GDPR and Marketing Webinar

Transcript of the Video

Good afternoon, ladies and gentlemen. Suzanne Dibble here, data protection law expert. Okay, well good to see you all here. We had over 1200 people register for this session, so it should be a good one. Lots of 'hellos in the chat box, hello, hello.

Okay. So, awesome to be here with you all. I know I've obviously been communicating with lots of you in my Facebook group, but there's nothing quite like a live webinar so thanks for making the time to come and attend this. Now we've got a lot to cover in an hour and a half so I'm going to crack on. Just to say first off, please don't multitask. The usual webinar speech at the start of the training. But this is a really complex legislation and if you're trying to do it whilst you're half on Facebook, or listening to the radio, or whatever, you're not gonna get much out of it, you may as well not bother. So distractions off, pen and paper and do feel free to ask questions in the chat box. I will be glancing at them every now and then, although with the number of people on the call I'm not sure how many I'm going to be able to get to, but please do ask your questions in the box and I will glance at them and look at them at the end as well.

Okay. Good. All right. Let's get kicked off then, and I shall share my screen.

On this webinar we're going to be talking all about marketing and this is where the thrust of most of the questions are coming from but please of remember that GDPR affects so much more than marketing. If you've got employees, it affects your employment relationship, obviously there's the security side to think about, there's the data subject rights side, the enhanced rights that they have. There's a much bigger picture than marketing but because that is where the main interest lies, I've decided to do this webinar purely on marketing. Okay? Thank the lord.

Okay. What we're gonna be looking at. We are gonna do an overview of GDPR because I hope that the vast majority of you have watched my overview training that is in the pinned post of my Facebook group, but if you haven't I'm gonna do a very quick overview of what it's all about; the principles, looking at how the principles overlay the marketing and sales cycle; have a very quick look at the lawful grounds of processing; and then we'll get into the meat of it, which is talking about things like consent and opt-ins, whether you need to obtain fresh consent. If I had a pound for the number of times I've been asked about whether you need to obtain fresh consent, I'd be very wealthy right now. And legitimate interests and PECR and then we'll look at some really specific marketing examples. Okay, is that all good?

Okay, there's still a delay on your messages, so I'm still getting, "Yes, this is a good screen." "No, this is bad screen." "This is black." "Yes, we can see you." Et cetera. So I think it takes a bit of time for the messages to catch up.

Now I'm not gonna tell you who I am again, because hopefully you know all about me and hopefully you also know that GDPR comes into effect on May the 25th, 2018. Now it was adopted two years ago, so if you hear people say, "It's been in place two years already, we've just had a two year grace period." We haven't. It was adopted on the 25th of May, 2016 so in theory we have known the text of GDPR for two years, but of course what doesn't happen two years ago was we didn't have all the guidance notes, we didn't have ... I mean, they are literally just coming out. The guidance notes. I mean, we saw the working party guidance on consent only came out last week, well the final version for now. So we're dealing with a bit of a constantly moving feast here. So yes, we have had two years to, in theory, put it into effect but in reality, probably most of you have only found out about it in the last couple of months because the government haven't written to every business owner to tell them about GDPR, it's kind of been up to us to find out about it.

Now we've got just over a month to go, and there are definitely some steps that you need to be taking now in order to be working towards compliance and, not just on the legal side, but for your marketing side to be effective going forwards. Now for those of you who are on this webinar who are not based in the EU, then hopefully you're on this webinar because you've found out that it does affect you if you are outside of the EU but you're offering goods or services to, or monitoring the behavior of EU residents. So well done you for being on this webinar and working out that it does apply to you.

Now this nice lady here, Elizabeth Denham, is the lady responsible for implementing GDPR in the UK. What a job to have, is my view. But she says, "This is about more than legislative box-ticking. Accountability is at the center of all this. Getting it right today, getting it right in May and getting it right beyond that." So although I think there's certain steps we need to take before May the 25th, to get our ducks in a row, this is an ongoing obligation. It's not just a tick the boxes, put it in the draw and you're all done with it after May the 25th, it's an ongoing thing so it really has to... Privacy has to be, and data protection has to be, at the heart of the organization.

You all know about the fines, there's been lots of scaremongering headlines about the 20 million Euro fines, or 4% of global turnover. I was working out Facebook's, their global turnover for last year, if they were fined the maximum amount on the Cambridge Analytica case, and they'd be looking at a fine of 109 billion. Okay, so that's how much teeth this GDPR has, even if you don't have Facebook's turnover, you're potentially looking at fines of up to 20 million. Now saying that, you know my approach to this. If you've seen any of my videos in the group, you know that I am in no way a scaremonger, I ...

Okay. So, for you guys, as I've already said, the real risk is in brand and reputation damage. It's in customers complaining about you. It's about competitors trying to trip you up. It's about vindictive people trying to catch you out and just causing you sleepless nights, really, which, let's face it, we could all do without. So far better to take some simple steps, get your house in order and not have to worry.

The opportunity for us marketers. For me, I'm more actually embracing this as an opportunity to get better at my marketing than as a compliance tick-list to go through. I know that my own database is, it's not well tended. Let's put it that way. I have been, I hold my hands up, I have been a lazy marketer over the years and I have a fair amount of my list that is not engaged with me. Now I'm taking this as actually a really good kick up the bottom to think, "Okay, I need to be more actively thinking about what kind of marketing I'm giving to my audience. What's gonna really excite them, what's going to engage them? And for the people that really aren't that bothered about it then that's great, off you go. Because you're impacting on my email deliverability for the people that actually do want it."

So I think we've got to view this, as marketers, with two hats on. We've got to view it with ... Yes, it can be viewed as a pain to have to go through all this exercise to do with the law. But actually, if you look at it for what it is, it actually makes really good marketing sense, doesn't it?. So if we put in a bit of time and effort now, our marketing is going to be much better, we're going to comply with the law, we're going to have a competitive advantage and I think this is a really important point.

