Let’s have a chat about GDPR…

Posted on Posted in Marketing

‘Right, I’ve had enough’ I said this morning to my business partner. ‘If I get one more email telling me unless I go through a complex series of processes the sender will never speak to me again, I shan’t be responsible for my actions…’.

Someone said to me recently: we seem to be going through a process similar to the Millenium bug. People are terrified, panicked by four letters:

G D P R

At Limeslade, we’ve been avoiding talking about GDPR because it’s a horrendous bandwagon. But we’re growing so tired of people following the lemmings to the cliff, it’s time to have that conversation:

Part of the problem is that the General Data Protection Regulation is quite long – about 64 pages. So none of the petrified people have the time to read it. In fact, a lot of the document doesn’t apply to most people. Much is taken up by its application in the field of medical care and work with vulnerable people. Relatively little of it is actually applicable to activities normally carried out by legitimate businesses.

I even had an email recently from an organisation to whom I pay substantial sums each year to receive information. They told me they wouldn’t send me the information I pay them for, unless I opt-in to their mailing list. Unbelievable stuff.

There has been scaremongering galore.

  • You’ll be fined 4% of turnover“,
  • “Your business will face collapse“,
  • etc etc.

Throughout this process, I’ve been reminded of my days in law school and the words of Lord Goff of Chieveley in Commercial Contracts and the Commercial Court (1984) LMCLQ 382, 391:

“We are there to help businessmen, not to hinder them; we are there to give effect to their transactions, not to frustrate them; we are there to oil the wheels of commerce, not to put a spanner in the works, or even grit in the oil.”

It’s as simple as that.

I don’t believe anyone in the legislature or judiciary intends us all to stop marketing tomorrow. They don’t even want us to re-draft our marketing lists and start our businesses over again. They simply want to try and stop people data mining and selling viagra where it’s not wanted. I’m going to put my neck on the line, and say anyone who tells you they can’t speak to you unless you explicitly consent hasn’t read the regulation and they’ve been badly advised.

There are, as I keep reminding people, SIX legal bases for processing data, each of which have equal validity in the eyes of the law. Two of them are:

  1. Consent – which must be clearly given, but can be given verbally. You don’t need anyone to tick a box on a website, or as I saw recently, print out a word document, sign it and send it back!
  2. Legitimate Interests – this is the important one. Is it in the legitimate interests of the person for whom you’re processing data or for you to process that data?
Eurovision GDPR Moment
Thanks to @thePoke for this gem

Marketing, joyfully, is even listed by the GDPR as a recognised legitimate interest. Hurrah! A sigh of relief goes out around the world… BUT: you need to make an assessment, document the findings of that assessment, make sure you’re not being intrusive, and have careful regard to the processing of children’s data (unlikely to affect any of our clients). Basically, be responsible about it all.

But above all. You DON’T need to email everyone, spamming their inbox with unnecessary emails. You don’t need to claim that unless they ‘opt-in’ or whatever language you choose to use, you’ll never speak to them again. In fact, in the example of the society above, they’d made it so complicated to opt in, their route to opt-in was probably in breach of the legislation anyway!

If you need any help with this stuff, I’m happy to help. Unlike a lot of people, I’ve actually read (most of) the regulation. And because it makes me so cross that there’s so much misinformation out there, I’ll provide you with all the necessary tools and data completely free of charge. Or you could just read this page.

NB – the above is for marketing purposes. There are other implications in terms of security and other activities, retention and reasons for processing data, but at the time of writing, the above is understood to be the correct position in terms of processing data for the purposes of marketing with legitimate interests to do so.