From May 2018, the GDPR will affect all processing of personal data including email marketing. This session will outline the key impacts on marketing consent and profiling, and provide practical ideas on how to make your email campaigns legal.

1. 10 key marketing impacts of the General
Data Protection Regulation (GDPR)

2. GDPR Current position
• GDPR final text was published April 2016 –
despite Brexit, it goes into force May 2018
• It applies to all organisations processing data
on behalf of EU citizens
• It’s a Regulation not a Directive: the same in
all EU countries
• It’s big and complex: comprising of 99 articles
and 173 recitals
• It’s broad: covers all types of processing of
personal data, B2B and well as B2C, by data
processors as well as data controllers.
• Consultation began Spring 2016 to replace the
current ePrivacy Directive
UK citizens will no longer be EU
citizens after BREXIT. But the UK
will still want free flows of data.
So the UK is likely to create its
own DP laws for UK citizens,
which are expected to be
broadly similar to GDPR.
Please note: No final guidance has been issued
yet by the ICO – expected later in 2017

3. 10 January 2017 New ePrivacy Regulation text

4. “Privacy is a fundamental right. It is on a par
with other fundamental rights, it’s not a
political position. So whatever business models
you develop you will have to respect that right.
It is not negotiable. Full stop.”
Dutch MEP Sophie Veld

5. New Data Protection Regulations
GDPR ePrivacy

6. GDPR: Key Impacts for Marketers
1. Broader definition of personal data
2. Need for transparency & provision of information
3. Accountability & requirement for evidence
4. Tougher to gain consent for marketing
5. Use of legacy data restricted
6. Processing under Legitimate Interests in place of consent
7. Safeguards on profiling
8. Impacts on the database
9. Data Subject rights
10. Responsibilities of data controllers and data processors

7. Broader definitions of personal data
‘Personal data' means any information relating to an identified or
identifiable natural person ('data subject'); an identifiable natural
person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person
Much broader definition, so
more activities
will become regulated

8. New Principle: Transparency
The principle of transparency requires that any information and communication relating to the
processing of those personal data be easily accessible and easy to understand, and that clear and
plain language be used.

9. Transparency – Requirements for Privacy Policy
• Who is the Data Controller?
• Their contact details
• What are the legal bases and purposes of processing?
• Are Legitimate Interests being relied upon by you or
third parties?
• Who the recipients of the data may be
• If the data will be transferred outside the EU and how
this is protected How long will it be stored?
• How to exercise rights
• The right to withdraw consent
• The right to complain to the Supervisory Authority
• Whether data is required for contractual purposes and
the consequences of refusing
• Whether profiling with legal effect exists (also other
profiling)

10. 39 of the 99 articles require evidence
to demonstrate compliance
New Principle: Accountability
You will need evidence to prove compliance

11. Tougher requirements for consent
Consent of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Pre-ticked boxes will not be valid consent
• An end to conditional (tied-in) consent
• Must be collected in an ‘intelligible and easily accessible form, using clear and plain language’
• Must be as easy to withdraw as to give consent

12. Consent requires a positive opt-in. Don’t use
pre-ticked boxes or any other method of
consent by default.

13. Example statement wording
At xxxxx, we have exciting offers and news about our products and services
that we hope you’d like to hear about. We will use your information to
predict what you might be interested in. We will treat your data with respect
and you can find the details of our Contact Promise here.
I’d like to receive email updates from xxxxx based on my details
You can stop receiving our updates at any time.

14. (171) Directive 95/46/EC should be repealed by this Regulation. Processing
already under way on the date of application of this Regulation
should be brought into conformity with this Regulation within the
period of two years after which this Regulation enters into force.
Where processing is based on consent pursuant to Directive
95/46/EC, it is not necessary for the data subject to give his or her
consent again if the manner in which the consent has been given is
in line with the conditions of this Regulation, so as to allow the
controller to continue such processing after the date of application
of this Regulation. Commission decisions adopted and authorisations
by supervisory authorities based on Directive 95/46/EC remain in
force until amended, replaced or repealed.
Use of Legacy Data

15. Email re-permissioning
under fire

16. Processing under
‘Legitimate interests’
Legitimate interests can be used provided that the interests of
the data subject are not overriding; must be within reasonable
expectations of data subjects
“The processing of personal data for direct marketing purposes
may be regarded as carried out for a legitimate interest”
Recital 47

18. Where does that leave email?
• PECR will still be in force in May 2018
• PECR “trumps” GDPR
• Soft opt-in can still be used
(effectively legitimate interests for
email)

19. Profiling becomes regulated
‘Profiling' means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal aspects
relating to a natural person, in particular to analyse or predict aspects
concerning that natural person's performance at work, economic situation,
health, personal preferences, interests, reliability, behaviour, location or
movements.
It’s a very broad definition:

20. Not all profiling is equal
Profiling with legal or similarly
significant effects
Consent required
Profiling for direct marketing
Right to object

21. E Privacy draft - rules on cookies
• Users must be given control of any privacy-sensitive
information stored on their devices, without having to click on
a banner asking for their consent on cookies each time they
visit a website.
• Browser settings will offer an easy way to allow or refuse
cookies: browsers will not have to default to ‘no cookies’.
• Analytics cookies (e.g. counting visitors) will not require
consent.
• No consent is needed for non-privacy intrusive cookies which
improve internet user experience, e.g. to store items in a
shopping basket.
• Requirement to revalidate cookie consent every 6 months - not
clear how that will take place.

22. Example of where a consent
statement is recorded in the
CRM system
Impacts on the database

23. ICO Draft
Guidance
on Consent

24. Data Subject Rights
Data subjects have the right to
object to direct marketing and to
profiling.
These rights must be brought to
the attention of data subject
“clearly and explicitly and
separately from other
information” at time of collection
or in the first communication.
Other rights
• Erasure
• Access
• Portability

25. Responsibilities of controllers & processors
• Both data controller and data processor can be held
responsible for any damage suffered - material or non-
material
Impacts
• Detailed written contracts need to be in place for 2018.
• Sub-contractors must be notified to Controller and should
be bound by same terms as main Processor.
• Data Protection Certification schemes will be developed by
Regulators but will not be compulsory.
• Clear written instructions will be necessary.

26. The information provided and the opinions expressed in this document represent the
views of Opt-4. They do not constitute legal advice and cannot be construed as offering
comprehensive guidance to the Data Protection Act 1998 or other statutory measures
referred to.
The original content of this document is the intellectual property
of Opt-4 and may not be reproduced without permission 2017 ©