Okay, so this is the key point here is about competitive advantage. Now, as I did a video on recently, the ICO is, at the moment, doing a public facing campaign about ICO. Okay, so customers are going to become more savvy about data protection generally, about their rights, and understanding what you can and can't do with their data. Now if they start asking you questions about, "What are you doing about GDPR?" And you look blank, or even worse say, "Oh, that's a load of old rubbish. We're not going to be doing anything about that." That is not going to look great to your customers, is it. And we've seen that in the Facebook group already, there was somebody who went to, I think it was, Zippy Courses ... Direct Help and Zippy Courses ... Went to them a month or so ago and said, "What are you doing about GDPR?" And they basically came back and said, "Nothing to do with us." But because then they had 10 or 20 more queries from people about it, they thought, "Hang on a minute, we need to know what this is and start taking steps to compliance." And they did, all credit to them, they did do that.

There's a real opportunity here, and I hope that you've seen from my group, certainly, I'm here to encourage people to do the sensible thing, the proportionate thing. We can sit there and debate the academics of the, "Can you do this?" Or what you can't do. What I hope that I'm here to do, well what I am definitely trying to do, but what I hope you're getting from it is a risk analysis. A balanced approach. If you're asking me, "Should I be doing this in my business?" I'm not the kind of person that's going to say to you, "No, you can't do that." I'm the kind of lawyer that's going to say, "Here's what it says, and here's the guidance, but in my view the risk of anything happening in terms of a fine or anything like that is very low. So it's up to you if you want to take that risk or not." If you want an academic group where you spend hours debating the nth degree of the words in the act, it's not the right group. I want to give you sensible balanced advice that you can take forwards.

Alright, so, personal data, we know what that is. The information relating to an identified or identifiable natural person. So, names, email addresses, addresses, et cetera. it extends to cookies, IP addresses, et cetera. it's really broad. Processing; because for GDPR to apply, your processing personal data. That's what it's all about. Processing definition; really wide, okay? It includes just holding the data. So some people have said, "But I'm just storing the data, I'm not even sending any emails out." It doesn't matter, it's still processing.

Now what I would love you all to do is to get really familiar with the data protection principles because these are almost like your guiding stars. If you have a question about the minutia of can you or can't you do something, if you understand the data protection principles you won't go far wrong. So they are things like ... and I'll pop them in the group, they're in there in overview video already. But things like, particularly relevant for marketing, it's the fairness and the transparencies. The transparency, being you're telling people, you're being really upfront about what you're doing with their data, and that is of course what you'll have in your privacy notice and in any tick boxes that you have underneath your opt and of anything like. We'll get onto that bit in a lot more detail later.

But you have that in mind, just be really upfront with people about what you're doing with their data, you won't go far wrong. There are five other principles that I'm not going to go into on this training, but if you're not familiar with the data protection principles then go and watch the overview training, because like I say, they will inform your decisions about things that are on a finer level of detail that only apply to you.

I'm going to skip this slide for because we have had such a detail on the tax side of things, but is it's in the main overview training. And what I've done is I've overlaid the principles onto a sales and marketing life cycle. If you haven't seen that already, go check that out. Stage one; data collection, you're looking at the principles of transparency and data minimization. What does data minimization mean? It means you're only asking for as much data as necessary in order to enable you to fulfill the purpose that your processing that data for. So arguably if you've got a freebie, you've got a lead magnet that you want people's name and their email address. You don't want their inside leg measurement. So have a sense check on what is the data that you actually need to be able to fulfill the purpose.

Now, the slide that I would like you all to really pay some attention to is the legal grounds for processing, because as marketers we get very caught up on consent as a ground for processing. In fact, what I'm going to do ... I think I might turn my slides off and then you can see me instead. Lawful grounds for processing, we do get hung up on consent and opt-ins and all the rest of it, just remember it's not the only grounds of processing. As marketers, the other very relevant ground is legitimate interest.

Now I've done a number of videos on legitimate interest in the group, but just as a quick reminder legitimate interest is a; it is a legitimate interest because recital 427 tells us that direct marketing is a legitimate interest. So you have to find a legitimate interest. We're told that direct marketing is one, which is great, but then you have to carry out this balancing test, which is where you have to look at the impact on the rights and freedoms of the people that your sending the marketing to. So there is this fine balancing test. And if you bought my pack, you'll have seen that there is a legitimate interest assessment form in the pack and every time you decide to really on legitimate interest, because it is such a gray area, then you need to fill one of those forms out so that if there is every a complaint or an investigation then you have that form on record and you can show that as part of your decision making process.

But what there has to be for legitimate interest is a relevant and appropriate relationship, and you need to look at whether the individual would reasonably expect their data to be processed in the way that your processing it. So certainly in my view, for sending emails, marketing to existing customers, particularly where you're sending emails that are very relevant to the products or services that they've already bought, then in my mind that would fall under legitimate interest, because you've got that close relationship there. You've got that relevant and appropriate relationship. But as I say, it is a gray area. You also have to be mindful of the fact that people can object to legitimate interest processing and you have to give them the right to object to it.

With direct marketing, it is an absolute. So if someone says, "I object to you processing my data for marketing purposes under your grounds of legitimate interest," you have to stop marketing to them. So if you just think about that in the same way as an opt-out, you need to give it to them at the point that they give you their data and then remind them of it on every communication. But there's much more in the group about legitimate interests.

What we're going to be focused on is consent and some specific examples about marketing, but I just want to just again underline the fact that we're not just talking about consent here, there is legitimate interest at place as well. And again, it all depends on your appetite for risk. I'm quite a risk-taking lawyer, I would be quite happy to rely on legitimate interest for quite a lot of what I'm doing.

Okay, so, let's talk about consent. Now, as I hope you all know, if you've watched any of my videos, there is a higher standard of consent with GDPR. Let me tell you what consent is under GDPR. Consent should be given be a clear, affirmative act establishing freely given specifically informed and unambiguous indication of a data subject's agreement of processing of personal data. The key elements there are it's an affirmative act. So it's got to be a positive action, an actual action taken by the data subject. Pre-ticked opt-in boxes, you can no longer do that. opt-outs, you can't do that either and opt-out is where you say, "Unless you tick this box, we will do 'x' with your data." Because the data subject isn't actually taking an action. They might just not read it and that is no longer sufficient under GDPR.

