Marketing is the sector likely to make the most data and privacy mistakes
12 Apr 2022
In the years since the GDPR was introduced alongside the existing Privacy and Electronic Communications Regulations (PECR), many marketing departments have implemented privacy and data security systems and processes to ensure customer data is held safely. However, the Information Commissioner's Office (ICO) is targeting how data is used more than how it is stored.
Last year, 16 enforcement notices or monetary penalties were issued for marketing offences (both GDPR and PECR) – the highest for any sector monitored by the Commissioner’s office. The largest of these fines was a budget-breaking £200,000, so marketing managers take note: this can seriously damage your career as well as your employer’s reputation and viability.
In most of the cases brought by the ICO, customer data had been used unlawfully for purposes outside its original remit. Ironically, one such firm made calls to people registered on the Telephone Preference Service (TPS), attempting to sell them software to block nuisance calls!
As with many areas of the GDPR’s wording, at times the definition of how (and when) data can be used and how this interacts with PECR is vague at best and confusing at worst, especially when it comes to email marketing.
Lenitha Bishop from The DPO Centre explains, "Although email is being used in ever more new and interesting ways by businesses to market to their customers, there are clear rules set by UK data protection law that put limitations on how it can be used to ensure individuals' privacy and data protection rights are respected. Marketers, therefore, must be aware of these limitations so they do not find themselves on the wrong side of the ICO."
When considering an email campaign to existing customers, from a database collected via a sales channel, GDPR and PECR have to be considered. At a time when there is pressure from the sales team to deliver leads, from finance to deliver on budget and from the creative team to meet the brand objectives, usually within tight deadlines, it takes a brave marketeer to stand up and advocate for data protection.
Lenitha explains, “At the planning stage of a business-to-consumer (B2C) campaign, it is important to know the difference between a marketing message and a service message. For a marketing message, you must gain valid consent from the recipients, whereas for purely service messages (like order confirmation emails) this requirement does not apply.”
She adds, “When using communications that contain both marketing and service aspects, these are considered marketing messages, therefore organisations must have two versions of the same service message – one with and one without the marketing element – to accommodate those individuals who have not provided their consent to receive marketing materials but still need to receive the relevant service message. This also relies heavily on the relevant records of consent being kept up-to-date. And we all know how difficult it can be to gain consent in the first place.”
However, nothing is as straightforward as that when it comes to GDPR! Whilst consent is required for sending the majority of B2C marketing messages, there is a ‘soft opt-in’ exception, allowing organisations to send marketing to existing customers about similar products or services without gaining explicit consent, provided they are given the option to opt out.
If you’re in any doubt about the validity of your campaign, always check before pressing send. Whilst the line between marketing and service messages is not always clear, in disputes regarding GDPR and PECR violations it is often a highly contested point that ultimately decides the case.
Be clear where the line is and tread carefully.