Why GDPR's a legitimate concern for data-driven business
By Nicky Tomkins, 27/02/2018
With the exception of wilful cowboys, most organisations - whether they are a charity or a commercial business - probably perceive their marketing efforts as legitimate. But when the GDPR comes into force on May 25th they might have to think again.
The General Data Protection Regulation (to give the new EU law its full name) includes several legal bases for processing and using people’s data. The two most relevant to marketers are:
Legitimate interest – defined as “where an organisation has legitimate interests to process an individual’s data for the purposes of direct marketing, unless those interests are overridden by the rights of the individual”.
Consent – defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
It’s a legal minefield. WPNC planning director David Brown urges organisations of all shapes and sizes to review their data activity now and put in place legal grounds for continuing to contact donors, customers or prospects from May.
David says: “Many people have heard of GDPR and know change is coming. Others understand that aspects of data they take for granted will soon be different. Yet the exact meaning of the regulation is lost on most; there’s an assumption that ‘someone else’ within the organisation will deal with it.”
While legitimate interest is a useful legal basis for marketing - and, in particular, direct mail as specified in the text - there’s a great amount of work to do to prove that legitimacy.
WPNC charity client JDRF, which has a mission to cure, treat and prevent type 1 diabetes, is close to finalising its GDPR strategy. Katie Hepworth, the organisation’s head of individual giving, explains: “We began looking at data compliance in marketing and fundraising a year ago. Firstly, we’ve upgraded our database to meet consent tracking requirements under GDPR. We’ve also written a new privacy statement and a supporter promise, as well as reviewing our security policy.
“We are mapping our fundraising data and identifying legitimate interest. Our postal communications are to people who have already been in contact with JDRF, and who we know have a close connection to type 1 diabetes. Because of this, we believe we have a strong case for legitimate interest.”
Another WPNC client, Princess Alice Hospice (PAH), established a GDPR project team during November 2017. Supporter experience manager Jo Hopkins says: “Data protection for marketing, fundraising and healthcare is paramount. We are implementing robust data mapping, privacy and policy analysis throughout, and have been relying on the ICO, Fundraising Regulator, DMA and Institute of Fundraising, as well as the PECR directives, for guidance.
“We’re fortunate to have been clear and transparent historically about our communication types, and the different topics and preferences supporters receive. This has enabled us to confidently use legitimate interest for our next communication with existing fundraising supporters and education including our new Privacy Notices. Suddenly stopping communications that they currently receive, and might be expecting, would not be a good experience.
“Thereafter, all communications will give them the same options as our new supporters and customers, asking them to state ‘yes’ or ‘no’ for email, phone and post contact. They will be able to establish, refresh and update their permissions, confirming explicit choice. Our communications have been predominantly by mail but having already captured email consent we will continue to contact supporters and customers as before, so we’re not expecting budgetary changes.
“The updates and guidance received so far are not wholly explicit and rely on organisational data protection judgements. Our GDPR team continuously reviews this and the associated risks with the overriding support of our newly appointed data protection officer (DPO).”
Jo continues: “Justification of using legitimate interest can take many forms. As an additional working example, I am reviewing with our DPO contacting our known bereaved families, as part of our continuing care ethos. We plan to advise them of our bereavement services, specific specialist contact details and remind them of the communications they can receive for their journey, while under our care.
“There’s no doubt continuous discussion and case study will be ongoing using legitimate interest and it’s incumbent to have full transparency of the decision making. This will ensure all data capture procedures, and our communications, have at heart our customer, supporter and patient privacy interests.”
For his part, David believes that organisations probably won’t find a one-size-fits-all approach for legitimate interest. He states: “We’re working with a number of organisations to establish the level of risk involved in communicating to particular audiences in a database about certain topics. For example, it could be okay to send a significant proportion of people a message with a specific purpose, but for another group it wouldn’t be justifiable under legitimate interest. This type of modelling and documentation of evidence seems to us the best way forward.”
Katie at JDRF agrees: “It’s a case of analysing each type of communication to each segment of the database. You need to create a framework and answer all of the questions for each type of supporter.”
Unlike consent and privacy statements, which can be more clearly displayed and explained, legitimate interest will probably remain the domain of the organisation, documented and ready to use as a legal basis if challenged. Katie suggests: “Legitimate interest means nothing to our supporters, but we can explain what we’re trying to achieve in our supporter promise. It highlights our mission to treat individuals’ data with respect and communicate things they’ll want to hear about.”
David points out agencies are well placed to help client organisations identify legitimate interests: “Because agencies find strategies to underpin relevant communications, we can look for information, insight and inspiration that forms organisations’ legitimate interests.”
He concludes: “From the outset, be sure to investigate all the different angles for legitimate interest and document your case. Keep a constant watch on the purpose of your marketing, and always try to do the right thing.”