What GDPR changes in SMS marketing, or the honesty of the marketer

GDPR is a hot topic for marketers who mostly communicate with the market using collected customer databases. Especially in the area which specializes in working with databases – SMS and e-mail marketing. For a few months now there has been a discussion in this field about the changes that the new regulation will bring, which in fact emphasizes… the quality of the marketer’s work. Why was the GDPR introduced?

The aim of the GDPR is not a revolution – because at the current level of development of European markets, there is no problem with the lack of respect for personal data. The guidelines are aimed at meeting the challenges of the digital world, where data processing is not just saving contact information in subsequent columns, but also a complicated technological process. The GDPR is also an element of the broader EU policy known as the European Single Market – implementation of which is to increase the competitiveness of the EU economy and secure digitization of particular areas of activity of the EU countries. As in the case of previous legal actions (e.g. the introduction of Euro or of Schengen area), the most important is not the creation of a new regulation, but the unification of the community law, which will facilitate how companies operate in the European Union.

GDPR – what is that?

The Act on the personal data protection sets the direction, but does not always specify how to follow it. Vagueness is a feature of this legal act. In each member country GDPR provisions are made more specific with special regulations, which will soon be replaced by a new law covering this issue. The new regulation will primarily concern the role of the supervisory body, the principles of supervision over ensuring the protection of personal data, the principles of cooperation aimed at the protection of personal data and the penalties necessary for the effective performance of supervision. The Act will also regulate issues concerning the rules of accreditation of certifying entities participating in the new certification procedure. Entrepreneurs will therefore have to rely directly on the GDPR in terms of norms governing the protection of personal data.

With the GDPR you have to look more broadly

The current regulations indicate five principles adopted in the protection of personal data: legality, intentionality, substantive correctness, indispensability and time limitation. Until recently, for the marketer, these were the main determinants in thinking about the protection of customer data.

From the perspective of the GDPR, the subject of data protection is treated somewhat broader. The regulation is guided by seven new principles: purpose limitation, data minimization, accuracy (processing correct data and, if necessary, updating them, and in the event of impossibility of rectification – removing it), storage restrictions, security and confidentiality (data must be processed in a manner ensuring adequate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage) accountability and compliance with the law, reliability and transparency. This approach is very close to the current one. The difference arises with regard to the planning of data processing.

The data processing process is to be additionally based on two concepts: “privacy by design” and “privacy by default”. The first of the terms refers to privacy at the design stage. The point is that even before processing personal data, the controller will have to design security measures adequate to the anticipated risk. The second term refers to the assumption that privacy protection is to be fulfilled automatically (unless the customer does not wish it). An example of how it works in practice; e.g. checkboxes which, according to the privacy by default principle, cannot be selected by the data controller by default. Therefore, one must think about data protection as a whole, already during the planning of marketing campaigns (and even: planning a new product).

Databases under the microscope

Outlined legal changes are moderate, but there is a lot of excitement in the industry, especially in e-mail and SMS marketing. The reason is simple – the most important in these two areas is the mailing base, which is the key to the success of the campaign. According to the SMSAPI study “SMS communication in companies“, 94 percent of the companies prepare their own bases by themselves. From the marketing perspective, this is the best approach – such database includes the company’s customers or people interested in it, so its effectiveness is higher than in case of the purchased database. After the entry into force of the GDPR, creating own bases will also pay off in a different way.

When the entity creating the database is its controller, he or her is confident that he has fulfilled all the obligations imposed by the provisions of the regulation, so that processing of the obtained data will be legal. The person whose data will be processed must, among others, include all entities that will use the data. In the case of purchased databases, if their owner is not able to predict which particular companies will buy the base, its use in accordance with the new law will be difficult. Until now, it was not required to indicate all entities that will use it in the future at the stage of creating the database. It is worth considering purchasing a database after the entry into force of the GDPR, so as not to lose money. In addition, all entities involved in data processing are important from a technological perspective. The project assumes existence of the so-called data processing processor. It is an entity that processes the database, e.g. as a manufacturer of the software used by the customer – the owner of the database.

GDPR grants a number of rights to the user who submits their data to the company. They have access to the content of their data and the right to rectify it, delete it, restrict or oppose its processing. They can also obtain the copy of their data and the right to transfer data. The user can also withdraw the consent expressed to the controller at any time. The database controller must also take this into account at the technological level – that is, create flexible systems that will allow for effective implementation of the above-mentioned rights. In addition to the indicated rights catalogue, if the controller violates the provisions of the GDPR, the person whose data is processed has the right to file a complaint with the supervisory body.