The next element there that is interesting is 'freely given' and there's lots of guidance around what freely given means. Certainly if there is bundled consent in the sense of you might have a tick box that says, "By ticking this box you agree to us sending you details of goods and services that we feel may interest you, and also to our carefully selected partners also sending you marketing information." Now that would not be sufficient under GDPR because you haven't given people genuine choice and control about what they want to receive. They should have been two separate tick boxes. So you'd have one for the stuff from you and a different tick box for the receive from third parties. If you have it bundled together then that's not freely given.

It needs to be specific informed and unambiguous, and that's where you need to have a good privacy notice at the point of sign up that is telling people exactly what you're going to be doing with that data, and you would have a link to the privacy notice under where they are entering their details. Obviously there's a privacy notice in my pack. There's a number in there now and I think about to do another one and please, I don't care whether you buy it from me or not, but make sure that it is a reliable source and that you don't try and cobble it together yourselves because you'll miss a lot unfortunately. And also, please don't just copy them from the internet that can get you sued for breach of intellectual properties rights. This is one-off, get it right now and it lasts forever. So it's best to invest a bit of time and resources in doing it properly.

Okay, so, as I've said, no more opt-outs, no more pre-ticked boxes. You need to use clear, plain language that's easy to understand. You need to give them genuine choice and control, transparency about the purposes of the processing, and that's in the privacy notice. Wherever possible give this separate granular options to consent to different types of processing and don't make consent a precondition of the service. So what I mean by that is if you were ... say you went down to Home base and you were buying a ... No let's say a computer. So you've bought your computer and you're buying the extra guarantee that goes with the computer and there' a tick box there that says as part of the terms of conditions it says, "You consent to us sharing your data with third parties."

Now if sharing that data with third parties is necessary or the fulfillment of that contract, for example, if you need to share it with courier providers, people like that, because you need to actually get it delivered, then that's okay. But if you're tying up your consent as a precondition of the service, then that's not giving people genuine choice and control, it's not freely given and that's not okay under GDPR. Okay?

Now, the ICO guidance on this, they did say that .. and we have had a specific question about this is the group. I'll just mention it while I think about it. The ICO, which is the UK supervisory authority and it is what I mainly talk about. For those of you who are outside the UK but in the EU, then you might very well have a different supervisory authority, but in the main I'm focusing on the ICO. They accept that implied consent in some circumstances, such as dropping a business card into a bucket for a contest or submitting an online survey is okay. So the implied consent there is the act of dropping the business card into the bucket.

Now what you need to do in those circumstances .. the consent there, sorry, is that they are impliedly consenting to you processing their data in order to run that contest by dropping their card in. What they go on to say is that the consent would not extend to using the details for marketing or other purposes. What my question is the ICO and my thoughts on that is if you had a really clear sign that said that by entering into this contest we are going to be sending you details of ... follow up emails, follow up emails about goods and services that might interest you, then would that be okay under, for example, legitimate interest. Because you've got that big sign there telling them that's what you're going to do and they'd have the right to opt-out. You could have a notice saying, "If you don't want us to do this, fill in this form here," and get them to do that if you're actually there at a conference or something like that.

However, in saying that, best practice is get a tick box wherever you can. Get people, if they're submitting a form, get them to sign it at the bottom. Best practice is to put things beyond doubt and have that tick box or that signature. Me though, being a bit of a risk taker, I might be tempted to go for legitimate interest, but that's just me.

Just wanted to make the point about sensitive data. If you're processing sensitive data, there's an even higher standard of consent for that. And that's data that consists of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation. That requires explicit consent and the guidance on how you get explicit consent is that you have a signed statement or a double opt-in. They're just two examples of how you would get that.

So in my pack for example, for therapists who need to obtain sensitive data at the point of maybe the first consultation where you asked them to fill in a form, then there is a data ... sorry, there's a privacy notice for that deals with sensitive data, that gets them to sign the bottom of the form but refers them to the privacy notice overleaf. Do be conscious if you're processing sensitive data, the additional level of consent for that.

Okay. So, other things to note about consent are you need to keep a record of that consent. Now, this is important because obviously if you're ever challenged or if the ICO come and investigate, you want to be able to point to the consent that you've taken. Now there's no guidance on what that records of consent should look like. I think, and I use Infusionsoft, that captures the name and address of the person, what they're opting in for, the date that they did it and the time that they did it. And obviously, if they opt-out, it records all that as well. Now for me, that is sufficient. I've got enough records there to show that somebody has consented to the processing of their data for that particular purpose.

It would also be a good to do is to make a note somewhere of the form of privacy notice that you have between certain time periods so that you know exactly ... you know, someone opted into your list two years ago so if GDPR in force, say we're two years in future and they opted in for your list two years before that, you can look back and see which version of your privacy notice you had in place so that you know exactly what you've told them about what you're going to be doing with that data. So they're the kind of records that you need to be thinking about in terms of recording the consent that you have.

Refreshing consent. So this is a big ...in fact I'm going ... I'm reluctant to ask questions because there's so many of you. I don't think I'm even getting any questions through now. They seemed to have stopped for a while. But, does that all make sense so far guys? I'm now worried about a deluge of 'yes's or 'no's or whatever. But I don't like to just talk for two hours and not ask you questions and not engage. Do let me know if that all makes sense.

Okay. Good, alright, and I've just realized I've been looking at my chat box the wrong way, so that's awesome. Okay so now I can see more up-to-date questions. Good, good. I'm getting there. Okay, yes the pack includes a data breach notification procedure. You don't need to have consent if you've got legitimate interest. They're two separate grounds of processing, okay? So step one; are you processing personal data? Step two; what's your lawful grounds of processing? Consent and legitimate interest are just two of those. There's also contractual grounds as well and a couple of others that aren't really relevant to us. But the main ones as marketers that we're thinking about; consent and legitimate interest grounds. You don't need them both. You need one or the other. Legitimate interest is a gray area. If you're not brilliant at taking risks, you might not want to do that. You might want to play safe and get consent because that puts it beyond doubt. Hopefully that clarifies that.

