Direct marketing will be among the areas most affected by the EU Privacy Regulation, but how can you get ready and gain an advantage from it?
My personal experience is that marketing managers are panicking because of the potential impact of the EU Privacy Regulation (GDPR) on the CRM-related activities that they have been performing for years and on which their business considerably relies. There is no doubt that a cultural change will be required in how privacy compliance is approached, but there are ways to minimize the negative impact of the GDPR and even take advantage of it.
I also summarized my position in the video below, in Italian, as part of my videoblog series Diritto al Digitale, while the topic is covered in more detail in English below.
1. Are privacy consents previously obtained valid?
I discussed in detail in this article the requirements applicable to privacy consent under the GDPR. The Article 29 Working Party requires a higher level of detail in privacy consents, especially for profiling and direct marketing purposes. This means, for instance, that privacy consents obtained under the previous regime, even if compliant with the previous position taken by data protection authorities, including the Italian privacy authority in its guidelines on marketing practices, might no longer be valid.
This would be the case, for instance, for a single marketing consent obtained for the direct marketing practices of both the company, acting as data controller, and third parties, even if they are part of the same group.
2. What can you “save” of consents previously obtained?
This is an assessment to be run on a case-by-case basis. However, you might for instance reach the conclusion that a broad marketing consent referring to the products of the contracting party and its affiliates can be considered valid only in order to enable marketing activities of the contracting party. By contrast, in other scenarios new privacy consent(s) shall be obtained.
3. What to do in order to collect new privacy consents?
The strategy that we are currently adopting for many clients is to put in place right now a “transitional” privacy information notice and privacy consents that are compliant with both the current data protection regime and the GDPR, which would lead to two major advantages:
- under the current regime, where fines are lower, it is possible to immediately “cure” marketing lists, for instance by means of gamification initiatives; and
- on the 25th of May 2018 it will not be necessary to send a new privacy information notice to thousands (if not millions) of individuals since the adopted privacy information notice is already GDPR compliant.
4. Is legitimate interest an opportunity for direct marketing?
This is the hottest question for many of our clients and I discussed the topic in detail in this article. The GDPR refers in its recitals to the possibility of relying on legitimate interest for direct marketing purposes.
However, data processing activities based on legitimate interest need to be the result of a “balancing test” between the interests of the data controller (i.e. the company willing to advertise its products/services) and those of the individuals who will receive direct marketing communications. Therefore, subject to a deeper assessment of the peculiarities of each case, direct marketing and even profiling activities can fall under the scope of legitimate interest and therefore not require consent:
- If an interest of customers in the performance of the marketing/profiling activity is also identified, e.g. in relation to limited segmentation activities that allow offers to be sent only to customers who might be interested in them or be in a position to actually purchase the advertised products;
- If the segmentation/profiling is not excessively invasive and marketing activities are not excessively aggressive; and
- If individuals are given the right to object to marketing activities based on legitimate interest.
5. How long can direct marketing be performed for?
As discussed in this previous article, marketing and profiling consents obtained as part of a contractual relationship cannot be processed for that purpose for an unlimited period of time. The privacy information notice shall indicate the applicable retention period(s), and these shall be implemented in the information systems to avoid further processing activities.
Once the retention period has expired, if no other contract is in place between the parties, it might be possible to ask individuals to subscribe to a newsletter service.
Do you share my recommended actions? What is your view on the above? You may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR.