How GDPR will affect marketing

DLA Piper's Rachel DeSouza explains what marketers need to consider with GDPR on the horizon

The EU's forthcoming General Data Protection Regulation (GDPR) will have a big impact on marketing, according to law firm DLA Piper.

Speaking at Computing's recent Technology Marketing Innovation Conference, Rachel DeSouza, an associate from the firm explained how the regulation would change what marketers need to consider when collecting and using data.

"GDPR impacts technology marketing, specifically direct marketing, as it regulates the collection of email, phone, and other contact information," began DeSouza. "It also targeted marketing, regulating the use of IP addresses and cookie data."

She added that GDPR will also apply to profiling activities via the use of big data, and data aggregation with third party sources.

"Most organisations will be using aggregated data from lots of sources for their marketing," she explained.

De Souza continued: "GDPR brings a broad meaning of personal data, so it will capture a lot of data collection. It brings new complaince burdens and raises the compliance bar."

The EU's aim with the legislation, she added, is to give consumers more control over their personal data. So it brings new consumer rights, new rights of access to personal data, and the right to object to the processing of your personal data and to withdraw that consent later.

"It also introduces a new consent model. It requires explicit consent for the processing of certain types of personal data. So marketers need to move away from relying on consent because it's going to be harder to achieve."

"Governance is also key," she advised. "GDPR includes enhanced organisational governance requirements like the need to appoint a data protection officer [once a firm goes beyond a certain level of data processing], and also introduces the concept of being able to show how you made your decisions.You must be able to show why you're processing personal data, how it was collected, and what processes you have to ensure the proper controls are in place."

De Souza explained that some of her firm's clients have told her that they collected data because they may need it in the future.

"That will have to change," she advised. "Unless you can state what data you collected and why, you won't comply."

"You need to move away from relying purely on consent," De Souza contined. "The use needs to be for legitimate interest. Consent is only for high-risk processing, and explicit consent is required there, which needs to be managed actively. Users have to be able to withdraw consent as easily as they give it."

There has been some confusion in recent months, as some experts have stated that the GDPR is already in force, although the fines, which will be up to four per cent of the parent company's global turnover, won't come online until May 2018.