From 25th May, the General Data Protection Regulation (GDPR) will come into effect. Its goal is to create a standardised ‘best practice’ for the way personal data is handled, providing greater transparency and control to individuals.
Brexit or no Brexit, this will have huge implications for Marketing teams across the UK. All organisations that process personal data and operate within, or sell goods to, the EU are impacted by the GDPR. Any company with customers in Europe will, therefore, need to comply.
If your marketing efforts engage with European customers in any way, you should brush up on the requirements of the GDPR to ensure your firm will be compliant by the implementation deadline. If it is not, the ICO can impose fines of up to €20 million or 4% of your worldwide turnover. In terms of marketing, your top considerations are likely to be the following:
A lot of companies rely on a kind of ‘catch-all’ format for digital and physical forms, where as much data as possible is captured about an individual, ‘just in case’. This is no longer going to be accepted. Marketers are going to have to clearly detail exactly what each piece of data is going to be used for so that individuals are able to provide ‘informed, specific, unambiguous and revocable’ consent.
Under GDPR, your marketing team will only be permitted to collect data that is relevant to the intended collection purpose. Collecting and storing unnecessary data is not acceptable.
Opt-In vs. Opt-Out
Currently, your marketing team can email anyone that has given implied consent for them to do so (also known as a ‘soft opt-in’). For example, a customer might have entered their email address to complete an online purchase, supplied it when registering for an event or given it to a shop assistant to receive a digital receipt.
As of May, you can only contact people that have expressly elected to hear from you, such as individuals that proactively tick a box on your organisation’s website to receive marketing communications. It’s recommended that companies actually use a ‘double opt-in’ system where customers receive a ‘click to confirm’ follow-up email, just to be sure that their data is being appropriately collected.
Organisations are going to have to keep clear records about the consent each client has given, including what exactly the customer agreed to, how consent was given and under what terms. It will be good practice to send reminders to each contact periodically about the consent they have provided and whether they wish to review their choices.
Proving ‘Legitimate Interest’
There is some leeway around consent if you can prove that your customer has a legitimate interest in the information you are sending them. The example provided by the Information Commissioner’s Office includes security issues, such as threats or breaches and fraud prevention. Be aware that you need to adhere to other GDPR requirements and may need to back up your reasoning if challenged.
The Right to be Forgotten
A significant aspect of the new legislation is giving individuals the ‘right to be forgotten’. In the past, when a customer asked that a company no longer uses their details, their CRM entry may have simply been marked as ‘do not contact’. Once GDPR comes into effect, customers will be able to explicitly request that all personal details are completely deleted, with firms being legally obliged to comply. Where you operate from multiple databases, it might be worth investigating tech stack integrations to make sure that data can be removed from all platforms simultaneously.
Customers will also have the right to see a copy of all of the data you have on them (known as a Subject Access Request), to check what you are processing and its lawfulness. You will not be able to charge customers a fee for accessing their records (unless the requests are ‘manifestly unfounded or excessive’), and a response must be given within a month unless the request is particularly complex. Your response will have to contain the data you have on them, how you are processing it and any other relevant information, such as your retention period policy.
Third Party Compliance
The onus will be on your teams to check the GDPR compliance of any third parties that process the personal information of customers on your organisation’s behalf. This could be a CRM system or email service, a marketing automation platform or any other database. Contact your partners now to find out how they will be adapting their systems to meet GDPR requirements.
The good thing about the GDPR is that it’s widely accepted as a good thing. Giving control of data and privacy back to the individual will create a better dialogue between marketers and consumers, rebalancing the power in the relationship.
Cleansing your old data and getting rid of redundant files will help to ensure that your organisation’s marketing efforts are fully targeted at a willing audience. In return, you’ll find that focussing on your most relevant customers will help improve engagement and give your conversion rates a healthy boost.