123 Reg logo Blog

What will new data protection rules mean for online marketing?

By Will Stevens - May 10, 2017

Data protection rules across Europe are set to change, and if your small business collects personal data from customers, then you need to know what’s happening.

The new set of rules is called the General Data Protection Regulation (GDPR) and it comes into force on May 25th 2018.

In this guide, we’ll take a brief look at what GDPR will mean for the way your business does online marketing.

Data protection – an overview

The aim of data protection laws is to stop unscrupulous businesses misusing personal information, and to make sure that businesses keep private information secure.

Personal information can be anything from someone’s name, to their credit card number, or other financial data.

Some examples of misuse include selling email addresses to spammers or sending unsolicited marketing material.

Put simply, if you collect personal information (and most businesses do) then if you misuse that information, or fail to keep it secure, then you could face a fine.

How will GDPR change the way I do online marketing?

The aim of GDPR is to introduce a standard set of data protection rules across the European Union.

In the UK, we already have a reasonably strict set of data protection rules in place, so businesses that comply with existing legislation won’t have to change a huge amount to make sure they comply with the new rules.

However, there are a couple of important changes which you’ll need to take into consideration, especially if you use the personal data you collect to send marketing messages to customers.

Put simply, if you want to market your business to someone using their personal information, then you need to get explicit permission.

For online marketing, that’s likely to mean asking users to tick a box indicting they’re happy to be sent marketing messages from you.

In the past, some businesses may have used a pre-ticked box and asked people to untick it if they didn’t want to receive marketing messages, but under the new rules this will not be allowed.

If any dispute arises about whether someone has opted in to receive marketing messages, it will be down to you to prove that they did – so make sure you keep a record of all opt ins.

Consumers will also have the right to ask you to delete any data you hold on them (regardless of whether that data is used for marketing), so bear this in mind when organising your records.

What about my existing marketing lists?

If you’re already marketing to people who actively opted in to receive messages from you, then you don’t have to ask them to opt in again when the new rules come into force.

However, if they didn’t actively opt in, you may need to get explicit consent from them to continue sending messages. It’s a good idea to err on the side of caution here and make sure you have this consent on record before GDPR takes effect.

Can I send marketing messages without permission?

Although getting permission for marketing messages is the best and safest option, you won’t always need it under the new rules.

Marketing messages are permissible if doing so can be considered a “legitimate use” of the data you hold.

For it to be considered a legitimate use, there must be a clear relationship between you and the person you send marketing messages to – for example, they may have recently purchased a product from you, or have an account with you.

To be on the safe side though, it’s best to obtain explicit consent wherever possible.

What about physical marketing messages?

If you’re sending out things like mailshots or special offers to customers, then GDPR rules will also apply to this kind of marketing.

What about Brexit?

GDPR will come into force in 2018, at least a year before the Brexit process is complete. That means whatever happens, there is a period where UK firms will have to comply with the new rules.

It is also possible that the UK will decide to keep GDPR rules even after Brexit happens.

What about non-marketing issues and GDPR?

As you might imagine, GDPR is a huge topic so we can’t cover every possible issue, nor can we address specific issues that might be faced by an individual business.

However, there is help out there. One excellent resource is the website of the Information Commissioner’s Office.

Its article on preparing for GDPR is particularly useful.