How'd you get the pack? It's in the pinned post and I'll tell you more about that later. Yes, absolutely keep copies each time you update the privacy policy. So keep in a file the policy that you have at that time and at the top of it just make a note the date that it's been operational. And then when you replace it or update it because maybe you're doing something else with the data, you'll know what privacy policy was in place at that time.

Okay, alright, so I can't see any specific questions about what I've mentioned. There's lots of other questions about other stuff, but I think I'm going to cover that as we go on. So let's talk about whether you need fresh consent because this is a question that I've been asked a lot. Now, the answer to it is if you have GDPR compliant consent at the moment, then you don't need to go and get fresh consent. But, in my view, not very many people are going to have GDPR compliant consent because what that means is that you have not used pre-ticked check boxes, you've had those granular tick boxes that I've been talking about. That you've had a privacy notice that's told them everything that they need to know at the point of sign up. That you've kept accurate records of how they opted in and when, et cetera. You have ... and all of the other stuff that I talked about before.

So if you have, for some reason, already obtained that higher level of consent, and in the pack there is an ICO checklist that walks you through the things you need to be looking at to determine whether you have a GDPR standard of consent. If you do; great, you don't have to go back out to your list, but I imagine, as I say, that the vast majority of people are not going to have consent to that level.

So, we want to get our lists to re-opt-in. The first question to ask yourself is who needs to re-opt-in? Because it's probably not going to be everyone. Customers, I'd look at your existing customers. Now, there are certain emails that I'm sure you're going to need to send them that are not marketing emails so you need to make sure they're still getting those types of emails that they're contractually due to get. But even on the marketing side, my view is with customers is quite strongly that you would be able to rely on legitimate interest in that instance.

You also need to think about PECR, which is Privacy of Electronics Communications Regulations. And what PECR says is that you can't send unsolicited direct marketing to individuals. You can send them to limited companies. Individuals includes just consumers, individuals, but also sole traders and partnerships. So you can send unsolicited direct marketing emails under PECR to limited companies. You can't to individuals unless you've got their prior consent or the soft opt-in rule applies.

Now this is PECR, which works in tandem with GDPR. You need to have a mind to both things here. Now with the soft opt-in rule, what that says is that if somebody has previously bought a product or service from you and you're emailing them about a similar product or service and at the time that you collected their details you informed them of their right to opt-out and you have in every subsequent communication given them the right to opt-out, which you would typically. You know, it's on the footer of all our emails isn't it? If we're using a big email service provider. Then that soft opt-in rule means that you can send marketing emails to individuals without their consent. Those two things combined make me feel pretty confident that I can rely on the ground of processing of legitimate interest for my existing customers and I don't have to go and get the fresh consent of my customers for marketing.

Now if you are sending them an email that is completely different to what they've already bought from you, then I don't think that that would be okay. Alright? But if you're emailing them about stuff very similar to what they've already bought and you have reasonable grounds to believe they'd be interested in it then my personal view is legitimate interest would suffice and you could continue to market to them without asking them to re-opt-in. Remember, always carry out you're legitimate interest assessment form that's in the pack and keep it on record. But that's my view.

But if you do need to go back out to your list and get that fresh consent, then you need to do that by the 25 of May, because if you don't then on the 25th of May you will no longer have a grounds of lawful processing for sending those marketing emails to those prospects and you will have to cease that processing or you will be in breach of GDPR.

So what I would suggest you do right now, well not right now because you're listening to me on this webinar right now, but in the next week or so, because we've only got just over a month now until GDPR comes into force, is think about how you are going the get those opt-ins. Now don't just send an email out of the blue that says, "Hi, due to new European data protection regulations we have to get to opt-in again so please click here," because chances are you're going to lose a lot of your list that way. Loads of these emails are going out to people at the moment and if you're not making it enticing for people to actually take some action and opt-in, then you are going to lose half your list.

So please do go and watch the interview that I did with Karen Skidmore on re-engagement campaigns in the group, that'll give you some ideas as to how you can get people re-engaged before you send them that email, and get them really excited about the content you are going to be sending to them over the next few months, years, whatever. And now the email that you send to them, you need to send a link to your new privacy policy, so make sure that you've ... Sorry, privacy notice. Make sure that you've done that by the time that you send this email out, and it will take you a bit of time to prepare your privacy notice because you need to, before you do your privacy notice, you need to have done your data inventory, which is in the pack as well, and that just gives you a real overview as to what data you're actually holding, where it came from, what you're doing with it, and all of that will inform your privacy notice. You need to know that to be able to put together your privacy notice, okay? So don't just send a willy nilly email out saying "Please re-consent." Because you won't have done the job properly.

I'd say the email, the legal wording of the email that you need to send is also in the pack. Okay, so you can go and check that out but do put some enticing marketing speak around the legal words so that people are really excited about opting in.

Very interestingly, there was a bit of a discussion in my group yesterday about this exercise of getting people to re-opt-in and someone had asked the question about "Can you incentivize people to opt-in?" And my view, and you can go and watch that video, I'm not going to go into the detail of that here, but in my view if you are offering, say, a 10% discount off your next order if you opt-in to receive newsletters or things like that, then in my view that does not go against the guidance about consent not being freely given. If you penalize somebody, okay, for me is just that ... For me, that incentive is fine but go check out the post and watch the video for any discussions that you want to have around that.

Now, interestingly ... This is the interesting point. So the person that was having a very restrictive view of the interpretation of 'freely given', and who was saying in his view you couldn't incentivize people to opt-in, mentioned Manchester United who are doing a brilliant job of a re-engagement campaign and opting people in. They've spent a lot of time and money on it, now obviously we don't have the budgets of Manchester United, but we can certainly learn things from them. And, interestingly, what they did was that they had an 'opt-in' and an 'opt-out' box, and actually I've seen a couple of examples of this now. And actually I looked into this and psychology says that if you give people a either 'do nothing' or 'take some action' decision, they will err towards doing nothing. So if you send them an email saying "Click here to opt-in or if you do nothing we'll have to take you off the list." Then they'll, in all possibility, do nothing because that's the decision making process that they probably haven't got time to do, et cetera.

