
Preparing for GDPR has completely changed Lloyds' digital marketing strategy


By Jennifer Faull, Deputy Editor

September 27, 2017

Two years into preparing for the May 2018 GDPR deadline, Lloyds Banking Group has overhauled its CRM strategy across its major brands to focus on ‘how to’ content rather than product marketing.


Lloyds' preparations for GDPR lead to CRM shake-up

For example, in the run-up to Christmas, Lloyds might have previously emailed customers about the latest credit card deals or rewards for opening a new bank account. This year, customers will instead receive information about how to shop safely online or what to do if they realise they’ve been the victim of identity theft.

This shift away from product-focused marketing and towards relevant content came as a direct result of its work to prepare for the new General Data Protection Regulation (GDPR), which began in force over two years ago.

Lloyds is in the minority of businesses to have committed significant resource soon after the directive was announced; unsurprising given the sheer volume of first party data it manages and potentially catastrophic consequences if it finds itself on the receiving end of a fine amounting to 4% of total revenue.

Tackling it head on, it gathered a group of experts who were divided into 11 'workstreams' to manage specific aspects of the directive - such as data privacy, the right to be forgotten, the usage of data, requests for information - and the impact of each across the business.

Anna Hingston, the group’s head of CRM, has been leading a ‘customer and communication’ team, looking at how group-wide marketing will be affected by the changes as well as making customers aware of what the changes mean for them.

“We tend to focus on customer consent with GDPR but there are a lot of other aspects,” she told The Drum.

“The first thing we did was a large-scale piece of research to find out what customers think of [Lloyds'] marketing today. Do they understand how data is used in very simple terms and what the regulation means for the autonomy of individuals?”

According to the research, customers said they trusted the company with their data but wanted the comms to be more relevant and help them deal with things like fraud, identity theft and password protection.

The Information Commissioner’s Office’s (ICO) draft guidance has said organisations "must ask people to actively opt in" and must not "use pre-ticked boxes, opt-out boxes or default settings" and that individuals have the right to withdraw consent at any time. Finally, consent reviews must be a regular process.

And so, Lloyds concluded that if it was going to avoid potentially losing a swath of customers, it needed to overhaul the CRM programme to better reflect what people actually want and need to know from its different banks.

This strategy recently launched with the Lloyds brand and will soon be rolled out with Halifax and the Bank of Scotland.

Hingston said it is now working on further research to understand the effectiveness of the new approach and how it should be tailored to each of the brands.

As the deadline nears, Hingston will also spend the next nine months ensuring that the group’s roster of agencies are equally prepared for the implications of GDPR.

A recent survey found that almost a fifth of marketing and advertising agencies would go out of business if they were to be hit by a fine for non-compliance with the legislation.

Some 70% said they wouldn't be certain of their ability to detect a data breach. Meanwhile, just 37% said they would be equipped to deal with it in the required timescale of three days.

Hingston said that, because Lloyds is a financial company, there are already a lot of compliance hoops that its agencies have to jump through, and so she is confident that come 25 May the transition will be a smooth one.

Digital shop Zone is one such agency it works with. Its director of CRM and data, Gianfranco Cuzziol, said it has embarked on a three-pronged plan to ensure it will be ready.

Firstly, educate – or facilitate the education – of the various client teams to ensure they are aware of the implications of GDPR.

“We do this by running GDPR sessions for our clients and by leveraging our relationship with the Direct Marketing Association to ensure for example that we keep up to date with the latest from the ICO,” he said.

Secondly, take stock of every website, email, app, database, privacy policy that is under a joint remit to understand what needs to be done between now and next year.

“We run audits for our clients to ensure we understand this,” he said.

And finally, ensure that any work being delivered is future proofed for GDPR – whether that be in terms of data collection or how data is to be used.

“Let’s not forget, if we don’t help our clients get this right, we won’t be able to deliver their marketing objectives let alone their business objectives.”
