What is GDPR and how will it affect your business?


The battleground around customer consent versus legitimate interest is a fierce one. When the European Union adopted the GDPR, its standard for how companies may collect and process personal data, it sent shockwaves throughout the world. Yet it was only the first such standard to have global reach. Canada has since moved on its own standard, as has the state of California.

GDPR defined: GDPR stands for the General Data Protection Regulation. It is among the strictest data privacy and security laws in the world. Though drafted and enacted by the European Union (EU), GDPR carries heavy legal responsibilities for organizations around the globe if they process the personal data of people in the EU, regardless of where the organization itself is based. GDPR went into effect on May 25, 2018.

Soon, updates to Apple and Google operating systems will further restrict cross-app and cross-site tracking, making it harder for companies to understand how users found their sites to begin with. This has Facebook highly concerned, given its primary revenue driver is its ad product: without proper attribution, companies won't be able to tell how effective an ad on Facebook, or its other properties like Instagram, really is.

Impact of General Data Protection Regulation (GDPR) for online businesses

But for now, let's look at GDPR, the regulation on which later consumer data privacy laws have been modeled. All of them pull on similar language and use cases, which makes GDPR the reference point. There are two provisions in particular that marketers need to know in the GDPR text:

  • GDPR Article 6(1)(a) – Consent as a lawful basis for processing data: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • GDPR Article 6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Those two articles break down what’s known as consent collection and legitimate interest collection. Let’s make sure you gain a good understanding of both. 

How your organization can become GDPR compliant: Sorting out customer consent once and for all

Consent is the lawful basis most businesses reach for first when becoming GDPR compliant.

Customer consent is considered the gold standard of data collection: a consumer must take a clear affirmative action, such as clicking a button or ticking a box that is not pre-ticked, to say that they agree to give their information to the company. Silence, scrolling, or continuing to browse does not count.

You’ve undoubtedly seen these on a variety of sites you’ve visited recently. Here’s an example from SAP’s Future of Commerce website:

GDPR compliance: A webpage acknowledging cookies to receive customer consent.

Customer consent requires the customer, each and every individual one, to actively consent to the collection and processing of their data.

Indeed, the US Telephone Consumer Protection Act (TCPA) requires something similar for text message marketing.

Much like customer consent's requirement that no box be pre-checked and that the person take an affirmative action, TCPA rules require prior express consent before marketing texts are sent, and that agreement cannot be pre-checked. Further, the language for the agreement must include information on how often a user will be sent messages, and how to unsubscribe and stop all messages.

GDPR is not alone, then, in this requirement for a more manual consent process. 
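The consent rules above (an affirmative act, no pre-ticked boxes, consent tied to specific purposes, withdrawal as easy as granting) translate directly into how a site's consent banner and tag loading should be wired. The following is an added example, not code from the original article or from any vendor named on the page; every name in it (the purpose labels, the action names, the ledger functions) is an assumption made for illustration. It keeps a small consent ledger that refuses implied consent, logs each decision as evidence, and only runs a tracker loader when its purpose has been consented to.

```javascript
// Added example (not from the original article): a consent ledger that enforces
// the consent rules the text describes. All identifiers below are assumed names.
//
//  * consent must be a clear affirmative act: pre-ticked boxes, scrolling,
//    inactivity and "continue browsing" are never consent;
//  * consent is specific to a purpose and must be demonstrable, so every
//    decision is appended to an evidence trail with the notice version shown;
//  * withdrawing consent is a single call, as easy as giving it;
//  * strictly necessary processing (e.g. a session cookie) is not gated.

const ESSENTIAL = "essential";
const CONSENT_PURPOSES = new Set(["analytics", "marketing", "personalisation"]);

// Only explicit user gestures on the consent UI count as an affirmative act.
const AFFIRMATIVE_ACTIONS = new Set(["click_accept_all", "click_save_preferences", "click_reject_all"]);

function createConsentLedger(clock = () => Date.now()) {
  let current = null;   // latest valid decision, or null if none recorded
  const evidence = [];  // append-only trail of decisions and withdrawals

  function recordDecision({ action, granted = [], policyVersion, preTicked = false }) {
    if (!AFFIRMATIVE_ACTIONS.has(action)) {
      throw new Error(`"${action}" is not an affirmative act; no consent recorded`);
    }
    if (preTicked) {
      throw new Error("pre-ticked boxes do not constitute consent");
    }
    if (!policyVersion) {
      throw new Error("decision must reference the privacy notice version shown");
    }
    for (const p of granted) {
      if (!CONSENT_PURPOSES.has(p)) throw new Error(`unknown purpose "${p}"`);
    }
    current = { action, granted: [...new Set(granted)], policyVersion, timestamp: clock() };
    evidence.push({ event: "decision", ...current });
    return { ...current };
  }

  function hasConsent(purpose) {
    if (purpose === ESSENTIAL) return true; // no consent needed for strictly necessary processing
    if (!CONSENT_PURPOSES.has(purpose)) throw new Error(`unknown purpose "${purpose}"`);
    return current !== null && current.granted.includes(purpose);
  }

  // Run a loader (e.g. inject an analytics script tag) only when its purpose is consented.
  function loadIfConsented(purpose, loader) {
    return hasConsent(purpose) ? loader() : null;
  }

  // Withdraw some or all purposes; returns the purposes that remain granted.
  function withdraw(purposes = [...CONSENT_PURPOSES]) {
    if (current === null) return [];
    const remaining = current.granted.filter((p) => !purposes.includes(p));
    current = { ...current, granted: remaining, timestamp: clock() };
    evidence.push({ event: "withdrawal", withdrawn: [...purposes], remaining, timestamp: current.timestamp });
    return remaining;
  }

  // Copy of the evidence trail, for audits and for demonstrating consent.
  function exportEvidence() {
    return evidence.map((e) => ({ ...e }));
  }

  return { recordDecision, hasConsent, loadIfConsented, withdraw, exportEvidence };
}

// Constructed walk-through when run directly with Node (node consent.js).
if (typeof module !== "undefined" && require.main === module) {
  const ledger = createConsentLedger();
  ledger.recordDecision({ action: "click_save_preferences", granted: ["analytics"], policyVersion: "2024-01" });
  console.log(ledger.loadIfConsented("analytics", () => "analytics tag injected"));
  console.log(ledger.loadIfConsented("marketing", () => "ad pixel injected"));
  try {
    ledger.recordDecision({ action: "scroll", granted: ["marketing"], policyVersion: "2024-01" });
  } catch (e) {
    console.log(e.message);
  }
  console.log(ledger.withdraw(), ledger.exportEvidence().length);
}
```

The important design choice is that a failed attempt to record consent (an implied action, a pre-ticked box) throws and leaves the ledger untouched, so a bug in the banner can never silently upgrade "no decision" into "consented". In a real deployment the evidence trail would be persisted server-side alongside the notice text the user actually saw.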

How to generate a GDPR compliant privacy policy and define legitimate interests

Legitimate interest is more of a gray area within GDPR, and as a result, many marketers prefer it. Adding a requirement for a manual agreement for data collection adds friction to a website, and friction can severely reduce conversion. 

In fact, the Information Commissioner's Office (ICO), the UK's independent authority that guides businesses on how to apply the UK's data privacy laws such as the GDPR, has offered guidance for companies on how to write a GDPR compliant privacy policy and interpret legitimate interest. The ICO explains that legitimate interest is likely to be the appropriate basis where:

  1. The processing is not required by law but is of a clear benefit to you or others;
  2. There’s a limited privacy impact on the individual;
  3. The individual should reasonably expect you to use their data in that way; and
  4. You cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

This makes legitimate interest far more flexible than customer consent. 

When to use consent v. legitimate interest: A handy legitimate interest assessment 

Based on our breakdown of consent versus legitimate interest so far, you might be thinking that it’s just easier to use legitimate interest in all cases. That’s not necessarily true. In fact, the ICO has made it clear that you cannot use legitimate interest as the default collection method for your company. 

Although legitimate interest is a flexible concept and will often be relevant, it does not apply to everything and you are not able to use it as the default basis for all your processing.

This is also why most websites ask for consent as soon as you land on the site: under the ePrivacy rules that sit alongside GDPR (PECR in the UK), setting non-essential cookies requires consent, and legitimate interest cannot be used instead.

So, when can you use legitimate interest? Luckily, the ICO offers a three-part test for determining if legitimate interest can apply for your project, website, etc.

  1. Purpose test – is there a legitimate interest behind the processing? Under the purpose test, you need to identify the interest being pursued (yours, a third party's, or a wider societal benefit) and confirm that it is lawful and clearly articulated. You then need to state plainly, in your privacy information, the purpose for which you are processing that data under legitimate interest rather than consent.
  2. Necessity test – is the processing necessary for that purpose? Using the necessity test, you need to demonstrate that there is no other less invasive way to achieve your goal, and ensure that the processing is proportionate to achieving your aims.
  3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms? Finally, under the balancing test, you need to ensure that processing the data doesn’t infringe on the rights and freedoms of the individual. 

All right, so on its own the three-part test is abstract. Let's look at a few examples instead.

Applying the three-part test: GDPR legitimate interest examples

The following scenarios are offered by the ICO in their documentation to help companies better understand how to apply the three-part test and ultimately which data collection and information practices to use. 

The charity case. 

A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.

The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.

The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose and that the mailing is a proportionate way of approaching individuals for donations.

The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.

The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in the future.

The business seminar case. 

Individuals attend a business seminar and the organizer collects business cards from some of the delegates.

The organizer determines that they have a legitimate interest in networking and the growth of their business. They also decide that collecting delegate contact details from business cards is necessary for this purpose.

Having considered purpose and necessity the organizer then assesses that the balance favors their processing as it is reasonable for delegates handing over business cards to expect that their business contact details will be processed, and the impact on them will be low. The organizer also ensures that it will provide delegates with privacy information including details of their right to object. The organizer subsequently collates the contact details of the delegates and adds them to their business contacts database.

There are no legitimate interest loopholes: It’s about ethical data practices

On the fence about what to use? Start with the gold standard of consent. From there, expand into legitimate interest, but always do your best to explain upfront what data will be collected and for what purposes. Finally, always allow recipients of marketing material to opt out of being sent further information, whether that information is sent on the basis of consent or of legitimate interest.

In other words, treat consumer data the way you'd want yours treated. GDPR simply requires companies to think a bit harder about what data they are collecting, whether they need to collect it at all, and how to do so in an ethical way.

Some companies are taking this standard to a new level and using ethical data collection and transparency as a marketing tactic in its own right. Let’s look at Lush for instance. They have made Data Ethics a pillar of their company values. 

“Now more than ever people are aware of how critically valuable their personal data is. In its lightest form, it is the tweets you post, the photos you upload, the people you DM. In its darkest forms, it is a tracker on your identity, an algorithm deciding whether you should be on a kill list. It is our belief that Data Privacy is a fundamental human right. The ethical data policy is about ensuring that all of Lush’s staff and customer data is secure and transparent. Our customers and staff have the right to know what we hold about them.”

As more and more countries, states and the like adopt GDPR-type standards, we are likely to see more and more companies adopting digital ethics best practices as internal values, and then using those as marketing fodder. This is the ideal goal of consumer data privacy and protection policies.


Tracey Wallace