Whereas if you send them an email that says a 'yes' and a 'no', that prompts the mind to think "Oh, crikey. I've got to make a decision." Now in reality, if they did nothing. If they didn't click 'yes' and didn't click 'no' then that would be an opt-out, because you wouldn't be able to process that lawfully after the 25th of May. But psychologically, giving people the option of a 'yes' and a 'no', statistically, and unfortunately I can't share the statistics with you. Maybe I'll dig it out and post it in the group. But statistically, people are much more likely to tick a 'yes' if you've got a 'yes' and a 'no' option. So you might want to think about incorporating that into your email that is getting re-consent.

So some people have said, "Do I only get one bite at the cherry at this? If I send out my one email and they don't do anything, do I have to take them off my list?" The answer is 'no'. Before the 25th of May, you can have as many emails as you like about asking them to opt-in. Now, of course, if you do that in a way that's going to really piss people off, then they're not going to opt-in anyway. So you've got to do it in a really creative, imaginative, fun, whatever way is going to work best for your audience. But you don't just have to do it once, you can have a sequence of emails that are guiding people through it. Obviously if they have actually ticked that box and said "Yes, I want to opt-in." Don't keep harassing them with your sequence of emails about "Do you want to opt-in or not?" Because that's the quickest way to get them to opt-out.

But think creatively about how you can do that because otherwise, you know, we do risk losing loads of people off our email list, which, after working so hard and spending so much money on building them, is not an ideal position to be in.

Yeah, so don't forget to add the privacy notice actually, saying it in the text of that email, "Here is our new privacy policy" in terms of, "Your data protection is really important to us." Use that competitive advantage. "And we've spent a long time putting together a privacy notice that's going to tell you exactly what you need to know about how we're using your data, linked to the privacy policy." And then you obviously need to obtain your consent from that email as well. Yes. So send the email before the 25th of May, if no reply you can keep asking up until the 25th of May but don't piss people off, and then at the 25th of May, if they've not replied at that point, you have to opt them out of marketing. You don't need to completely delete their record, but you do need to opt them out of the marketing. Okay, I think that's all I need to tell you about that.

Let me see, if there's any questions about that. So Ann says, "Can we assume that if they opt-in for a lead magnet, that it is consent to receive further emails from us or do we need to be explicit about it?"

Okay, well this was one of the examples on my slides that you now can't see that I was going to deal with, because this is a very common question as well, which is, the lead magnet. You have your email box saying, "Sign up for my" ... we'll use, my free checklist as an example. "Sign up for my free checklist." And obviously what I want to do, the reason that I have spent many, many hours, if not days, putting that checklist together is because I want to be able to tell you about other stuff that I'm doing and if you want to buy my pack, that's great. If you don't want to then I hope I provided you with value anyway. But in the very least, I would like the opportunity to be able to tell you about that. And of course that's what we all do, that's what we all hope happen. We're not in the business of just giving away free content and not making any money.

So what do we need to do? Okay, so there's a few things to think about. So at the point where you have your email sign up box, your opt-in form, you need to have a link to your privacy policy there. So you would have words that say something like, and this is all the wording to this is in the pack, but it would be something like, "We will protect your data in accordance with our" ... "We will protect and use your data in accordance with our privacy notice." And then link through to the privacy notice. That's got to be at the point of sign up. At the moment it's arguable that it's okay to be on somewhere on your website, okay? So a lot of people have it on the footers, and that's arguably okay at the moment. But I think with GDPR you have to be really transparent and upfront so that privacy notice link needs to be right at the point of sign up. Okay, that's the first thing.

Now, I've argued this in the group and it's not black and white, it's a gray area, so I'm going to tell you the 'absolutely okay' position and then I'm going to tell you the 'what I think you might be able to get away with' position, okay? And the backdrop to all of this, of course, is that there is not a fast data protection police force going round that are going to be checking everybody's, you know, every single opt-in form, every single ... They're just not going to do it, are they, they're not going to go round and check everything. You're only ever going to come to people's attention if a customer complaints or there's a competitor or some vindictive person that wants to trip you up. But, that could cause a bit of worry. So definitely, to put it beyond doubt, what you need to do is have a tick box, under your opt-in. Now obviously you've got the implied consent to send them the lead magnet, okay, so I've got the implied consent to send people my checklist because otherwise they wouldn't have given me their email address. So I've got that.

Now, best practice, putting it beyond doubt, you would have a tick box underneath that that says, "By ticking here, I agree that I would also like to receive your follow-up emails about goods and services that I might be interested in." Or you could rephrase that and say things like, "I'd also like to receive further value added emails about this subject together with details about your goods and services." And have a tick box. Now some might even say that that's bundling consent. So in that case, if you want to be really, really super above board about everything, you could have two tick boxes there. One is the, "Yes I'd like to receive your follow up value sequence." And the other is, "Yes, I'd like to receive details about goods and services."

I think, my own view is, it would be fine to put those together. And I'd even go one step further and say that there is an argument that ... There is an argument that legitimate interest could be used as a ground to send them follow up marketing, if it is absolutely specific to what that lead magnet is all about. But you'd have to do your legitimate interest assessment form very carefully and you would have to make sure that you're adding a lot of value. You're just minimizing the risk of complaints basically, okay, because I suspect ... you know, look. If the ICO came and investigated that, there's no risk, in my view, there's no risk of you getting fined for that at all. But you just don't want the worry do you?

So, you want to be above board? Use your tick boxes. If you want to be a bit more of a risk taker then, in my view, rely on legitimate interest and fill in your legitimate interest assessment form and say why you think that people will expect to receive those follow up emails. You might say, look, it's completely ... In the industry that you're in, it's completely normal and usual for people to receive follow up emails for that lead magnet. So that's the kind of thing that you'd need to have on record, there's minimal impact to the privacy of the people that you're going to be marketing to. You should also pay attention to the frequency that you're marketing to them, so if you've got a really heavy hitting campaign where you're emailing them twice a day, that's not as likely to be as acceptable as it is if you're email them maybe once a week, something like that, about that particular opt-in. And obviously you'll always give them the right to opt-out.

