Five years of GDPR: a refresher for communication professionals

The GDPR came into effect on May 25, 2018. Five years on, many companies have adapted, and consumers have also become more vigilant. As a result, the number of data breach reports is on the rise and more complaints are getting submitted by people who are dissatisfied with the use of their data.

The General Data Protection Regulation has an impact on communication professionals too. What if I want to contact journalists? How should I respond to a data breach? And when do I need to call on my marketing colleagues to request consent from the target market for a campaign? Jan Clinck and Gerrit Vandendriessche from law firm ALTIUS give us more insight into the legislation.

Jan Clinck, Counsel at ALTIUS: ‘You can’t simply send someone a newsletter. You must either have consent, or you must have a client relationship with that person.’

Can you give us a recap of what GDPR means?

Jan: Essentially, the General Data Protection Regulation (GDPR) is a continuation of former European privacy legislation. That means the rules already existed, but many people or companies were not familiar with them, and in May 2018, they were tightened up. The fines for breaches were increased, and the former privacy commission received a new title, the ‘Data Protection Authority’ (or DPA), as well as more responsibilities. The legislation concerns personal data and essentially promotes its free movement. You may process data as long as you adhere to a few basic principles.

One of the popular misconceptions is, ‘I have to give my consent before a company can do what they want with my personal data.’ That’s incorrect. There has to be a legal basis for processing data. Consent is only one of them. In total, there are six legal bases. That means you could perfectly well process data based on one of the other grounds for processing, such as performing an agreement. For example, an employer must be able to process certain employee data under an employment contract.

When can you process personal data?

Gerrit: Another misconception is that the GDPR is only about privacy. People often think, ‘As long as privacy is not breached, GDPR does not apply.’ However, the GDPR relates in the first place to the processing of personal data, whether or not that has to do with privacy. The GDPR is a regulation that sets out a general framework and is directly applicable in the European Union member states.

However, in terms of e-privacy, there is a directive transposed into Belgian law that sets out rules for everything related to telecommunications. This is extremely specific legislation which, for example, determines that operators must store traffic data from telephone calls and the conditions under which they can be given to a public prosecutor if requested. The use of cookies comes under this too.

The GDPR promotes the free movement of data. You may process data as long as you adhere to the basic principles.
– Jan Clinck, Counsel at ALTIUS

How should the marketing department apply the GDPR?

Jan: In terms of direct marketing, the aforementioned legal basis comes into play. You cannot simply send commercial emails to people. You must either have consent, or you must have a client relationship with that person, meaning that they could expect you to send a particular message.

Gerrit: To obtain valid consent, you have to fulfill a lot of conditions, and those conditions are fairly strict. If you do not fulfill one of the conditions, the consent is not valid, and you cannot process the data. One of the conditions is that the consent must be specific, for example, ‘I give my consent for the processing of my email address for company A to send me a newsletter.’

Gerrit: ‘To obtain valid consent, you must fulfill a lot of conditions. One of the conditions is that the consent must be specific.’

So, if I have received consent from someone to send a monthly newsletter, I cannot use that email address for something else. Is that right?

Gerrit: Exactly. The consent you have received is specific. You cannot change the specified purpose (sending a newsletter) after the fact. This means that you need separate consent for each individual purpose. That makes processing personal data based on consent very challenging. If, for example, you do not agree to a cookie banner on a website, and you want to make it clear what you are giving consent to, you often get a lot of drop-down menus with sub-menus per purpose or provider. That is a consequence of this.

But if you have built a client relationship with someone, direct marketing can be based on legitimate interests in the context of that relationship. Then, consent is not necessary.

What do legitimate interests entail exactly?

Gerrit: Legitimate interests mean that you as a company weigh up whether the purpose for which you want to use the data seems legitimate. This is based on several steps:

  1. Do I have an interest and if so, what is it? This must be a current, legitimate interest, and not: ‘These data might come in handy one day.’
  2. Are the data I need in fact necessary to achieve that purpose?
  3. Do the disadvantages for the data subject outweigh my own legitimate interests? How can I maintain the balance in one way or another with the data subject?

Jan: As long as you as a company can give good reasons, and the interests of the company take precedence over the interests of the data subject, the legal basis of legitimate interests can be invoked. So, if a client has used your products or services, you can for example send a newsletter to that client after the purchase with the reasoning, ‘You had an interest in my products, so I can keep you updated on similar products in which you are also potentially interested.’

If you have built a client relationship with someone, direct marketing can be seen as a legitimate interest rather than consent.
– Gerrit Vandendriessche, Partner at ALTIUS

Are there different rules for B2B or B2C marketing campaigns?

Gerrit: No, the GDPR makes no distinction between whether personal data are used for marketing campaigns for businesses (B2B) or consumers (B2C). The only exception is direct marketing to non-personal email addresses of legal entities, for example, ‘info@…’ email addresses. For advertising by telephone, for example, telemarketing, other rules can sometimes apply too.

What if I am responsible for communications at a company and I have obtained the contact details of a journalist online? I want to send this journalist a press release. Can I?

Jan: Yes, if you are not sending the journalist direct marketing but rather getting in touch with them regarding some news, you can invoke legitimate interests. Particularly, if this journalist has placed their personal data online, the intention behind that is clearly to be contacted.

Gerrit: If you are not advertising and you contact the journalist in a professional capacity due to their profession, you can justify this based on legitimate interests. You cannot of course suddenly send promotional emails to this journalist.

That does not mean that you, as communications manager, can simply do what you want with the journalist’s data. It depends on the case. There are various relevant questions to ask yourself, including:

  • In what capacity are you processing these data? Are you the processor or the controller?
  • What did your client ask of you?
  • What is the aim of processing the data?

Gerrit Vandendriessche, Partner at ALTIUS: ‘In the case of a data breach, you need to make a risk assessment. Is there a risk that the data could be used to commit identity fraud or to steal money?’

Another case: crisis communication. The company I work for had a data breach. What must I, as the communications manager, do?

Gerrit: In a nutshell, you need to conduct a risk assessment. That means you must evaluate whether there is a probable risk that the rights and freedoms of the data subject could be harmed, for example, because there is a risk of identity fraud or because money could be stolen.

If there is a probable risk, you are obliged to inform the Data Protection Authority within 72 hours. If the probable risk is considered to be very high, you must inform the data subjects themselves too. In such a case, there are a number of things you have to communicate, such as:

  • What are the circumstances of the data breach? (How did the data breach occur? Did the data come into the hands of an unauthorized person?)
  • What and how much data is concerned?
  • How many people are affected?
  • What are the consequences for those people?
  • Can the people themselves take measures?

If you are not advertising and you contact a journalist in a professional capacity due to their profession, you can justify this based on legitimate interests.
– Gerrit Vandendriessche, Partner at ALTIUS

Should you also inform other stakeholders in your business?

Jan: In the event of a probable high risk, you must, in any case, inform the authority and the data subjects. Other stakeholders do not, in principle, need to be informed, except in very specific sectors such as telecommunications, energy, air or rail transport, healthcare, and the banking sector.

What if there is no probable risk?

Jan: If there is no probable risk, there is no need to inform anyone. What you must always do, however, is keep a register of all incidents with personal data, irrespective of whether they exhibit a low, normal, or high risk.

Gerrit: Even if, for example, there is no probable risk and you do not have to report the incident, you still have certain obligations, such as taking measures to resolve the data breach and ensuring that something similar does not happen again in the future.

You must keep a register of all incidents. As soon as there is a probable risk that the data could be used for example to commit identity fraud, you must inform the Data Protection Authority.
– Jan Clinck, Counsel at ALTIUS