GDPR & INFLUENCER MARKETING
To help us all better understand the incoming changes to data protection law, we spoke to Gemma Lockyer at Kemp Little about the new General Data Protection Regulation (known as the “GDPR”) and the impact this will have on influencer marketing and the wider digital industry.
The GDPR will take effect from May 25th 2018 and will be supplemented by the Data Protection Bill, which updates data protection laws in the UK. The change in data protection law caused panic for many as the impact on businesses was initially unclear. However, if your business was already processing personal data in compliance with the Data Protection Act 1998 the change in law does not need to cause you unnecessary alarm. The GDPR strengthens the principles we already had under the current law and which you should already be complying with, but for some there will be a significant effort required, and fast, to tidy up any current, less impressive practices and to become GDPR compliant.
In this article we wanted to take a look at the ways in which the GDPR will touch influencer marketing, aiming to give you a digestible overview of the regulation whilst making sure we provide industry specific commentary. The influencer marketplace is built on consumers and influencers willingly sharing data to justify value and forge relationships. Whilst this has the potential to include a lot of personal data, being transparent about this is important to stand out in the market and for GDPR compliance. With the GDPR coming in, we expect businesses may be more encouraged to move away from traditional marketing campaigns and look towards an outreach which doesn’t rely on harvesting potential customers’ data. We believe that influencer marketing rides on cultivated audiences who have willingly signed-up to be engaged with, rather than have been unknowingly absorbed into, content and so this transparent way of working shouldn’t be anything to shy away from.
What is the GDPR?
The GDPR is a law brought in to greater protect the privacy of an individual in the European Union, with the aim to hand greater control over to individuals about how their personal data is used. The GDPR will replace the Data Protection Act 1998 and those not compliant with the GDPR face much heftier fines than they would have done under the previous law, potentially up to EUR20m or 4% of global turnover, whichever is higher, which is part of the reason this change in law has caused so much panic. The potential for large financial penalties means that data protection has quickly become a management board issue.
What about Brexit? When the UK leaves the EU the GDPR will be incorporated into UK law under the European Union (Withdrawal) Bill, currently before Parliament. You should keep in mind that any business established within the EU or offering goods or services to EU-based individuals or monitoring EU residents’ behavior will also have to abide by the GDPR.
What does it apply to?
The GDPR applies to anyone who touches personal data. The GDPR applies to personal data. What constitutes personal data is really broad, it includes any information relating to an identified or identifiable individual. It includes the obvious things such as someone’s name but applicable for social media, in particular, it also includes location data and online identifiers.
There are two categories of people who handle personal data under the GDPR: controllers and processors.
Controller – “means the natural or legal person… which, alone or jointly with others, determines the purposes and means of the processing of personal data”. In simpler terms, this is the person who says why and how the data is used and could be a blogger, agency or brand.
Processor – “means a natural or legal person… which processes personal data on behalf of the controller”. This is the person who does something with data under the instruction of the Controller, such as a hosting company.
If you are either of the two, controllers probably being most relevant to you, you will need to comply with the GDPR. Each data controller will have responsibility for the personal data they collect and they will need to make sure they collect this information in a fair and transparent manner. The GDPR includes a requirement to provide certain information to individuals at the time when personal data is collected. You will therefore likely see updates to privacy policies and consent notices to take account of this.
What Do I Need to Consider?
There are various themes under the GDPR for you to consider. We’ve picked five to discuss very briefly here but this isn’t an exhaustive list and some of these are not new:
Principles relating to processing: Personal data must be processed lawfully, fairly and in a transparent manner. It is important that it is collected for a specified, explicit and legitimate purpose and that the data is adequate, relevant and limited to what is necessary. The data must also be processed in a manner that ensures appropriate security of the personal data. If you’re collecting and processing personal data then you need to keep these principles in mind at all times.
Lawful basis for processing: Personal data must only be processed if the processing satisfies one of the five lawful grounds or basis. We expect the following lawful basis will be most relevant for influencer marketing and you will need to consider and document your lawful basis for any data you process: the data subject (the individual the data relates to) has given consent to the processing; the processing is necessary for the performance of a contract with the data subject; or the processing is necessary for the legitimate interests pursued by the controller or by a third party and this does not override the interests or fundamental rights and freedoms of the data subject.
Data subject rights: Under the GDPR, data subjects have enhanced rights, such as: the “right to be forgotten”, the right of access, the right to restrict processing and the right to data portability. If you process personal data you will need to make sure you have the right procedures in place internally to deal with requests made by individuals in relation to these rights.
International transfers: The GDPR restricts the transfer of personal data outside of the EU without proper safeguards in place. This may be relevant where you are working with an international brand or influencer.
Contract requirements: When a processor carries out data processing on behalf of a controller there are specific requirements that must be included in the contract for it to be compliant with the GDPR.
Where influencers use tools, such as Google Analytics, to collect insights on your blog or website you will have needed to notify and collect the necessary cookie consents from your users.
You may have recently received an update from Google letting you know about their new “Data Retention Tool” which has been introduced to ensure compliance with retention policies (you shouldn’t be holding on to data for longer than is necessary and you should have a written policy on how long you will retain data for). We recommend you log in to your Google Analytics Account to check what data retention period has been set and update this, if appropriate.
When brands are deciding which influencer to work with on a campaign, they are likely to look at a variety of statistics, for example: their relevance, authentically grown audiences for individual campaigns, their channel growth and their own USP. All of these help the brand to determine whether an influencer would be suitable for the campaign. Where any of these statistics contain personal data, the influencer will need to have a proper basis for having collected and then sharing this information with a brand.
You will likely have seen lots of businesses going through re-consenting processes for marketing lists. You don’t need to do this and can rely on the consents you’ve already obtained provided that those consents were given in line with the GDPR. This means that when you collected the email addresses for your subscription list, for example, the individual must have opted in and the consent they gave must have been unambiguous and demonstrable (i.e. auditable).
The e-Privacy Regulation is coming into force to change the law around this process but, based on the current draft, broadly keeps the same rules in relation to e-marketing. However, note that in the current draft e-marketing now expands the definition of direct marketing to include communications sent or presented to an individual and not just sent, this would therefore include a targeted ad in a social media website.
In the influencer marketing industry, followers actively sign-up to blogs because they want the updates in the first place and so we don’t think any new consents you might need to collect would cause a huge decline in subscription numbers. Being open and transparent in relation to your use of data will become the norm and you may be able to find a way to do this in a user friendly way which can become your USP.
In advance of the GDPR coming into effect in 6 weeks, we’d advise taking stock of what data you collect and how you use this. Use this as an opportunity to spring clean your data protection practices and make sure you are clued up on the GDPR requirements.