So in terms of the impact to the individual, it's not huge is it? At the very ... you know, what do they do? They opt-out. If they don't want that chain of emails, opt-out. It only then becomes a problem if they've opted out and they're still getting the emails, they've opted out five times and emailed you and they're still getting the emails. That is the point where things are going to escalate. So it really does depend on your approach to risk on this, but I just wanted to outline those two positions for you. There's the 'belt and braces, put it beyond doubt, get the tick boxes in there' or there's the 'legitimate interest ground' which is arguable. Okay? Hope that makes sense.

Let me see what else we're talking about here. Okay. All right. So I'm going to come on to some, just conscious of time, so I'm going to come on to some specific examples of marketing questions that I have been asked. Cold emailing, cold calling, cold posting, whatever you like. What about prospecting? Are we still okay to email people, you know, maybe you've found some people in a database or however you found them. Maybe you've, I don’t know, even seen a list of names at an event that you've been at and you think that they might be interested in your products and services. Are you okay just randomly reaching out to them and emailing them. That's what I call prospecting.

There's two things at play here again, in prospecting, the first is GDPR. The second is PECR, the Privacy and Electronic Communications Regulations. Now, just to say actually, for those of you who are outside of the EU, PECR does not apply to you at the moment. But it probably will next year. So PECR at the moment, the scope is just people within the EU.

So, GDPR and PECR affect this. Now, GDPR the first question is, "Are you processing personal data?" Well, yes you are because you can identify that person from their name in that email address. Actually, I'm come on in a minute because sometimes there's a case ... So, actually that's the point. If you've got to be able to identify them from their email address. If you're sending an email that you've just got off a contact form of a website or something like that, and it's 'info@' whatever, then that is not personal data. It's not caught by PECR and you can quite merrily send as many of those emails as you like. Okay? So the 'sales@' such a company, 'info@' such a company, okay, that's fine. Because it's not personal data.

Now if you are using email addresses that have personal data within them, it's got their name in it and you know their full name that goes with that email address, then you need to look at what is the lawful ground of processing. Now you're going to be emailing them before you've got consent, okay, so consent isn't going to be a ground here.

So the question is, "Can you rely on legitimate interest in order to process that data and email those people?" Now, as I said, it's a gray area. You need to do the balancing test. Are those people going to be adversely impacted if you use the data in that way? Now if you, in my view, if you were to reach out to that person and introduce yourself and say, "Hi, I'm Suzanne. I'm a lawyer teaching people about how to comply with GDPR. And if that's something of interest to you then click here." Or, "let me know" or however you want to do it. But it's really an introductory email before you launch into the direct marketing, then arguably that is not a direct marketing email in the first place, it's more of an introduction email and it's much more likely that legitimate interest would apply as a lawful ground of processing.

And plus, it's just a much better way to do things, isn't it? You know. It's gonna lead to less complaints if you reach out respectfully to people, make that introduction. Say, "Hi, I've been looking at what you're doing. It seems to me that you'd really benefit from 'X'. If you'd like to talk about it more, let me know." And then maybe send one follow up, that's probably okay. Just, "Hi. Hope you got my email." Because people are busy, at the end of the day. "Hi. Hope you got my email. Just let me know either way. No worries."

Now that of course is a completely different scenario to people who just start sending you full on email, you know, hard hitting emails about marketing emails from day one. Which is just annoying. Just always envisage yourself on the other end of that marketing, and if you're cool with it then chances are most other people are going to be too. So that would be my view. You know, yes. For B2B, if you're not using personal data. If there's no personal data involved in the email address, then yeah you can carry on sending your brochures and whatever else you're doing. But if personal data comes into it, then GDPR applies. PECR, actually just a tweak on that, is that you can't send unsolicited direct marketing emails to individuals and individuals, as I might have said before, includes sole traders and partnerships. Okay?

So, even if ... actually under PECR, even if you had a email that was info at whatever it is. Now if they're a sole trader or a partnership then you need to get their prior consent. But if you know it's a big company, if you're not using personal data, then you're fine carrying on sending those marketing emails and your brochures and everything else. If it's a smaller company and there's a risk that they're a sole trader or a partnership, or if you're using personal data, then you need to think a bit more carefully about it.

Just on cold calling, you can make live unsolicited marketing calls. PECR governs this. But you can't call any number that's registered with the telephone preference service unless the individual has specifically said that they don't object to your calls. So do check the telephone preference service if you're cold calling. Also for corporate subscribers there is an opt-out there, which is the corporate telephone preference service, or CTPS. But GDPR doesn't cover that because if you've just got a phone number and this just maybe a first ... even if you've got a first name, then first name plus a phone number is not, by itself, going to make a person identifiable. With email preference service, PECR doesn't cover that either and you're not required to screen against the mail preference but it's good practice to do so.

Facebook advertising. Let me just see if there's any questions relevant. So Rose says, "How about business emails including a name, eg. johnsmith@business.com. I thought it was personal email/sole trader et cetera which was the issue?" Okay, I think I've explained that now Rose. So, the johnsmith@business.com, the significance of that anyway without regard to whether it's a company or a sole trader or whatever is the fact that that is potentially personal data. If you can identify someone from their name plus the place they work, then that is in itself personal data, and the GDPR comes into play.

PECR is the regulation distinguishes between individuals/sole traders/partnerships on the new hand and limited companies on the other hand.

Tony says, "What are your thoughts on B2B prospecting by post with a name of a director of the only person identified at the registered office address, is that legitimate interests?" Yes. So if you can identify a person from that personal data that you're using. Now interesting, so taking a step back, GDPR only applies to ... let me just read it to you, do want to get this right. The regulation applies to the processing of personal data, wholly or partly by automated means. And to the processing other than by automated means of personal data, which form part of a filing system or are intended to form part of a filing system. So unless you are processing that posting by automated means or there is some part of a filing system involved in it, then arguably that falls outside of the scope of GDPR and the only think you'd need to think about then is PECR, which doesn't cover mailing and then there's just the check of the mail preference service, which is optional but good practice to do it.

