The General Data Protection Regulation (GDPR) affects any organisation that processes personal data. Elliot Fry of law firm Cripps considers the implications for retail marketing.
On 25 May, the GDPR, which governs the use of personal data, comes into force. All sectors are affected, and the implications for shopping centres vary depending on the type of marketing you plan to carry out.
Indirect marketing, such as posters or flyers, is unlikely to use any personal data, and is therefore unaffected, whereas direct marketing, such as emails or texts, inevitably uses personal data and is therefore affected by the new – more onerous – rules.
At this point it’s also worth considering the penalties for failure to comply: up to €20m or four per cent of worldwide turnover (compared to £500,000 previously). The reputational damage could also be significant, as people are becoming more aware of data protection issues.
Brexit is also irrelevant here. The GDPR may be EU law, but a domestic version of the same regulation is working its way through Parliament. To avoid the penalties, shopping centres must be compliant.
If you are at all uncertain about meeting the new requirements, you should seek legal advice, but here are some of the key issues around the GDPR and marketing.
Current law already requires you (except in very limited circumstances) to have an individual’s consent before you send marketing emails or texts. The GDPR raises the bar for the standard of that consent. Consent must be freely given, as opposed to bundled in with terms and conditions. It must be specific and informed, which affects consent given via a third party. It must also be unambiguous, so pre-ticked boxes are not appropriate.
The new consent standard also applies to historic data, so as well as changing your practices going forward you need to review your existing databases. Any marketing communications should also come with a clear ‘unsubscribe’ option.
As an extra consideration, you must ensure your suppression list (also known as the ‘do not send’ list) is maintained and respected.
Consent is not always required for this, although you should comply with any requests to be taken off a mailing list. Cleaning mailing lists against the Mailing Preference System (MPS) is also important.
What to do
Any direct marketing campaign must be carefully considered to ensure you have the appropriate consent or other basis to send out marketing materials to your audience.
Be careful when considering any “re-consenting” exercise with your existing database, as asking for permission to send marketing material is itself a marketing message. A good data protection lawyer should be able to advise you on the best steps for your shopping centre’s individual situation.
Finally, paperwork is vital. Keep a record of all consents, the direct marketing you carry out, and what basis you do it on, as part of your wider GDPR compliance project.