Just like the people of Westeros thought dragons were dead, it turns out many of the expectations around GDPR were off the mark. GDPR has not ushered in a marketing apocalypse; rather, it has more clearly defined how marketers can operate.
In this blog, we’ll unpack how the six lawful bases of GDPR have changed the way companies approach marketing.
The Six Lawful Bases
Before GDPR, there were different rules and regulations that defined how you could legally handle an individual’s personal data, depending on the medium. GDPR aims to better define how a company can make use of personal data under six regulations.
This is the biggest change to how marketers approach personal data. Before opt-in was the exception rather than the rule. Under GDPR processing of personal data is not allowed, except under specific circumstances, or if the individual has consented to the processing of their personal data.
The way companies can ask for consent has also changed. In the past, companies could hide their true intentions behind obscure legal terms and industry jargon. Without an understanding of this type of language, ordinary people could unknowingly consent to things they never planned on consenting to. Under GDPR, consent can only be given under agreements that are specific, informed and unambiguous.
Agreements must also respect the right for an individual to retract consent, which is specifically outlined in Article 7 of GDPR:
“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
The processing of personal data is permissible if you have a contract with an individual that requires you to do so, or if you need to process this data to enter into a contract with them. Since personal data is a key part of any contract, it makes sense for GDPR to ensure data processors clarify how this personal data applies. Marketers should be careful not to look at this as a safety net or loophole.
If laws exist outside your contractual agreements that you need to comply with, your marketing agency will be allowed to process personal data. A similar regulation existed in the Data Protection Act of 1998, but GDPR has increased the clarity around the idea in this clause. In particular, recital 45 states “the processing should have a basis in Union or Member State law”. For marketers outside the EU, this means you should ensure compliance with EU or member state laws.
If vital interests make you think "it's vital to my B2B marketing agency so this should be applicable to me", don't get too excited. Vital interests refer to situations where processing an individual's personal data is necessary for protecting someone's life. Government authorities, medical professionals and law enforcement agencies are most likely to make use of this regulation.
If you are performing a task that is in the public interest, such as scientific research, or have official authority, then you are covered by this regulation. ICO highlights that this has connections to Schedule 2 of the Data Protection Act of 1998. The two main differences are the "relevant task or function must have a clear basis in law", and "public authorities can no longer rely on legitimate interests for processing carried out in the performance of their tasks". As a marketer, it's unlikely that this will apply to you.
This part of the GDPR will likely be of most interest to marketers; but again, expectations need to be kept in check. While this regulation allows for a certain degree of interpretation, it still includes clauses that prevent marketers from gathering data as freely as they used to. ICO looks at article 6(1)(f) which states:
“(if) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
“Showing that you have a legitimate interest does mean however that you (or a third party) must have some clear and specific benefit or outcome in mind. It is not enough to rely on vague or generic business interests.”
Ensure Your Telemarketing Campaign Is GDPR Compliant
It’s vital that your telemarketing strategy is built with a solid foundation in the relevant lawful basis of GDPR. To help you achieve this, you’ll need the right marketing partner. GCL Direct is an organisation with over 27 years of B2B telemarketing experience that can help you achieve this goal. For more information on how we can assist, contact us today.