Unless you have been living under a rock, it has been hard to miss the ever-increasing media frenzy surrounding General Data Protection Regulation (GDPR). Although already law, on the 25 May 2018, the life of the marketer will change forever when the GDPR becomes enforceable throughout Europe.
The magnitude of these imminent changes has created a wave of uncertainty, with some marketers panicking about how they’re going to carry on communicating with customers. Others are burying their heads in the sand, trying desperately to delay the need to take action because, quite frankly, they don’t know what to do next.
If one message can be taken from the changes, it is don’t panic, but act now. The GDPR regulations are an evolution, rather than a revolution of the existing Data Protection Act of 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), and long overdue.
So, it doesn’t really matter which camp you sit in. Whether you’re a worrying wreck – or you simply have been living under that rock – there is still plenty of time to prepare for GDPR. The key is to remain calm, get clued up and take these eight incremental steps to get GDPR-ready.
Knowing the basics
You can’t prepare for what you don’t know. So, the first crucial step is to make yourself aware of the key facts surrounding GDPR.
Between now and the enforcement date it is crucial for companies – and their marketing teams/agencies – to change the way ‘personal data’ is obtained, stored and secured, to ensure compliance.
For some, this may only mean a couple of minor tweaks to existing processes. For others, a complete overhaul of data-handling may be required. But whether the necessary actions are major or minor, this isn’t a legislative movement that is going to go away.
What’s more, penalties for non-compliance are very significant, with fines of up to €20m or 4% of global annual turnover for the preceding fiscal year – whichever is the greater!
It’s all in the detail
It may sound as exciting as queuing at the post office, but it is important to know the details of the regulations. This doesn’t mean you need to become the next Harvey Specter, but you do need to understand, for instance, what is meant by ‘personal data’. This includes detail such as:
- Email address
- Mobile phone number
- Bank account details
- Credit card number
- Driver/passport number
- Genetic or biometric data
The legislation covers indirect identification of personal data, as well as direct. This means marketers will need to think about psuedonymisation, which is the practice of keeping pieces of personal information separate which, when combined, could lead to someone being identified, such as a postcode used with a surname.
Consent can no longer be assumed when it comes to communicating with contacts! In practical terms, this means that marketers must explain clearly how they intend to use an individual’s data, and that person’s permission must be obtained at the point of data collection. This will mean the death of confusing opt in/out boxes.
Rolling out such channel-wide updates sounds tough, as does the sourcing of consent and the appropriate next-step action, but this doesn’t need to be the case. Universal rules can be applied via tech, and deep segmentation/bespoke journeys can dictate what people do and don’t receive, making it quite straightforward.
It must be noted that there are some differences when looking at B2B marketing versus B2C. For example, for a B2B contact, or publicly available email address, consent is not required – but they must still be given the option to unsubscribe.
Know your geography
Data protection rules have long been bound by recommendations to store and access information within the EU only. However, this requirement has certainly come into the spotlight as a result of the GDPR hype.
Many marketers think they’ve already ticked this box, especially if they have UK servers or domestic-only operations. But many marketing professionals have overlooked the fact that partners and suppliers often transmit/have access to data.
Take a marketing automation provider and their support team, for example, if that vendor – or their contact centre – is based in the USA, the data is pinging its way back and forth beyond the boundaries of the EU. This cannot be permitted!
If you work for a global company, there are restrictions on what data can be transferred between certain countries, however there are countries that lie outside of the EU that have been approved by the Information Commissioner’s Office (ICO) – these include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Multi-level user permissions
Given that the whole purpose of GDPR is to better protect individuals’ information, it goes without saying that access to this data should be regulated too. From a marketing perspective this should mean creating multi-level user permissions – not only for the comms channel but also according to the topic and subject matter of each channel too.
This sounds like an administrative nightmare (we can almost hear the groans) but the use of technology, such as marketing automation platforms, can make the task much simpler to set-up and regulate!
Strive for a seamless data sync
Marketers will have to work tirelessly to ensure customer and prospect data remains safe and secure.
One of the key ways to do this is to maintain one central source of robust data storage, via a reputable CRM for example. Then, instead of exporting data out of the CRM and importing a spreadsheet back in to a third-party email marketing platform, the two technologies should be seamlessly integrated to ensure a smooth data sync.
Not only will this ensure security – it also removes the headache surrounding the maintenance of data accuracy.
In the eyes of the ICO there are two main players when looking at a company’s data, the data controller and the data processor.
The GDPR has also created a new third role within companies called a Data Protection Officer (DPO). The GDPR states that you must appoint a Data Protection Officer (DPO) if you: are a public authority (except for courts acting in their judicial capacity); carry out large scale systematic monitoring of individuals; or carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The role of the DPO is to maintain compliance with the GDPR and other data protection laws, ensure that the organisation and its employees are trained and comply with GDPR and act as a first point of contact for data processing.
The right to be forgotten
The new GDPR rules provide data subjects with the right to request that their information is erased completely. This is not optional.
But, given the variety of ways data is now inputted, utilised, stored and archived, erasure is often easier said than done. It is therefore important to source a marketing automation platform, or similar, that enables – and evidences – full deletion of a contact. In other words, unlike and unsubscribe, where users may have remained on a database with a marker against them, they now have the right to be removed completely.
In truth, GDPR is a meaty subject, its primary aim is to give end-users more control over their data, what they see and receive, improve security and make steps towards stopping unwanted communications.
For marketers, it may be an initial headache, however, technology – combined with a little bit of preparation – can help solve the majority of problems that the regulations will present. At the end of the day, the regulations will leave you with much cleaner data of users who want to hear from you.
If you are ever unsure, the best way to think of the GDPR rules is to put yourself in the shoes of the users and think to yourself “what would I expect them to do with my data?” if you are:
- being very clear about consent to marketing communications at sign-up
- communicating to only those who have opted in
- sending relevant content
- giving users every opportunity to either unsubscribe or be forgotten
Then it sounds like you are compliant with GDPR – if you answer no to any the above, then stop what you are doing or risk the penalties – it may take just one complaint to start an investigation.
David Aspinall is performance marketing manager at BWP.