Electronic direct marketing, or EDM marketing, involves creating a database of subscribers and using both online and offline channels to communicate with specific potential clients. This strategy is designed to cultivate personal connections, generate leads, and increase sales, ultimately building an audience for the company.
The fundamental objective of EDM marketing is to disseminate targeted messaging to the intended audience through a variety of marketing channels, including print, SMS, social media, and primarily email.
Direct marketing focuses on identifying individual targets and promoting or persuading them to request more information about a product or service, which may include additional promotional content beyond just the product or service itself.
GDPR and e-Privacy Regulations
Email marketing and newsletter distribution are essential parts of the internet marketing world. The basic rule that processing is prohibited unless it is authorized also applies to personal data used to send e-mails.
The General Data Protection Regulation (GDPR) permits processing only with the consent of the data subject or where there is another legal justification. The General Data Protection Regulation expressly states in Recital 47 that the processing of personal data for direct marketing purposes is in the legitimate interests of the controller and subject to the law.
The new e-Privacy Regulation, currently under consideration by lawmakers, aims to support, supplement and add to the standards of the GDPR. Its geographic scope is the same as that of the GDPR in that it extends outside the EU to cover data collected from data subjects in EU countries by international organizations. It also applies to any electronic direct marketing.
Businesses receiving direct marketing will be protected under the new regulations in the same way as regular customers. Although not covered by the e-Privacy Regulation, email marketing is subject to the GDPR. GDPR also aligns with penalties and consequences for non-compliance.
When conducting direct marketing communications, the GDPR imposes some basic standards that must be fully complied with:
- Principles of Lawfulness, Fairness, and Transparency,
- Principle of Purpose Limitation,
- Principle of Data Minimization,
- Principle of Accuracy,
- Principle of Storage Limitation,
- Principles of Integrity and Confidentiality,
- Accountability of Controller.
Principles of Lawfulness, Fairness and Transparency
Processing in a lawful, fair, and transparent way means that data subjects are informed about how their personal data is processed, held, used and collected, and are able to make informed decisions about whether to opt in, based on facts. The approach to fully sharing that information is through the Privacy and Cookie Policy.
Information provided to data subjects must comply with the concept of transparency and be concise, clear and easy to understand.
Consent
Consent and legitimate interest are the two most important legal bases of lawfulness.
Obtaining valid consent upfront is a key component of any direct marketing strategy. The new e-Privacy Regulation and GDPR’s enhanced consent rules support stronger requirements and higher hurdles that marketers must clear before consent is granted.
In addition to these more stringent requirements, the consent rules are also expanded to include more technologies, such as social media platforms, instant messaging, webmail, or sending private messages, collectively known as Over-the-Top (or “OTT”) communication services.
In this kind of application, marketers may have previously used implied permission as a way to deliver direct marketing without approval. New requirements include that permission must be freely given, specific, informed, and an unambiguous declaration of the individual's preferences.
Clear and affirmative steps must be taken to indicate consent to the processing of personal data. New accountability requirements, including the ability to prove that a person consented and that the consent is easily distinguishable from other matters, require stronger controls over consent records.
However, there is a “soft opt-in” exemption for obtaining consent to allow an entity to send direct mail marketing if:
1) the recipient’s contact information has been obtained during the sale of goods or services (or, under the e-Privacy Directive, only in connection with negotiating the sale);
2) the company is only promoting its own similar products and services (not those of third parties or group companies); and
3) the recipients have been provided with a simple option to decline or opt out of receiving direct mail marketing when first collecting the recipient’s contact information.
Legitimate Interests
Processing is necessary to further the legitimate interests of the data controller or a third party. Fundamental rights and freedoms of a data subject requiring protection of personal data, especially if that person is a child or minor, override such interests.
According to the GDPR, processing personal data for direct marketing purposes may be justified by legitimate interests.
Right to Object
The data subject shall have the right to object to such processing at any time, irrespective of the original or future processing.
Article 21 of the GDPR states that the right to object to the processing of personal data concerning the data subject for direct marketing purposes exists where the personal data are processed for such purposes. If the data subject has exercised their right to object to processing for such purposes, their personal information will no longer be used for such purposes.
Opt-in consent is not required before sending marketing emails, but the GDPR requires that recipients always have the option to stop receiving emails.
Purpose and Storage Limitation
Purpose limitation refers to the idea that personal information can only be collected and used for specific legal purposes. In accordance with Article 5(1)(c) of the GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In other words, companies should collect only the information they really need and keep it only for as long as they really need it.
Data Minimization
Adhering to the data minimization principle requires determining the minimum personal information necessary to achieve the purpose of data collection and to collect adequate, relevant and essential data. According to the accountability principle, it must be possible to demonstrate that the necessary procedures are in place to ensure that only necessary personal data is collected and stored.
Principles of Accuracy
At a basic level, compliance includes:
- confirm that the pending information is true and not misleading in a way that could harm the data subject;
- strive to keep personal information up to date where practical and appropriate;
- investigate any issues with the accuracy of personal data and, where necessary, correct or delete it; and
- if an error is found, promptly attempt to correct or delete the false data.
Principles of Integrity and Confidentiality
Confidentiality is fundamental to being trusted. In accordance with GDPR principles, controllers and processors must establish appropriate technical and organizational measures to protect the security of personal data. This includes protection against unauthorized or unlawful processing, accidental loss, deletion or damage. When data subjects provide personal information, they have a legitimate expectation of security: that only those individuals with a need have access to that information.
Accountability of Controller and Data Subject Rights
The GDPR provides data subjects with a range of equally important and complex rights. The organization’s data processing operations, including processing activities for marketing purposes, are affected by the exercise of such rights. Despite the fact that marketing obligations often do not include the fulfillment of data subject rights, few do.
The accountability principle requires organizations to take responsibility for what they do with personal data and how they comply with the other principles (Article 5(2) GDPR).
There are two key elements. First, the accountability principle makes it clear that the organization is responsible for complying with the GDPR. Second, organizations must be able to demonstrate their compliance. For this, they must have appropriate technical and organizational measures and records in place to be able to demonstrate their compliance.
Accountability obligations are ongoing. Organizations must review and, where necessary, update the measures they put in place. If they implement a privacy management framework this can help them embed their accountability measures and create a culture of privacy across their organization. Being accountable can help the organization build trust with individuals and may help to mitigate enforcement action.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com