The EU's General Data Protection Regulations (GDPR) came into effect this summer and associations are concerned about which marketing materials they can and cannot send to members, prospects, and exhibitors.
There are two key things to keep in mind when considering the processing of personal data for marketing purposes:
First, associations do not always need consent to send information if it can be proven that it is a "Legitimate Interest" or is required to deliver "Contracted" services, and second, the GDPR states in recital 47 that direct marketing can be considered a "Legitimate Interest".
According to the GDPR, a legal basis for processing (using) personal data must exist. While most organizations are focused on "Consent”, the GDPR text provides several categories for legal basis. For marketing meetings and services to members and prospects, "Contracted" obligation and "Legitimate Interest" are key.
Associations can start by asking questions like:
What benefits were members expecting when they agreed to become a paid member of this association?
Did members join so they can market their products at the annual meeting or do they join because they want access to the wealth of information gained through membership?
What communications may be directly linked to the fulfillment of these expectations?
What is the impact on the recipient if this information is sent to them?
Answers should be documented to demonstrate the methodical approach for selecting "Contracted" obligation as the legal basis for processing personal data, and sending information to members and interested parties.
The GDPR recognizes that direct marketing may be necessary for growth by stating in recital 47 that it may be used as a "Legitimate Interest." This does not, however, mean it is a free for all. In order to use "Legitimate Interest" as a legal basis, it is necessary to validate that the benefit to the association outweighs any possible risk to recipient.
When using "Contracted" and "Legitimate Interest" as a legal basis, negative impacts should be minimized and recipients should be provided with the ability to opt out of future communications. So who says associations can’t continue direct marketing and remain GDPR compliant? The key is following a process to identify the legal basis and documenting this action for future reference.