Amid the hype of last week’s introduction of European-wide GDPR regulations, Karl Dukes, Marketing Director of Mediahut, clarifies the regulatory context surrounding consent and communications.
A 20-year industry marketing veteran, Dukes tells betting stakeholders not to panic when implementing GDPR compliance directives, a subject matter currently dominating all corporate agendas…
As of today, 2 days before GDPR comes into legal effect here in the UK, I am receiving literally dozens of “repermissioning emails” from a wide range of companies.
Most of these are well written and compliant. However, almost all of them are also unnecessary. So many organisations have either left it too late or simply panicked themselves into requesting permission, as they think that they ‘MUST have consent’ to continue communication. This is not necessarily the case.
The big problem with the “yes or no” questions that are being asked is simply that a lack of a YES is, by definition, a NO. People are seeing databases being rendered unusable, by simply asking an unnecessary question!
I will apologise now for the following sentence, but it is an important one.
Recital 47 of the EU GDPR 2016/679 (I know...) clearly states that you do not NEED consent, as long as the processing that is carried out does not override the “fundamental rights and freedoms” of the subject, taking into consideration the reasonable expectation of the data subject, based on the relationship with the controller. (Sorry…)
So let’s think about this rationally. If I sign up with a company to allow them to provide services to me, it would not be unreasonable for me to expect that company to communicate relevant and pertinent content to me. Moreover, in a number of circumstances, I would expect them to (e.g. if I have purchased a subscription of some sort). This means that that company has already GOT the “lawful basis for processing” that it needs, and therefore does NOT need another one.
Part of GDPR is that we MUST carry out a fair and reasonable assessment of the risks of processing and ensure that they are proportionate for the task being carried out.
However, a simple three-part test fulfils this remit.
You need to:
- A) Identify a legitimate interest; (The ICO definitions include “commercial interests, individual interests or broader societal benefits”)
- B) Show that the processing is necessary to achieve it; and
- C) Balance it against the individual’s interests, rights and freedoms
This test allows us to establish a “Legitimate Interest” under the GDPR regulations and allows us to process data for the specific task for which the balancing test was completed.
In practice, it simply is not as binary as this, and common sense would dictate what that interest is. We would need to ensure that the processing is lawful, and carry out a “Legitimate Interest Assessment” (LIA) for each process. The key advice is to only use data in ways that the consumer would “reasonably expect”, and that will not cause them harm or be found intrusive.
And sorry to all you email senders: although GDPR does not place any specific restrictions around what you can and can’t do, PECR (Privacy and Electronic Communications Regulations) still does, and you have to fulfil your obligations in exactly the same way as previously. So no spam, no unsolicited email.
The GOOD news, however, is that Direct Marketing (i.e. physical mail shots) is automatically compliant.
GDPR is NOT a revolution, it is an evolution of the existing regulations (the DPA). If your processes were compliant before, then they almost certainly will be now. Yes, there ARE more boxes to tick, and yes, there are more forms to fill in. BUT if your processes are robust and your procedures are sensible, then there is nothing to fear.
Karl Dukes – Sales and Marketing Director – Mediahut
Sports betting marketing and communications will be discussed at the upcoming ‘Betting on Sports Conference’ (#boscon2018 – Olympia London, 18-20 September 2018).