How to Stay GDPR Compliant in Your Marketing
Riona Mulherin
12 August 2024

The General Data Protection Regulation (GDPR) made huge waves in the marketing world when it was adopted in 2016 and came into effect on 25 May 2018. GDPR changed how firms handle personal data: any information relating to an identified or identifiable person, whether it identifies them directly (a name or email address) or indirectly (a customer reference or device identifier). Crucially, this covers contact details collected as leads and the methods firms can use to contact their customers directly. Financial advisors handle particularly sensitive personal and financial data, so staying informed and compliant matters all the more.
The Goals of GDPR Are:
- Provide individuals with more control over their personal data.
- Clarify how businesses can use that data.
- Require businesses to allocate more resources to data privacy and take increased responsibility for it.
Key Marketing Responsibilities Under GDPR
Under GDPR there are some important responsibilities which fall under the marketing umbrella for your business. Whether or not you have a dedicated marketing team, you need to be aware of the following:
- Clearly record opt-ins and opt-outs: Make sure your audience knows exactly what they are signing up for. For example, when adding users to a mailing list, record their consent at the point it is given, such as through an explicitly labelled, unticked checkbox on a contact form, and keep a record of who consented, when, how and to what.
- Handle and honour data subject access requests and erasure requests: Have a documented process for them, and note that GDPR normally requires a response within one month of receipt.
- Communicate any data breaches effectively: Where a breach is likely to pose a risk to individuals, the supervisory authority must be notified within 72 hours of the firm becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high.
- Regularly review and update your website's privacy notice and terms & conditions so they reflect what you actually do with the data.
Legal Bases for Processing Data Under GDPR
GDPR sets out six legal bases for processing data. For every processing activity, your business must be able to point to at least one of them:
- Contractual obligations: You are carrying out actions laid out in a contract between the firm and the individual, or steps the individual has asked for before entering into one. Most services a financial advisor carries out will come under this.
- Legal obligations: Similar to the above, as a financial advisor you will often have a legal obligation to process a customer's data as you carry out your services.
- Vital interests: Processing necessary to protect someone's life. This is a very limited basis and will rarely apply to marketing.
- Public interest: Most relevant to public authorities and organisations carrying out public functions, such as governments or utility companies.
- Legitimate interests: The most flexible legal basis, but do not assume it is the most appropriate. You must identify a genuine interest, show the processing is necessary for it, and balance it against the individual's interests and rights; in practice, the processing needs to be something the individual would reasonably expect. For example, if a customer's mortgage deal is coming to an end, contacting them to let them know is something they would expect, and legitimate interests could support it. Bear in mind that individuals have an absolute right to object to direct marketing at any time, whatever basis you rely on.
- Consent: Most direct marketing will require consent, because marketing serves the firm's interests rather than the individual's, so the legitimate-interests balancing test often fails. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you need a documented record of it before contacting people directly, whether by email, SMS or direct mail.
How does this impact your marketing?
Direct marketing involves contacting customers using their personal data, for example by email, telephone or direct mail. Whenever your firm carries out direct marketing, you need clear, documented consent from the individual. A simple way to collect it is a contact form with an unticked checkbox that the person must tick to be added to your list, with the wording next to it stating plainly what they will receive.

Inbound marketing has its own challenges. Although many digital marketing methods, such as social media (paid and organic), do not target individuals directly, you still need to process any information submitted to you correctly. For example, when customers provide identifiable information like their name and contact details through forms, the collection, storage and use of that data must be GDPR-compliant.
Handling Issues and Complaints
If something goes wrong, any individual whose data you hold has the right to lodge a complaint with a supervisory authority, such as the Information Commissioner's Office (ICO) in the UK. The ICO can take enforcement action against a firm that fails to comply with GDPR, and individuals can seek compensation in court if they suffer damage because of non-compliance.

When determining the level of a fine, the supervisory authority considers factors including:
- The nature, gravity and duration of the infringement
- Whether it was intentional or negligent
- The level of cooperation from the firm
- The categories of personal data affected
- How the infringement became known
Actions Financial Advisors Can Take to Stay Compliant:
So, based on what we've gone through so far, what can financial advisors do to stay compliant?

First, we'd recommend reviewing all of your contact forms to make sure they are clear and understandable. Think about it from the customer's point of view: is it obvious what they are signing up for? Remember that under GDPR pre-ticked checkboxes, silence or inactivity do not count as consent, and consent to marketing must be asked for separately rather than bundled into agreeing to your terms or receiving a service.

Your firm should have a process to manage any subject access requests you receive, including requests for erasure. Map all of your internal systems so you know where personal data is stored, why you hold it and that it is all necessary; data you cannot justify keeping should be deleted.

Review your marketing campaigns to make sure any direct marketing only goes to people who have given you consent, and that every message includes a simple way to opt out. If you're unsure whether you hold valid consent for someone, err on the side of caution and do not contact them.

Staff should also be kept up to date on the requirements and best practices, including any changes to the rules. In most financial services businesses, almost every team member will come into contact with personal information at some point, so it is important that they know how to handle it correctly.

Your firm should have a Data Protection Officer (DPO) or a named person responsible for data protection. GDPR only makes a DPO mandatory in certain cases, such as large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data, but every firm needs someone who owns its GDPR processes and acts as the main point of contact if there are any issues.

In short: keep consent forms clear and specific about what the consent covers, have a documented process for access and erasure requests, audit what data you collect and keep so that only necessary and relevant data is retained, train staff on their role in protecting client data, and give one person clear responsibility for GDPR compliance.