A data audit conducted by W8 data, found that only 25% of existing customer data meets GDPR requirements.

“It’s unsurprising that repermissioning campaigns are rocketing as marketers are waking up to the realisation that much of their data will be useless come May 2018,” Dave Lee, director at W8 Data.

The most important change that comes in from next may is that, permissions must be “opt-in”, with a clear affirmative action required. Consent must be granular and failure to opt out will no longer constitute sufficient consent.

In order to continue using existing data you MUST have a fully documented permission trail, which includes the source of the data and the appropriate level of consent.

Marketing regulation under the GDPR

Marketing under the GDPR (email, post, phone, etc) is regulated like any other data processing activity. What this means is that you have to show that you have a lawful basis under Article 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In many circumstances, it often won’t be.

Whilst there are many restrictions, GDPR acknowledges that direct marketing will often be a “legitimate interest”  (non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR states:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

This means, for example, that if your business wishes to do a campaign about a new product relevant to your customer base, you can often do so in reliance on ‘legitimate interests’ – you generally do not need your customers’ consent about this mailing. You will, however, always need to offer them a specific opt-out (Art 21(2)), about that particular type of outreach i.e. new products.