With the largest Facebook group currently giving advice on GDPR, business lawyer Suzanne Dibble discusses actionable points for performance marketers to become compliant and to see the GDPR as an opportunity for their business.

To start off with, could you tell us a bit about your role and work you’ve done so far around data protection?   

Suzanne Dibble: As a 20-year qualified, multi-award winning lawyer, I have worked with businesses at both ends of the spectrum – multi-nationals and micro-businesses. I was voted runner-up in the Solicitor of the Year Awards for my work with Virgin on their data protection compliance. I am currently consulting with multi-nationals on their data protection efforts to become GDPR compliant. But where my passion lies is in helping small business owners to navigate the complex GDPR, as they are often not able to access traditional legal services on a one-to-one consultancy basis due to budgetary constraints.  

GDPR is under a month away. Why is it so important for businesses to get this right for their practice?  

SD: GDPR and the increased fines signify the importance of data protection. Of course, we have existing data protection laws, but they are being updated to reflect the advanced ways we process data and the increasing value of data. The Economist stated that data is now the most valuable asset in the world.

GDPR brings much more substantial fines and gives enforcers more investigative authority, and there is the risk of civil actions from people whose data you hold. Saying that, those fines will be reserved for the most serious non-compliance. The real concern to small businesses is sleepless nights worrying about whether they will be investigated or sued and brand damage.

You currently run a GDPR Facebook group, offering advice and tips to small business owners on the legislation. What have been some of the standout concerns from those within the group in regards to GDPR and how have they been dealt with?  

SD: I set up my Facebook group to help small business owners as I was frustrated at the misinformation being shared in the small business community and the scaremongering headlines of the €20m fines. We now have over 20,000 members and are the largest GDPR group on Facebook and I am providing members with a sensible, balanced approach to GDPR compliance.

The main questions have been around whether businesses need to obtain fresh consent for marketing, use of lead magnets, advertising on Facebook, use of special category data, the content of privacy notices, transfers of data outside of the EEA and what agreements you need to put in place with processors. I post daily videos on these areas with practical examples for businesses to see GDPR applied in a practical context. I’m not sure the EU legislators even know what a lead magnet is…

In the performance marketing industry, there have been a number of people approaching GDPR either through consent, legitimate interest or data handling. For those in the industry who are still undecided on their approach, what actionable points can you suggest to give them some peace of mind and prepare for the regulation?  

SD: If you are marketing to existing customers, then my view is to rely on a legitimate interests ground of processing and the soft opt-in under the Privacy and Electronic Communications Regulation [PECR]. This will mean that you send your existing customers your new privacy policy and inform them of their right to opt out.

For prospects [not customers], then in my view, the safest thing to do is to process on the grounds of consent.

If you already have a GDPR Standard of Consent, fresh consent is not necessary. However, in my view, most businesses are not likely to have this higher standard of consent in place and will need to obtain fresh consent.

Saying that, there’s no vast data protection police force checking every element of your operations; there will, however, be customers who are happy to lodge complaints with authorities should they think their personal data may be compromised, and customers are becoming a lot savvier in this area.

A recent study found that half of UK consumers have yet to receive opt-in GDPR emails from brands. What tips can you share for businesses who are ‘re-permissioning’ their mailing lists in order to target audiences appropriately?  

SD: Firstly, get those emails out before the GDPR enforcement deadline [May 25] ideally as part of a re-engagement campaign that will excite your prospects about opting into your marketing. You don’t just have one bite at the cherry and can request consent as many times as you like before the deadline, but obviously, don’t annoy people or they will be even less likely to opt-in.

Psychologically, people are more likely to take action where they have a choice between two options rather than a choice between making a decision or not making a decision, so you may want to consider asking people to click on either an opt-in or an unsubscribe button rather than presenting them with just an opt-in. Saying that, if they took no action at all then after May 25 you would need to opt them out of marketing [and delete their data if you had no legal ground to store it].

There have been so many questions about GDPR but overall should businesses see this as an opportunity?  

SD: Absolutely! As you’re going through the process of re-permissioning people on your list [asking them to opt-in or opt-out], you might feel like you’re losing contacts. In reality, you’re not losing anyone who was truly interested in your brand to start with. A small, focused list of engaged individuals is always better than a watered-down group of disinterested people who will never buy from you.

Additionally, the new regulations will give small businesses brilliant opportunities to create touchpoints with the existing members of their list, to demonstrate an interest in protecting personal data. This is a fabulous way to build trust in your brand—particularly with all the news about data breaches that consumers are bombarded with every day.