Okay, Peter says a question about cold emailing, "I'm a sole trader, I'm clearly in business, I've got no issue about emailed once as an introduction. Why can't I do the same?" Well we have to just follow the law Peter, I'm afraid. I mean, as I say, there's not a vast data protection force around there so ultimately it comes down to are you going to have any complaints from people that you are cold emailing. As I say, if you do it in the right way then chances are you're not going to get any complaints.

Okay, there's so great questions there but I'm just looking at the time and there are other areas that I need to cover so let's hold those. I'll copy all of these comments and then do individual videos on each of these areas, or direct you to the videos that I've already done that answer them.

So I want to talk briefly about Facebook advertising. It is a complex ... well, it seems a complex area actually, but once you understand the real basics of it, it's actually fairly straight forward. What you've got to get your heads around with Facebook is that there is two instances of the data use here. One is where Facebook is the data controller and is deciding what to do with the information, and the majority of GDPR obligations are on the data controller. And the other is where you are data controller and Facebook is the processor.

Now if you're the data controller then you have to have the lawful ground of processing. So where Facebook is the data controller, they have to have the lawful ground to processing. So where that is consent, for example, then Facebook has to have gone out and got that consent. Where you are the data controller, you have to look at your grounds of processing and if you're lawful ground of processing is consent, then you need to have gone out and have got that consent.

Facebook Pixels, for example, that you might have on your website, they are ... Facebook is the controller. We don't actually get to access that data, it just goes straight into Facebook, and Facebook gets consent to the use of those pixels through its own privacy notices. So we can continue to use Facebook Pixels on our website. What we do need to do is update our cookie policy, and that is my pack, and you need to have in there the fact that you are using ... I think there's some guide wording in there, but essentially that that's what you're doing. That you've got these cookies on your sight for the purposes of the Facebook advertising.

And then there's other thing where ... in fact let me just find my list of things where Facebook is the controller. So certainly for look-a-like audiences, for example, we don't get to see that data. That's just data that Facebook has said, "Okay well judging by your interests that you've listed here and the other criteria that you've used, these are people that we think would be interested in seeing the ad." So look-a-like audiences, anything like that, Facebook is the controller and Facebook gets the consent to that through its privacy notices.

Now I actually spent some time the other day looking at their privacy notices and it's actually very clever the way that they've done it because I thought ... I went in and I was thinking ... I can't find it, that's a shame. I had it all printed out. I was thinking, "Okay I'm good. This is great, I'm going to go into Facebook, I'm going turn all the ads off, happy days. I can see more posts from my friends and my family." And you go in and the way that it's expressed it says ... where, effectively, it says, "We're going to send you some adverts." Now they're quite entitled to do that because we're using their platform for free. "However, if you don't want us to use your personal data to target the adverts, so that we can deliver adverts that are of more interest to you, then you can turn it off."

So the targeted advertising, because that's where they're using your data. But it makes absolutely clear that what I'm going to end up with is just a load of nonsense untargeted adverts, and to be perfectly honest if I'm going to get some adverts, I’d rather have them that are targeted. Because a lot of people, I think, were thinking, "Well how is Facebook going to carry on? Because surely most people are going to opt-out of ads?" But actually when you put it in that context, probably the vast majority of people who get as far as going to look at the preference center are going to remain opt-in, because most people would want targeted ads rather than just a chain of completely unrelated ads.

So, where you are the controller ... for example if you're uploading a list of emails into Facebook for the purposes of retargeting or something like that, then you are the data controller and you need to have a lawful ground of processing for doing that. Now, if you've got my pack you'll see that in my privacy policy ... in my privacy notice. Must keep calling it a privacy notice. Someone asked before what's the difference between a privacy policy and a privacy notice. In reality they are used interchangeably but there was a chap in the group who quite rightly said that a privacy policy or a policy is more internal facing and a notice is more outwardly advising people about what you're doing. So I am using the terminology 'privacy notice' going forwards.

So in my privacy notice that I've drafted for you, that is down as legitimate interest, justified like that to you. If you look in the table of what we're doing with your information, one of them is being able to send you targeted adverts about things that we think you'd like. The grounds of processing is legitimate interest. Again, on that, my view is and certainly other lawyers that I have talked to about this is that you will not need to go out and start getting tick boxes for people in order to be able to upload your list for Facebook marketing purposes, which I'm sure is good news to a lot of you.

There is more on Facebook. I'm going to do a separate video about Facebook. For those of you who are concerned, who understand the concept of transferring data outside of the EEA, you have to have an extra level of protection in place if you do that. Facebook is based in the states, they are certified under the privacy shield framework, so that's all good. We can freely transfer data to Facebook, we don't need to put in place the standard contractual terms or any of the safeguards there.

In terms of a processor agreement; you do still need a processor agreement regardless as to whether it's going outside the EEA or not, but with big companies like Facebook, they are going to have their own that they will incorporate into their advertisers terms. So don't be sending your privacy agreement, sorry, your processor agreement to Facebook because they won't be entering into that with you. And that goes the same for people like MailChimp, AWeber, big softwares like that. They've got it all sorted out and the processor agreement will be in their terms of business. There's lots of videos in the group about processes. If this is new to you, then go and check those out. And the processor agreement is in my GDPR pack for those of you who need it and probably the vast majority of you are going to need a processor agreement.

Just very quickly, if you are using a processor to process the personal data that you hold on your data subjects, then you need a processor agreement in place. A processor is someone who processes it under your instruction. So it could be your accountant, your bookkeeper, your payroll provider, your email service provider if they're smaller and don't have their own processor agreement, et cetera. and the obligation is on the controller to put that agreement in place.

Okay, what else do I want to talk about? Lists, purchasing lists. A couple of people have asked my in the group about can we still purchase lists and the answer is yes you can but you just have to be extremely careful about it because you're going to need to be absolutely certain that those emails ... that there was a lawful ground of processing in terms the collection of that data and also the transfer of that data onto you. I'd only be dealing with absolutely reputable companies who are all over GDPR and who know exactly what sign ups they need. I'd be looking at their privacy notices to see what they told people at the point of sign up.

