instance that privacy consents obtained under the previous regime, even if compliant with the previous position taken by data protection authorities, including the Italian privacy authority in its guidelines on marketing practices, might no longer be valid.

This would be the scenario applicable for instance to single marketing consents obtained for direct marketing practices of the company, acting as data controller, as well as third parties, even if they are part of the same group.

2. What can you “save” of consents previously obtained?

This is an assessment to be run on a case by case basis. However, for instance you might reach the conclusion that a broad marketing consent referring to the products of the contracting party and its affiliates can be considered valid only in order to enable marketing activities of the contracting party. On the contrary, with reference to other scenarios a new privacy consent(s) shall be obtained.

3. What to do in order to collect new privacy consents?

The strategy that we are currently adopting for many clients is to put in place right now a “transitional” privacy information notice and privacy consents that are compliant with both the current data protection regime and the GDPR which would lead to two major advantages:

  1. under the current regime where fines are lower it is possible to immediately “cure” marketing lists, also for instance by means of initiatives of gamification; and
  2. on the 25th of May 2018 it will not be necessary to send a new privacy information notice to thousands (if not millions) of individuals since the adopted privacy information notice is already GDPR compliant.

4. Is legitimate interest an opportunity for direct marketing?

This is the hottest question for many of our clients and I discussed the topic in detail in this article. The GDPR refers in its recitals to the possibility to rely on legitimate interest for direct marketing purposes.

However, data processing activities based on legitimate interest need to be the result of a “balancing test” between the interests of the data controller (i.e. the company willing to advertise its products/services) and those of individuals who will receive direct marketing communications. Therefore, subject to a deeper assessment of the peculiarities of each case, direct marketing and even profiling activities can fall under the scope of legitimate interest and therefore not require a consent

  1. If it is identified also an interest of customers to the performance of marketing/profiling activity e.g. in relation to limited segmentation activities that allow to send offers only to customers that might be interested to it or be in the position of actually purchase advertised products;
  2. If the segmentation/profiling is not excessively invasive and marketing activities are not excessively aggressive; and
  3. It is given the right to individuals to object to marketing activities based on legitimate interest.

5. How long can direct marketing be performed for?

As discussed in this previous article, marketing and profiling consents obtained as part of a contractual relationship cannot be processed for that purpose during an unlimited period of time. The privacy information notice shall indicate the applicable retention period(s) and this shall be implemented in the information systems to avoid further processing activities.

Once the retention period has expired, if no other contract is in place between the parties, it might be possible to ask individuals to subscribe to a newsletter service.

Do you share my recommended actions? What is your view on the above? If you found this article interesting, please share it on your favourite social media. Also, you may find also interesting my series of blog posts on the most relevant issues addressed by the GDPR

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

#21 Privacy information notice: how to make it transparent when it’s complex?

#22 How direct marketing changes wih the GDPR?


Follow me on LinkedIn – Facebook Page – Twitter – Telegram – YouTube  Google+

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world leading law firm DLA Piper. Top global IoT influencer and FinTech lover, finding solutions to what's next for our clients' success.

Related Articles

Back to top button