GDPR - 5 Things To Ask Your Agency

There isn’t a one size fits all when it comes to GDPR, every company is different. But it is important to remember that May 25th is a starting point, not a deadline. What matters most is how you adapt to not only survive (i.e. avoid fines) but thrive (achieve competitive advantage) in the new environment defined by GDPR.

Between now and then it is crucial for companies – and their marketing teams – to change the way ‘personal data’ is obtained, stored and secured to ensure compliance. GDPR, of course, extends well beyond marketing, but we will focus on the impact on marketing activities as this is where your agency should be able to give advice.

As every company has a slightly different situation, we thought it would be worth listing the questions you should be asking your agency.

1. Is there an easy way to ensure GDPR compliance?

Some very small organisations probably will be able to achieve compliance without much effort, but large organisations will need to spend a considerable amount of time. A recent survey by SmallBusiness.co.uk found that 1 in four companies with over 5000 employees expect the cost of GDPR to exceed £1M and UK SME has spent over 80 days (600 hours) preparing for the legislation over the past year.

2. What are the GDPR rules for how long I can keep data? Does GDPR require opt-in marketing communications?

GDPR doesn’t work by defining timescales, and therefore it’s impossible to provide a straightforward list of requirements that you need to meet. GDPR requires organisations to look at the personal data they hold and determine the right way to handle it. Although there are best practices emerging, organisations need to make decisions for themselves.

GDPR doesn’t require opt-in for marketing communications, despite what you might have heard. You can claim that direct marketing is a “legitimate interest” for your organisation, allowing you to use an opt-out policy, but you must make sure that the justification is documented clearly.

3. Does GDPR mean I have to stop email marketing, unless a contact explicitly opts-in?

This is a common misconception. Companies can claim that direct marketing is a ‘legitimate interest’ to their business therefore justified without explicit consent. However, citizens do have the right to opt out, you must balance the right to privacy of the data subject with your legitimate interest of direct marketing to decide whether claiming the legitimate interest is reasonable.

4. How do I show I’m compliant?

The regulations are pretty straightforward about this. To show compliance, you must:

Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
Maintain relevant documentation on processing activities.
Where appropriate, appoint a data protection officer.
Implement measures that meet the principles of data protection by design and data protection by default.

5. Can my agency sort out compliance for me?

Unfortunately, not. Agencies don’t have enough visibility into client activities and so would be unable to accurately represent the company.

It’s hard for a marketing agency to know everything that needs to be done, or for a client to give access to all the systems that contain personal data – which includes any folder containing files with contact details.

They can, however, review the marketing automation system to see whether there is clear documentation about the source and consent of a contact.

Some aspects of GDPR involve weighing the data subjects’ rights against a legitimate interest. Although agencies can give opinions on how to balance these rights, so clients are fully informed, in the end it’s a decision they must make based on advice from their legal counsel, and one that should never be outsourced to a marketing agency.

It’s not all doom and gloom…

Although GDPR does place some arduous demands on marketing & information technology, it is possible to comply and continue proactive practices and efficient database marketing automation activities that drive revenue for your company.