Now if they have just scraped company names and emails addresses, then that goes back to the conversation we were having about prospecting before where GDPR and PECR come into play. And you need to think about if it is a bland email like info@johnsmithslimited.com, then yes you can be fairly confident that you can use that data subject to the proviso about it not being a sole trader or a partnership, because then under PECR you would need that prior consent. Just be really ... if you want to use bought in lists or bought in data lists then just be really careful about using them. Ideally I'd have an agreement with the people who were selling it, giving you lots of warrantees about how they collected the data, the fact that GDPR compliant, et cetera. so just be really careful about that.

Okay, I'll just have a quick look at the question box here. Yes, so Victoria's asking about new purposes. Yes, absolutely. You only have consent for the purpose that you've told people about. So if you start a whole new thing or it's a new purpose or a new processing, then you need to advise people of that and get their consent. So you would again send then an email and ask them if they would like to know more about it and get them to opt-in that way.

Cloud products like Dropbox; can we assume they're keeping data safe? I don't think you can assume it. There is a spreadsheet in the group, if you look in the file section, people have been updating it when they've got information from some of the big software providers and cloud providers as to their responses about whether they are GDPR compliant and whether they're in the privacy shield, et cetera. so go and have a check at that. There's been lots of talk in the group about Dropbox, so if you go in and just search 'Dropbox' in the search box in the group then lots will come up on that.

Adam, the privacy shield has been confirmed as adequate. It's currently being challenged by Ireland, so we're keeping a watching brief of that. But at the moment it's okay. So Martin asked a good question about look-a-like audiences to Facebook. He says, "Do you upload an email list for that?" Yeah, so, the email list that you upload in order for look-a-like audiences to be formed, the email list that you upload, you are the controller of that data. You need to have a lawful ground of processing for that. So you need to have got consent ... not consent, you need to have had the lawful ground for that and as i said in my privacy notice, that ground is legitimate interest. When Facebook work their magic and then decide who ... they create that look-a-like audience that's from their own data and they are the data controller in relation to that and they have to have their own lawful ground of processing for that.

Mike's saying, "Surely explicit consent is required from our customer in order for them to be re-targeted?" As I say, I have spoken to a number of lawyers about this point. My view is that they don't, that legitimately you can rely on legitimate interest. If you personally feel that that's too much of a risk for you then by all means go and have your tick boxes and get consent.

Okay, there's too many questions there to go through and it's hard to see because it keeps moving. Now what else do I want to talk about? Leads from marketing companies; again that might be a similar thing to purchasing lists but again what you need ... and actually a point I didn't raise when talking about purchasing lists was in your privacy notice you need to explain where your data has come from. And if you look at my privacy notice you'll see, I think it's section three, talks about where we've got people's data from. And if it comes from third parties, you need to be clear about where that's come from.

In your privacy notice you'd say if you've got leads from a marketing company or if it's from a list, you'd say that, and then you need to, obviously again, with leads from marketing companies, similar principles, you need to make sure they've got lawful grounds of processing for the collection and use of that data and then transferring onto you.

Alright, so I think unless you're going to be crying out, I think I've covered most areas that I wanted to cover. Contact forms on the website, actually I'll just touch on that. I think I've done it in the group, but just to include it in here for the sake of completeness. If you've got a contact form on your website and people are in actively emailing you and saying can you send me this or I'm interested in 'x' or whatever, then your lawful ground of processing for that is legitimate interest, okay? So you don't need to worry about getting their consent replied back to them. By them emailing you, pretty self-evident they would like response from you.

What you can't do is just because they have emailed you about something, you can't just then pop them on you mailing list. You'd need to get them to ... you'd either decide if it's a legitimate interest ground, maybe because they've asked about something specific and in the course of that conversation you said, "Oh well, I'll send you some emails about that," and you put them into a specific sequence and you've got that aural consent. Now aural consent is actually fine if you're maybe talking to someone over the phone. You need to make a record of it after the event. Emails back and forth, then obviously you've got that record of consent on the email. You probably want to keep it somewhere more easily accessible than the email and so I'd start a separate spreadsheet and record it there.

So contact forms, you can very much reply, just then don't think that that's carte blanche to be able to start marketing to them, okay? Alright, so I'm conscious that we're at 2 o'clock. Can I go on longer? Let me just look at my diary? I'm always happy to go on as long as we need. Oh no I can't, I'm afraid I've got a call right now. So, what I'll do is I will take a copy of the questions that have been put in the group. I just want to remind you that my ... if you do need any of the documents that I've been talking about in terms of the privacy notice, the cookie policy, the processor agreement. If you need some helpful, some checklists, like a marketing checklist, the consent checklist, the legitimate interest assessment form.

If you have any employees then do watch the video of GDPR and employees in the group and also in the pack there is an employee checklist and documents that you need to have for the employee side of things. That is a really big side of it and one that I feel we don't talk about enough. So if you do have employees then please do go and have look at that because there's things you're going to be needing to be doing there right now as well in the context of employees. You can't wait until the day before the 25th, you need to get that sorted out now.

And so, the pack at the moment is 147 pounds. It's going up to 197 pounds on the 25th of April, which is a month before GDPR comes into force. It incentivizes people to actually take action now and not leave it to the 11th hour. And yeah, I think that's going to be it for now so my huge apologies everybody for the technical problems at the start of this webinar. Very frustrating for everybody. I will look to run another version of this webinar in the not too distant future, and we'll have a tech person standing right here to sort me out. I'll pop the slides in the group anyway. I'll probably do a rerun of this webinar. I'm going to copy all your questions from the chat box here and I'll look through them. If I haven't addressed them in previous videos I'll make sure I do some videos on those.

But for now, that is all I'm going to say. I hope that's been useful for you. Continue to ask brilliant questions in the group, although please not the same ones all the time. Just please go and read the pinned post, you get the answers there. Thanks again for sharing it, we've still got a huge backlog of people trying to get into the group. But thank you for just being incredibly engaged. I still get huge amounts of pleasure from it, because I was a lawyer it's very rare that people are often this excited about things. So thank you all for playing your part in that and I hope that I am providing lots of value to you and making it easier for you to navigate this rather complex regulation that is GDPR. Thank you guys and I'll see you in the group.