These slides are taken from a presentation our Compliance Director gave at the Festival of Marketing 2017. It covers the essential information you need to know about GDPR, answering the big questions for marketers.
1. Consent or Legitimate Interest?
General
Data
Channels
UX / CRO
The big question for marketing.
Public
2. Lawful basis
To process personal data under GDPR, you require a legal basis:
• Consent
• To perform a contract
• Legal compliance
• Protection of vital interests of a person
• Public interest or official authority
And the big one for marketing!
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
“the processing of personal data for direct marketing purposes
may be regarded as carried out for a legitimate interest.” Rec 47
3. GDPR, not E-privacy (PECR)
GDPR is not about permission to send electronic marketing
(that’s another law)!
GDPR is about all of the other processing you do behind the
scenes as well:
• Segmentation
• Targeting
• Profiling
• Data matching
• Screening
Example: electronic marketing needs to be compliant with both GDPR and the Privacy and Electronic Communications Regulations.
Just because you’ve got a tick box for electronic marketing doesn’t make you GDPR ready.
4. Consent
“any freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data
relating to him or her”
ICO “The GDPR sets a high standard for consent.”
“Remember – you don’t always need consent. If consent
is too difficult, look at whether another lawful basis is
more appropriate”.
You will need to be specific about any use you will be
putting the data to.
5. Legitimate Interest (this is the way many businesses have been doing it since 1998)
• Is it the most appropriate lawful basis for processing?
• Explain how or why we need an individual’s personal data
• Use a layered privacy notice/policy
• Give individuals the option to refuse marketing
• This right is explicitly stated, prominently displayed and it’s easy to exercise that right
• Collect the minimum data necessary and delete records after use
• Ensure you have a valid reason to process an individual’s personal data using your
legal legitimate interests
The processing of personal data for direct marketing purposes may be regarded as
carried out for a legitimate interest. Rec 47
6. The Balancing Test
Marketing is a legitimate interest of the data controller, but:
• Is the processing necessary for the direct marketing?
• Is any third party processing necessary for the purpose of direct marketing?
• Is there another way of achieving your legitimate interest?
• Would the individual reasonably expect this processing?
• Is the processing relevant to your relationship with the individual?
• Are you processing the minimum personal data required to meet your needs?
• Is this processing likely to harm or disadvantage the individual (what type of
marketing are you doing??!!!)
7. And finally…
Don’t wait for further guidance; work with what you have.
This law won’t go away, so act now while the current regulations are in place.
If whatever route you have chosen becomes damaging to your business or seems impossible, ask advice from the ICO or DMA; a better route may be possible.
Get someone in your organisation trained to Data Protection practitioner level.
The first step is the data audit; if you haven’t started yet, start one tomorrow.
Good Luck!