Why are marketing managers spooked?

Insight Data’s general manager Jade Greenhow discusses marketing data and the implications of GDPR – the new data protection regulation that comes into force on May 25.

In today’s super-connected world, we’re creating 2.5 quintillion bytes of data per day and the volume is increasing exponentially – according to IBM, 90% of the world’s data has been created in the last two years alone.

All of this data is being used by organisations for a myriad of purposes, with companies such as Google, Facebook and Apple collecting, processing and using the personal data of millions of individuals for advertising and marketing.

It’s no surprise that individuals, authorities and governments are concerned about the information organisations hold and what they are doing with it. Current data regulations are outdated and vary across EU member states, so a new Europe-wide framework, the General Data Protection Regulation (GDPR), has been agreed and will come into effect on May 25.

The GDPR is being policed by the ICO (Information Commissioner’s Office) which has new powers to fine organisations up to 20 million euros or 4% of global revenue for non-compliance, so businesses will need to carefully review and update their policies and procedures, while carrying out a data protection impact assessment (DPIA) is recommended.

The GDPR relates to the processing of personal data with greater emphasis on the ‘fundamental rights and freedoms’ of individuals. This includes how organisations collect, store, transfer or use personal data including customer information, prospects/sales leads and marketing data lists.

Any information that can identify an individual – such as a name, email address or even a computer IP address – is considered personal data under the GDPR even if that individual is an employee, director or owner of a limited company, thus the new regulation can apply to business-to-business as well as business-to-consumer.

There is widespread confusion about marketing under the GDPR with some ill-informed experts suggesting the new regulation could have dire consequences for marketers because of tighter opt-in ‘consent’.

However, consent is not the only way to comply with the GDPR. There are six legal grounds for processing data and, for many companies, particularly business-to-business, legitimate interest will be the legal basis for direct marketing in accordance with Article 6(1)(f) of the Regulation.

Recital 47 of the GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest.”

If your business supplies the trade, commercial or new-build sectors you will probably use a prospect database of some sort, whether this is a list of companies stored on an Excel spreadsheet, Microsoft Access, or a CRM system. Under the GDPR, managing this database will be more difficult and time-consuming with your company at risk from fines unless you comply with the following:

document all the personal data you hold and show how and when it was sourced
keep the data accurate by regularly updating the information
have evidence of how and when you update the personal data you hold
show how the data will be used, how long it will be retained and who will have access to it
demonstrate the lawful basis for processing personal data
recognise the rights of individuals to know what personal data you hold and why, and respect their demand to correct, restrict or remove their data
have procedures in place to detect and report on a data breach, such as theft by an employee
Insight Data has been monitoring the developments of the General Data Protection Regulation since it was first proposed in 2012 and we have continuously adapted the way we collect and manage prospect data, including the personal data we hold, to ensure our customers can continue to market successfully to fabricators and installers, building contractors and architects after May 25.