Marketing breaching GDPR is a real issue! The General Data Protection Regulation (GDPR) has had a profound impact on how businesses communicate with prospects and customers, and how they conduct their marketing. There are still businesses that believe that once users consent to their marketing campaigns, they can use the gathered personal data however they want.
But this can get you in a world of trouble!
GDPR is much more complex than getting consent from visitors and users. While many news outlets have placed emphasis on how consent is handled, it’s actually about the way businesses handle and protect personal data, what they use it for, and how they seek permission to use it.
GDPR is not a directive – it’s a regulation, and it’s legally binding. Companies could easily breach GDPR with their marketing efforts, and here are the 6 common ways it can happen:
#1 Contacting people without active consent
GDPR regulates consent in extensive detail, and according to the regulation, consent must offer real choice, and users have to be in charge! It needs to be prominent, and users should have no issues understanding it. It should also always be requested on its own, not as part of any terms or conditions.
The only valid consent according to GDPR is a positive opt-in, and it requires you to disclose any third parties that rely on that consent. You should also provide an easy way to withdraw consent.
#2 Automatic opt-ins
Automatic opt-ins were a common method to trick users who weren’t paying attention to consent. Such tactics are considered predatory and count as marketing that breaches GDPR. Any tick boxes that are pre-ticked or say “click to opt OUT” are a huge breach.
Remember: The only type of consent accepted under GDPR is a positive opt-in.
#3 Poor lead lists and storage
Where are you storing your lead lists? While it’s very convenient to have them readily available on a shared Google Drive or OneDrive document, that’s a very poor practice and definitely a GDPR breach if you have the link set to public for sharing.
Your leads list should be secured and encrypted, and shared only on a need-to-know basis.
How long you keep the information is also important. Under GDPR’s data minimisation principle, holding information for too long is a marketing GDPR breach, so it’s important to delete it as soon as you don’t need it.
#4 Obtaining lists without confirmation of consent
One way marketers fill up their sales pipeline is with purchased lead lists. There are a lot of third-party lead generator sites that are willing to sell lists to you. But you have to be careful when buying lists.
If these generators don’t have active consent from users on distributing their data to other parties, then YOU will be the one who’s breaching GDPR as soon as you contact those prospects.
You always need to have proof that they consented to be contacted by you, whether they gave the consent to you directly, or through third parties.
#5 Ignoring erasure requests
Users who have given consent to collect and process their data have the freedom to withdraw that consent at any time. They can also request that you delete all the data that you have gathered on them. Not answering those requests is considered a marketing breach of GDPR.
Do you know how to erase data? Do you know how much time you have to get back to them once they send a request?
GDPR states that you must act within a month of receiving the request, but there are also instances where you can extend response times; for example, when the user made multiple requests or in case the request is very complex.
#6 Accidentally sharing email addresses
Accidentally sharing any personal information is considered a breach under GDPR.
Surprisingly, emails are a very common reason behind a data breach. Emails that are sent to the wrong recipient are the most common mistake, as well as emails with unprotected attachments.
An accidental data breach is still a data breach, so make sure your emails are secured and encrypted. This way, even if they are accidentally sent to wrong recipients.
Update: The ICO is sharing more and more information on specific circumstances, and it’s interesting to note that a business email is protected under GDPR IF it contains the ability to identify someone properly. The most common way is: [email protected], so with that in mind you should be wary about contacting businesses as well! Check out this page by the ICO about marketing to businesses here: https://ico.org.uk/for-organisations/in-your-sector/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr/
For more information on GDPR email compliance, check out the 5 ways your emails could be breaching GDPR HERE >>> https://towerwatchtech.com/5-ways-your-emails-could-breach-gdpr/