The role of consent

In order for the database to be created, after presenting the data subject with the information clause formulated in accordance with the requirements of the GDPR, the customer must be asked for permission to process his or her data. At this point, GDPR puts quite specific requirements, namely: the legislator points out that the consent must be:

1. Conscious, concrete, unambiguous
2. Written in simple, intelligible language
3. Linked to the company’s information policy
4. “Clear”, i.e. It cannot raise doubts as to whether it was expressed
5. Related to the specific purpose of the processing – in a precise way defining what it concerns and what is the time frame for the duration of consent
6. Voluntary
7. Withdrawable – the customer can at any time ask to remove his consent from the database (and the withdrawal of consent must be as easy as its expression)
8. If the activities concern minors – required is consent of the legal guardian (in the case of children who are under 16 years of age, because children aged 16 or over may give their consent to the processing of personal data themselves. Member States can reduce this age limit to 13 years).

For the marketer all the above elements are very important. The point no. 3 may require further specification. 3. “Link to the company’s information policy”. Insofar, not every company had a written information policy, most often it resulted from the culture of the organization, rather than from a document. However, if you plan data collection, such document must be created – here too the regulation sets specific requirements. The standard information policy should include:

• controller data,
• data of the personal data protection officer (if his or hers appointment in a given enterprise is necessary)
• the purpose of data processing and the legal basis,
• the right to object or withdraw consent,
• data source, if you collect it from other entities,
• to whom you intend to share data,
• information on whether data is transferred to other countries and international organizations.
• the planned period of data storage,
• information about the rights of a natural person,
• the right to lodge a complaint with a supervisory authority,
• whether the provision of data is voluntary or mandatory, whether it is a condition for the conclusion of the contract and what are the consequences of not providing the data.
• information whether the data will be processed in the form of profiling.

These are not the only changes that result from the GDPR. The company’s responsibility will be greater in terms of ​​data risk assessment as well as the type and content of documentation needed to administer the data. Often, it will also be necessary to appoint a personal data inspector (PDI). In e-mail and SMS marketing, the processing of data of thousands of customers is highly likely to require supervision over the proper execution of the entire process. Especially in the context of possible data protection shortcomings – almost every violation must be reported to the appropriate supervisory authority no later than 72 hours after the violation is discovered (unless it is unlikely that this violation results in the risk of violating the rights or freedoms of natural persons.), and sometimes also directly to the person concerned. This obligation is imposed on the data controller, who in practice will be filling it with the help of PDI.

What to do with an old database?

The GDPR guidelines are important for companies both on the general and detailed levels. However, what should be done with the outcomes of the work up done up to this day – will the previously obtained consents be invalid? The answer to this question is given in recital 171 of the GDPR preamble, which speaks of two possibilities. The first case occurs, when the consent was collected in accordance with the expectations set by the GDPR: it is very likely that no update of such consent will be needed. However, the second situation, when the consent does not completely meet these assumptions or cannot be found, obliges the controller of the database to settle these obligations before May 25, 2018, i.e. before the entry into force of the GDPR, or to not use such contact data any longer.

New base

The creation of a new database will no longer require reporting it to the supervisory. The collector will keep a register of processing activities (entities that employ fewer than 250 employees will be exempt from the obligation to keep a record of processing activities), in which he or she will register personal data files that he or she processes. Already at the stage of creating new solutions, you will have to take into account the longer perspective of working with personal data, predict the risk and design adequate organizational technical measures that will allow you to secure the base. This thinking will also apply to the design of future business activities – you will not be able to collect data “just in case it may become useful”. In accordance with the principles of purpose limitation and data minimization, collected is only the information that is necessary to achieve a given purpose. For example, when you are planning an SMS campaign, you only need telephone numbers, not necessarily the favourite music genre.

Marketer, sleep well (if you have a clear conscience)

The GDPR emphasizes the importance of the customer’s rights to control personal data, which is related to the well performed work of the marketer. In a work where the main area of ​​tasks is the effective sending of SMS or e-mails, the most important are the databases. The high quality of the bases is guaranteed only by a pure approach, based on permission marketing, that is only contacting customers who have given their informed consent to it. If so far the process was legible for the user and compliant with the law that is in force, the marketer can sleep peacefully.

For more information please contact:

Jan Wieczorkiewicz
Data Protection Officer
LINK Mobility Group