The management and use of consumer data is experiencing an influx of regulation globally, with the implementation of Australia’s Notifiable Data Breach (NDB) legislation just last month being no exception.
The European Union’s General Data Protection Regulation (GDPR) that will come into effect in May is set to follow suit. These changes are necessary in more ways than one for the protection of consumers, but they also have far-reaching implications. Data-driven decisions are central to the daily activities and success of marketers, so it’s essential to consider what these changes will mean.
What’s really behind the new data regulation?
Understanding the intentions behind these new regulations is an important place to start when it comes to being compliant. To begin with, marketers don’t own customer data; they borrow it. This personal information is essentially ‘on loan’ from the customer, on the condition that it will be used to provide them with personalised and relevant content that delights them to the point of purchase, rather than leaving them feeling exploited. Unfortunately, one too many brands have broken the trust of the customer by selling email lists, opting customers in for unwanted email communications, and not providing safeguards for consumers to opt out or be forgotten.
While customer exploitation has arguably been the primary catalyst for these changes, the legislation is ultimately there to protect consumers and allow them to have a say in how their data is used. Legislation around these requirements has historically been vague and unregulated in Australia, which is why the NDB is likely to have a significant impact on businesses that haven’t previously employed strict data management and protection policies. While the NDB and GDPR are similar pieces of legislation, GDPR is more stringent and broader in its impact. This is why marketers that are affected by GDPR in Australia ought to aim for compliance with GDPR first, as it effectively guarantees compliance with NDB, too.
How will GDPR impact Australian marketers?
While GDPR was created to protect EU citizens from privacy and data breaches, it will also impact Australian organisations that have an establishment in the EU. For brands, and more specifically marketers, GDPR will change the way we communicate with clients, and how we handle data. It will reduce the risk of personal information being exploited or misused by limiting the amount of data that may be collected by companies, the way it can be used, and the amount of time that it can be stored. With this in mind, Australian marketers need to consider how they can prepare for these changes.
Firstly, the way marketers collect data will shift. GDPR requires that consent is “freely given, specific, informed, and unambiguous”, which means the way in which customers are ‘opted in’ needs to be far more deliberate than it has been previously. The bar will also be raised when it comes to attaining consent across the board. For instance, marketers will not be able to hide consent for data processing with generic statements like “we may process your personal data to improve our services”. Instead, it needs to be clear to customers what data will be processed, how, when and for what purpose.
Secondly, the legislation applies to both new and existing data. This means that marketers need to ensure customer databases are updated with data of customers that are new, current, lapsed, active, or inactive, and that each of those customers has consented to their data being used by the business. Consequently, marketers need to be mindful of how long a customer relationship is considered to be valid, and whether they have the ability to prove this consent. When collecting data and consent, marketers must ensure they capture and store the date and time of consent, method of consent and a referential copy of the sign-up form, including its wording.
Finally, before sending any marketing communication to an existing database, marketers must ensure that all that data is compliant. This includes checking that there are existing consent records that prove marketing had permission to send communication to each individual contact. Not only that, but this permission needs to be explicit across each channel, not just email.
It’s worth being compliant
GDPR will have serious implications in Australia, not least because of its prospective fines for non-compliance of over AU$30 million, or 4 per cent of annual global revenue. However, the intentions of these changes will direct businesses toward the evolution of data protection that ultimately puts consumers back in control of their data. What’s more, companies already obeying existing data protection laws (namely, the NDB) are most likely well on their way to compliance. Marketers will now need to be more creative in the ways they endeavor to reach the customer, while ensuring the customer’s data is protected and marketing activities are consented to. Further to this, GDPR serves as yet another opportunity for optimisation, ensuring marketers are using good quality data effectively and simultaneously protecting customers.
There has been a lot of scaremongering about this legislation but the reality is, GDPR, alongside Australia’s NDB, is nothing more than a way to help consumers reclaim their data. Those that embrace the legislation will see the improvement of their data quality, and with it, the insights that can be gleaned from it. It’s worth taking seriously, for the sake of your customers and your business.
Heath Barlow is market lead for Australasia at Emarsys