By Yusef Sanei
The General Data Protection Regulation (GDPR) will become fully enforced throughout the European Union on the 25th May 2018. Coverage of the GDPR has created an almost apocalyptic sense of impending industry doom, heavily focusing on eye-widening fines.
The information sways between sensationalist scaremongering and heavy legislative literature, so we were keen to shed some light on the new regulations and explore how they may affect agency (B2B) new business but, more importantly, how these new regulations could actually be a blessing in disguise!
(Almost) Nothing New
Despite what the recent coverage may suggest, these new regulations haven’t come out of nowhere. After 4 years of debate and preparation, the EU Parliament finally approved the GDPR on the 14th April 2016. This approval triggered the 2-year post-adoption grace period, meaning the GDPR will become fully enforceable in a few months’ time (25th May 2018). The GDPR will replace the existing 1995 Data Protection Directive, which enforces many similar regulations that the new GDPR will uphold.
Why Something New
The European Commission (EC) acts as a legislation implementation branch of the European Union. The EC has recognised that the digital economy is only going to get larger with the digitisation of most aspects of life. However, this predicted growth can be threatened by a lack of trust on the consumer’s part; these new regulations are therefore meant to ensure trust is established by giving digital service users more information and greater control over their data and how it is used. This places most emphasis on B2C but still affects B2B in one major way.
Individual and personal data can only be processed if there is at least one lawful basis to do so. One of these lawful reasons, legitimate interest, is how B2B marketers will legally be allowed to target individuals. However, the industry coverage thus far has thrown this term around as the saving-grace clause of the regulations, but what does ‘legitimate interest’ actually mean?
The EU’s GDPR legislation or the ‘Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)’ as the boys in Brussels refer to it, contains 29 references to ‘legitimate interest’.
What does it all mean?
Whilst mining through dense EU law may not be for everyone, the discussion around legitimate interest needs elaborating. Luckily, we’ve done the legwork and discussed the most relevant usages.
Article (47): ‘the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.’
A data subject (target) has to ‘reasonably expect’ to be contacted by you.
For example, if you want new biz for FMCG and you contact someone from Coca-Cola, then you are all clear, as someone from Coca-Cola could ‘reasonably expect’ to be contacted by someone from FMCG.
Article (69): ‘a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.’
If I contact Coca-Cola and they never want to hear from me again, then they are entitled to opt out and never be contacted by me again. I have to make clear to Coca-Cola why I have contacted them – which is something I imagine most people are already doing.
Article (111): ‘where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.’
This one is a bit wordy… but it is important. If I wish to contact the head of marketing at Coca-Cola, I don’t need to source/use data about their children, their dog’s name and where they last went on holiday. I only have the right to use data that is applicable to my reason for targeting, for example, new biz.
Article (113): ‘Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer.’
I cannot continuously spam the head of marketing at Coca-Cola until they talk to me; I need to be able to show that there is a qualified reason to target them, e.g. they have a strong lead score. Again, this isn’t rocket science and should be something most respectable agencies are already doing.
Article (6)f: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Nice and simple: Don’t email children (under 16).
Sigh of Relief
Thankfully, after that slight trudge through the heart of the European Commission’s dense legislation, we can draw some very positive conclusions.
This isn’t the apocalypse that some would have you believe. Yes, if you don’t follow the regulations there will be hefty fines, but even in this scenario, you don’t send out an accidental email to someone and next thing you know the Data Protection Police have arrested you in front of your colleagues and have taken over your business. There are warnings and cautions before the fines will be applied – after proven continuous breaches.
Buzzing Around the Ointment
This could, however, be susceptible to change due to the upcoming E-Privacy Regulation which, were it to be passed, would work alongside/complement the GDPR. However, the E-Privacy Regulation is still in draft form and is being heavily debated between the Council and the Parliament, so we are still unsure what the final regulations will look like. This is something we will be following closely and will be sure to discuss in upcoming articles.
What we can take from the GDPR is that the new legislation should act as a much-needed wake-up call. We should all practise and implement qualified targeting, lead scoring and transparent reasons for contacting someone. This should be embraced by businesses, and if you are already practising good etiquette then there’s nothing to worry about. This is a chance to change the digital industry for good, not the beginning of the end.
Please note that this article is written from the writer’s point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.