Here we cover the best practices regarding one of the most important changes GDPR brings about: the concept of gaining and reaffirming consent as well as offering the option to withdraw it. In this article, we cover some of the basic principles of the concept of consent in GDPR in relation to digital marketing. If you are interested in more specific tips on situations regarding social media, digital marketing and the rights of employees, see this article:
Personal Data Processing and Marketing
There are six privacy principles that relate to processing personal data in GDPR: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and confidentiality. GDPR will have an impact on the way data can be carried from social media to a company as a natural person. From this point of view, the principles of purpose limitation and data minimization are perhaps the most important data protection principles.
The principle of “purpose limitation” obliges us to obtain personal data only for “specified, explicit and legitimate purposes”, and to use data only for the purpose the subject has been made aware of. This means, for example, that if we ask for permission to use data in a specific context, the permission doesn’t carry over to other, unspecified purposes. The principle of data minimization requires that data collected about a subject shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, so that the amount of data kept for processing remains at a minimum.
Two key takeaways to keep in mind are the legitimacy of data gathering and the opted-in consent of the individual. The consent to give information must be, according to Article 4 of the GDPR, "a statement or a clear affirmative action to signify the agreement to process the personal data". Businesses will need to set up their processes in a way that proves prior consent to data handling, and consent to one data handling process does not equal automatic consent to another data handling process.
Opted-in, Granular Consent
Another important aspect of consent from a marketing perspective is the requirement for granular consent. Granular, individual consent basically means that for each separate "thing", you need a separate consent. This includes getting consent from people currently in your email lists if they were added there in a non-GDPR-compliant manner, that is, without an informed, opted-in consent form or tick-box.
From a marketing point of view, consent is perhaps the most important legal basis for processing personal data. Moving forward, you will only be able to add prospects to your database if you have their specific, opted-in consent. Under GDPR Article 4.11, consent must be freely given, specific, informed and unambiguous. When creating consent clauses and informing people of their rights, note that if consent cannot be withdrawn, it can, as per WP29, be considered not freely given.
Re-consent and Withdrawing Consent
With the upcoming regulation, it seems that all current or potential customers existing in a company's database will have to be contacted by the company. The company has to approach the customers who have been added to a database in a non-GDPR-compliant manner, that is, without an explicit, opted-in approval. If the customer contacted doesn't agree to staying in the database, their data will most likely have to be removed. It is likely you will have to erase a large part of your current prospect database, so be prepared with alternative strategies.
This is a good point in time to rethink your email lists in general: the ways in which people have been added to them and categorized within them, and the specific purposes of the email lists. When trying to regain consent from people in the email lists, companies may get very low response rates. Given this, it makes sense to run a cost-benefit calculation to find out whether it would be better to start completely over with gaining contact information. If, for example, you have a lot of people in an email list but the rate of email opens is very low, you might want to think about starting over with a new email strategy altogether.
Note that withdrawing consent must be equally or less burdensome than giving it. An easy way to make sure of this online is to replace the box or area where consent is given with a box where the visitor is able to withdraw consent. For example, when a visitor clicks a “Subscribe” button, it should then be replaced with an “Unsubscribe” button.
New Approaches to Finding Leads
The relationship between the upcoming data protection legislation and the growing importance of social media is huge. As the process of gaining consent to add people to a database becomes more and more complex, companies will inevitably suffer from loss of leads. What is needed, then, are new approaches to lead allocation, prospecting and creating connections with future customers. Now is the time to put time and energy into educating and empowering your employees in order to create a strong social media presence and community around your company.
Consent and its details are perhaps the most pressing issue to tackle for anyone working with social media and digital marketing. Fortunately, the rules are quite sensible and intuitive. As companies can no longer generate leads with automatic opt-ins and hidden, implied customer “consent”, new strategies are needed for lead allocation and for creating and nurturing relationships with prospects and clients. As we can expect a significant drop in the number of leads now that the rules of consent change quite radically, many companies are looking into Employee Advocacy and harnessing their employees to take more active roles in social media. Employee Advocacy creates trust-based networks, improves the quality of brand-prospect communications, and helps maintain good engagement between companies and potential customers.