Preparation for GDPR compliance is hitting top gear. On 25th May 2018 we will see the new GDPR framework take effect – and it offers all marketers the greatest opportunity for business transformation in a generation.
The GDPR lays out 6 legal grounds for processing personal data. In conversations, webinars and debates I have attended, particularly over the past few months, the focus has been on two of the six GDPR principles, “Consent” or “Legitimate Interest”. However, all six are equally valid.
The six GDPR principles require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not processed beyond those
- Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data
We need to remove the hype that surrounds this new legislation and look at the facts. It makes sense that “Consent” or “Legitimate Interest” would be chosen or highlighted as the two principles that would be of most interest to marketers trying to establish and implement a plan for GDPR compliance.
B2B marketers will be able to make use of the “Legitimate Interest” legal ground for their marketing activity in most instances. “Legitimate Interest” is a subjective legal ground, meaning that an organisation must justify its activity and consider the privacy risks for data subjects. “Consent” is black and white. The data subject must have freely given a specific, informed and unambiguously expressed ‘Yes’ or ‘No’ preference. However, it is a robust standard which may be hard to achieve. If in doubt, the ICO have said “Legitimate Interest” might be the better choice.
Another important principle that needs attention is accountability, which is also a core principle. The principle of accountability refers to the many measures organisations will need to carry out to demonstrate a culture of respecting privacy and data protection. The GDPR asks companies to be accountable for their own decisions on how they collect and use personal data. Accountability applies to everyone across the company.
When it comes to the ramifications of GDPR, brands that fail to take responsibility will most likely lose customers, goodwill and ultimately shareholder value. Those that can demonstrate good data governance will find customers will trust them more and share their data more, which should lead to better revenues. Which legal ground will your business choose: “Consent” or “Legitimate Interest”? Or will your business employ a mix of both?