Here are some key considerations to help you get your marketing and communication compliant with the General Data Protection Regulation (GDPR).

First of all, what is the General Data Protection Regulation (GDPR)?

Developed by the European Union, the EU General Data Protection Regulation 2016/679 (GDPR) aims to strengthen individuals’ rights regarding the collection, use and storage of their personal data. It also aims to harmonize the rules at EU level: the GDPR applies to all businesses and organizations involved in processing the personal data of EU citizens.

All companies that interact with personal information of EU citizens must be compliant with the GDPR and its main principles.

Basically, your company must embed the GDPR’s main principles within its operations. These main principles include:

1. Principle of lawfulness, fairness and transparency

Your company needs to make people aware of what their data will be used for (transparency). Your company also needs to ensure that the data is used only in the way you have specified (fairness) and that its processing meets the requirements described in the GDPR (lawfulness).

2. Principle of purpose limitation

This means that personal data:

  • can only be obtained for specified, explicit and legitimate purposes;
  • can only be used for a specific processing purpose that the subject has been made aware of and no other;
  • cannot be used further without additional consent.

3. Principle of data minimization

In short, only the minimum amount of data required for the specific purpose(s) should be collected and kept.

4. Principle of accuracy

Broadly speaking, the data should be kept up-to-date and any inaccurate data should be updated or deleted.

5. Principle of storage limitation (data kept in identifiable form no longer than necessary)

This principle discourages unnecessary data redundancy and replication. In brief, data should only be kept for as long as it is needed, and anything no longer required should be removed.

6. Principle of integrity and confidentiality

This means that the data should be processed in a secure way that ensures it won’t be lost, destroyed, damaged or unlawfully used.

7. Principle of accountability and compliance

Your company must be able to demonstrate its compliance with the above principles, not merely assert it.

What do the GDPR’s main principles mean for your marketing and communication?


1. Be clear when collecting the consent

Make sure that individuals give their explicit consent for one or more specified and legitimate purposes. You should ensure that your company always clearly describes why the personal data is collected, and explicitly indicates the specific purpose(s) for which the collected data will be used.

In addition, individuals must be able to withdraw or amend their consent as easily and quickly as they gave it. In particular, data subjects have the right to be forgotten, the right to have their data transferred and the right to object to certain types of processing of their data.

The explicit consent of a parent is also required for processing the personal data of children and minors under 16 years of age.

2. Document your collection and processing of personal data

Your company must be able to prove that the personal data has been collected, processed and stored in accordance with the GDPR.

Therefore, be specific about the intended use of the information you are collecting and record when, why and how the personal data was collected and processed. If the personal data is used for several purposes, your company must request separate consents for each use because you must be able to prove that the data is used in a manner that is aligned with the initial purpose for collecting it.

3. Keep your email marketing lists up to date

Your company must be able to demonstrate that it has obtained the subject’s explicit consent in a manner that is compliant with the GDPR.

New subscriptions to mailing lists can be automatically managed with the double opt-in (meaning that people must opt-in and then confirm that they give consent for you to store their data).

Regarding subscribers already on your email marketing lists but without any registered consent, you should regain consent by sending out an email asking them to confirm their subscription and letting them know exactly what their data will be used for.

Make sure your contacts are able to withdraw their consent or change their preferences, and ensure that these requests come into effect promptly and in accordance with the GDPR.

4. Check your website’s cookie policy

Regarding the cookie policy of your company website, consent must be clearly expressed by a positive act and must be given before any action for which it is being asked can start. Your website’s users must also be able to change their mind easily and adjust their preferences or withdraw their consent at any time.

In addition, the consents must be stored so that they can be used as evidence in the event of an audit. And the consents must be renewed every 12 months, counted from the user’s first visit to your website.
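As an added example (not code from the original post) of how sections 2, 3 and 4 above translate into an engineering record: a minimal consent ledger that keeps one record per subject and purpose, implements the double opt-in with an unguessable confirmation token, keeps withdrawals as evidence instead of deleting them, and refuses processing once consent is older than the 12-month renewal window. The class and function names, the 365-day figure for 12 months and the sample address are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

RENEWAL = timedelta(days=365)  # assumption: the 12-month renewal window expressed as 365 days

@dataclass
class ConsentRecord:  # the evidence: why (purpose), how (source) and when (timestamps)
    purpose: str
    source: str
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # confirmation-link token

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}  # one record per subject AND purpose

    def request(self, subject: str, purpose: str, source: str, now: datetime) -> str:
        # double opt-in step 1: log the opt-in; the returned token goes into the confirmation email
        self._records[(subject, purpose)] = rec = ConsentRecord(purpose, source, now)
        return rec.token

    def confirm(self, subject: str, purpose: str, token: str, now: datetime) -> bool:
        # double opt-in step 2: only a matching, unused token turns the opt-in into recorded consent
        rec = self._records.get((subject, purpose))
        if rec is None or rec.confirmed_at or not secrets.compare_digest(rec.token, token):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, subject: str, purpose: str, now: datetime) -> None:
        rec = self._records.get((subject, purpose))
        if rec and rec.confirmed_at and not rec.withdrawn_at:
            rec.withdrawn_at = now  # kept rather than deleted: the withdrawal is itself evidence

    def may_process(self, subject: str, purpose: str, now: datetime) -> bool:
        # allowed only while consent for this exact purpose is confirmed, not withdrawn and within RENEWAL
        rec = self._records.get((subject, purpose))
        if rec is None or rec.confirmed_at is None or rec.withdrawn_at is not None:
            return False
        return now - rec.confirmed_at < RENEWAL

def day(n: int) -> datetime:
    """Constructed clock for examples: n days after a fixed start date."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)
```

Consent for a second purpose (say, profiling) needs its own `request`/`confirm` round; the ledger never lets a newsletter consent cover it.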

5. Make your marketing and communication as accurate as possible

Since the data must be accurate and limited to what is necessary for the purposes for which it is processed, make sure that your marketing is keeping accurate records, especially regarding consents, and that you can promptly delete, correct or complete individuals’ personal data upon their request at any time.

Regarding your communication purposes in particular, be clear about what kind of data needs to be collected and minimize the data in your company’s possession because you must be able to prove that you need the collected data, that it is actually relevant to your activities.

As for profiling and customization, your company is required to specify, when requesting consent, that the data will be used for automated analysis in order to personalize the user’s or customer’s experience. Therefore, make sure that your customers, users and visitors understand what profiling and personalization mean for them, and that they explicitly give their consent.

Marketing and GDPR

Watch the presentation available in English, French and Italian.

I hope this post was helpful. However, I would like to make it clear that this content is for informational purposes only. For any legal or professional advice on privacy and personal data issues, please visit the European Commission’s page “Data protection: Rules for the protection of personal data inside and outside the EU” and contact an expert or a certified specialist.