GDPR and data privacy
European governments were coming under pressure to address data protection vulnerabilities, and in 2016 launched the General Data Protection Regulation (GDPR), replacing the previous Data Protection Directive.
The GDPR has important implications for digital marketers because it sets out how any user or customer data they collect may be gathered, stored, and used.
Pro tip: Use this handy checklist to help you develop a marketing strategy that’s GDPR-compliant.
Note: GDPR applies to companies operating in the EU. Other jurisdictions have different data protection guidelines, so be sure you understand your obligations if marketing in those areas. For example, if your company retains data on residents of California, you must comply with the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020.
Principles of data protection & privacy
Regardless of where your company markets to and which regulations you must comply with, it’s best practice to always apply these six general data protection principles.
Lawful, fair, and transparent processing
Data security, integrity, and confidentiality
Let’s look more closely at each of these.
1. Lawful, fair, and transparent processing
When companies process user data, it must be done in a lawful, fair, and transparent manner. The processing is lawful only if one of the following applies:
The data subject has given consent.
The processing is part of a contract or legal obligation.
The data must be processed to protect someone’s vital interests.
Processing the data is in the public interest.
Consent is a very important principle when it comes to data privacy. According to the GDPR, consent must be “freely given, specific, informed, and unambiguous”. When collecting data, companies should:
Be very clear on when consent is required.
Record how they seek, record, and manage consent.
Make it easy for people to withdraw their consent.
You cannot assume that informed consent is implied by the customers’ interactions with you. You must give them the option to opt in to your data collection processes.
2. Purpose limitation
Even when users consent to their data being used, the data must only be kept for specified, explicit, and legitimate purposes. In particular, the data should be used only for the purposes the user was informed of. For example, if you tell the user that you’re collecting data for research purposes, you cannot then use that data for marketing purposes.
Remember, just because you hold the data doesn’t mean you can use it for any purpose. You cannot use the data in any way that is incompatible with the purpose the user was told about when it was collected.
If users share data on the understanding that the data is private, you shouldn’t share it with the media.
If users share data with you about their experiences with your products, you shouldn’t sell that data to a market research company.
If employees share personal health-related data with you, you shouldn’t share that data with other employees or with healthcare companies.
In some cases, you may wish to use the data for more than its original purpose. If the new purpose may be incompatible with the original one, you should obtain fresh consent before using the data for the new purpose.
Suppose a bank collects customer data about their banking preferences and behaviors.
After checking the customer data, the bank realizes that some customers would benefit from better loan or savings offerings from the bank. In this case, the data use is compatible with the original purpose, so no further consent is necessary.
The bank then enters into a partnership with an insurance company. It believes some of its clients would benefit from insurance and wants to pass the customer data on to the insurance company. In this case, the data use is incompatible with the original purpose, so further consent is necessary.