We chatted to Elizabeth de Stadler, the founding director of Novation Consulting, about the GDPR and what it means for local marketers.

Between the EU’s General Data Protection Regulation (GDPR) and the Protection of Personal Information Act (POPIA), businesses are bombarded with information about protecting data. So where does this leave your marketing campaigns?

We unpack the impact of the GDPR, how to determine whether it applies to your business, and what you should do if it does.

More about the GDPR

The GDPR came into force on May 25, and will be closely followed by its local cousin, the POPI Act, in the first quarter of 2019. Both the GDPR and the POPI Act are set to dramatically change the way South African organisations do business – especially how personal data is treated and stored.

Why would the GDPR affect digital marketing in South Africa? The GDPR extends well beyond the borders of the EU. The legislation has so-called ‘extraterritorial’ applicability, which means the EU will enforce the GDPR outside its borders. It also prevents European organisations from sending data to other countries unless they are sure that GDPR-equivalent data protection laws are in place. This has a far-reaching impact on global communication and the way countries outside of the EU do business. If you don’t have stringent data management processes in place, and cannot illustrate that you obtained the necessary consents from your audience, you could face severe penalties or lose international business.

In countries like South Africa, where we don’t yet have comprehensive privacy laws, local businesses are being forced to conclude contracts in which they undertake to follow the GDPR. They are also often forced to demonstrate that they are compliant. If they can’t do this, the contract is awarded to someone else. This type of commercial force has been the true sting in the GDPR’s tail for SA companies.

If you use digital marketing you may already be experiencing the GDPR’s reach due to the clampdown on data farming and data management. Tech giants have already made moves to withdraw support for third-party ad serving in Europe, and limit the number of vendors that can measure ad performance on their platforms.

When will the GDPR apply directly to a South African company? This is an important question to answer because the penalties for non-compliance are severe. There are fines of up to twenty million Euros or 4 percent of total global turnover. Yikes!

Four questions to help you determine whether the GDPR applies

  1. Is your organisation incorporated in Europe? If you answered yes, you must comply with all European laws, including the GDPR. If you answered no, you must still answer question three.
  2. Is your organisation active in Europe through a ‘stable arrangement’ in the EU? If you answered yes, the GDPR will apply. This includes instances where a South African business is active in Europe through
    • an agent,
    • a sales office or,
    • a branch in Europe.

    The European Commission will look at factors such as whether the South African company has a website in a European language (other than English), whether it has equipment in Europe, or a European postal address.

    If you answered no, you must still consider question three.

  3. Does your business offer goods or services to individuals while they are in the EU? If the South African business is not established in Europe under questions one and two, the GDPR may still apply. When the European Commission determines whether the GDPR applies, they take factors into account such as:
    • whether these services are offered in an EU language (other than English),
    • whether payment can be made in an EU currency, and
    • whether your marketing material specifically mentions customers located in the EU.

    This does not mean that the GDPR will apply to European citizens while they are in South Africa. So, just because you have European customers doesn’t mean that you must comply. It will depend on whether you are delivering goods or services to individuals while they are in the EU.

  4. Does your business monitor the behaviour of individuals while they are in the EU? If the business does analytics on individuals while they are in the EU to create a profile of them, or to analyse their preferences, behaviour, or attitudes, the GDPR applies.

The GDPR applies; now what?

Your biggest concern will be to determine whether you need the consent of consumers to serve personalised advertising. While marketing via email and SMS requires consent, more specifically an opt-in consent, the digital marketing world falls within a grey area. This, unfortunately, means that there are no hard and fast rules. Whether consent is required will depend on what it is you want to do.

Given how impractical it is to get consent for personalised ad serving, it is important to remember that consent is not the only way to justify personalised advertising. In the EU, many digital marketers use the ‘legitimate interest’ argument where the impact on consumers’ privacy is measured against the interests of the business. Factors such as the level of the targeting (whether you are targeting individuals or clusters), and whether the consumer was notified that their data would be used in targeting, are considered.

Compliance with the GDPR, as with the POPI Act, is all about data management. Without it, you won’t be able to demonstrate that your use of data is, or was, compliant. This means that you must be able to record when, why, and how the information was collected, and that it was only used for the original purpose. This requires sophisticated systems and processes and will challenge your organisation to set up a dedicated infrastructure for data management.