What does the GDPR mean for healthcare IT marketing?

Senior communications manager Rob Benson asks what the General Data Protection Regulation will mean for marketers; and what Highland Marketing is doing to get ready for the GDPR, which comes into force on 25 May.

The General Data Protection Regulation will come into force in May, forcing many in the marketing profession to rethink how they use (and sometimes abuse) people’s data. The regulation, backed up by UK legislation, requires organisations that handle the personal data of EU residents to abide by a set of strict, but fair, criteria.

By creating a consistent approach to data protection across Europe, and introducing ‘company killer’ fines for the worst data breaches, the GDPR aims to embed the principles and practice of privacy by design into all aspects of the modern, data-driven business.

For UK businesses, the regulation provides a timely update to the Data Protection Act 1998, known familiarly as the DPA. If you have been compliant with DPA, then the move to GDPR should not be too onerous.

However, there are a few hoops to jump through. Crucially, if you are processing personal data, you need to identify the lawful basis for your activity. There are six available lawful bases for processing. Most require that processing is ‘necessary’ and reasonable.

You must determine your lawful basis before you begin processing, and then document this decision. Two lawful bases are likely to affect healthcare IT marketers – consent and legitimate interests. But please do note: this is not legal advice, and do seek expert input if you are concerned about GDPR compliance.

Consent is king – to a certain extent

One of the big differences between the DPA and the GDPR is a much-needed change in mindset. As far as the latter is concerned, personal data belongs to the person, not the organisation. An organisation providing a service should have the permission of the people whose data it uses to provide that service.

If this sounds a bit daunting, it is in keeping with what marketing thinker Seth Godin called permission marketing. People are more likely to give you permission to use something of value to them (their personal data) in return for something of value.

Permission marketing supports the idea of more precise marketing, recognising that a lead conversion rate of 50% from an email list of 100 is better than a conversion rate of 5% on a list of 1,000. The number of conversions is the same, but the email with the 50% conversion rate is being ignored by fewer people and is getting a greater rate of engagement.

This targeted approach makes for more effective marketing activity. So, the more consent you have to engage with customers and prospects, the better. And the GDPR sets a high standard for consent.

When asked to give consent to receive marketing messages, citizens will be required to select a positive opt-in, signalling the end of the pre-ticked box. Consent must be freely given, specific, informed and unambiguous. It must also be separate from other terms and conditions, and there must be simple ways for people to withdraw consent.

For many companies that undertake healthcare IT marketing, this may require an update to the privacy policy, and the Information Commissioner’s Office (ICO) has created a useful privacy notice checklist to use. Another option is a preference centre on your website.

Do you have to reconsent your existing database?

This is recognised as a confusing area. Flybe and Honda were fined by the ICO when they asked customers to update their preferences.

But the short answer is “probably not”, if the database in question holds information about existing customers, and any activity with them has been conducted in accordance with present legislation.

Law firm Field Fisher notes that GDPR does not make opt-in consent a mandatory requirement for direct marketing – it acknowledges that marketing can be conducted in reliance on legitimate interests [see below].

It adds that much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in. In these instances, “there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place”.

In this context, it’s worth remembering that another set of regulations, the Privacy and Electronic Communication Regulations 2003 (PECR) still apply. PECR restricts the circumstances in which you can communicate with people using electronic marketing messages.

It will be superseded by the new ePrivacy Regulation, which is due in 2019, and will be another key legislative measure that marketers need to look out for. However, the indications are that it is likely to continue with the approach outlined above.

Hurrah for legitimate interests

While the GDPR has turned a lot of attention on consent, the ‘legitimate interests’ justification is the most flexible lawful basis for processing personal data. ‘Legitimate interest’ is where you use people’s data in ways they would reasonably expect.

Legitimate interests can include commercial interests, and the GDPR itself says direct marketing is a legitimate use of personal information. However, the basis is subject to a three-part test, which is detailed on the ICO’s legitimate interest page, and which organisations will be expected to apply:

  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual’s interests override the legitimate interest?

The Direct Marketing Organisation, which expects many organisations to rely on legitimate interests for data processing, has published excellent guidance on legitimate interests. This includes a template that marketers can use to conduct the test.

Is that it?

Sadly, no. The GDPR will have other implications for marketers. They may need to review how their websites process contact information, how their CRM stores consent information, and whether they are meeting stringent requirements on data security.

Documentation is crucial. Even though SMEs are not expected to be as compliant as larger organisations, there are still requirements around IT security, staff training and data protection awareness. The ICO has created a useful guide on preparing for GDPR: 12 steps to take now.

What is Highland Marketing doing about GDPR?

Highland Marketing is gearing up for the implementation of the GDPR through a detailed piece of work. We are looking at how and where we store personal data, checking who we share it with, and how we let people know what we are doing when we process their information.

We are reviewing the data that we hold to make sure it is processed appropriately and abides by relevant legislation, and that we will be able to respond to further legal changes in the future.

We hold a growing mailing list for our Healthcare Roundup newsletter. People often sign up for this at healthcare IT events, or during sales discussions, and it is possible to opt out at any time.

We also carry out sales acceleration campaigns, where we contact people in relevant roles in NHS organisations to ask about their technology requirements. The basis of this work is legitimate interest, although we also gain consent for communicating in this way.

GDPR is a journey, and there will be areas in which we need to do things differently. But we know that, by complying with GDPR, we are going in the right marketing direction.
