By John Kennedy on 2017-06-26 20:24
In less than 12 months the new General Data Protection Regulation (GDPR) will be in force. As GDPR is a regulation, not a directive, it will be immediately enforceable as law in all EU member states on May 25, 2018. So the finish line for GDPR is fixed and getting closer, and the risk of businesses not being compliant is significant.
Only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline. According to the survey nearly a quarter of companies have not even started preparing yet, and consent for email marketers is the biggest cause for concern, cited by 70% of respondents.
GDPR was designed to protect the free movement of personal data belonging to EU residents while also protecting the fundamental rights and freedoms, including data privacy.
As a result of the GDPR, businesses will need to be far more transparent with what they do with the personal data that they manage and process. GDPR will affect every company that processes personal data from EU residents. If you’re collecting email addresses and sending emails to subscribers in the EU, you’ll have to comply.
If you store and/or process EU personal data then you must employ strong measures to protect the data you hold, regardless of where your company is located in the world. Regulatory compliance may be viewed as an administrative task, but if your company is found to be in breach of the regulation you will face steep penalties and may be fined up to 20 million EUR or 4% of annual global turnover. The loss is not only financial: from a marketing and PR perspective, any breach carries the risk of damaging your company’s reputation at the expense of customer trust and loyalty.
So What Is GDPR & Should I Be Concerned?
It is hard to think of a business today that does not collect or use personal data in some manner. Whether you have staff, customers or supplier relationships – if the data you hold relates to an individual you will need to comply with GDPR. Personal data is any information relating to an identified or identifiable natural person or ‘Data Subject’. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Organisations can start to prepare for GDPR by assessing the compliance of their own data policies and processes. One challenge may be to change the attitude to working with data. It is not enough for employees to say their job is not directly related to data compliance. Most of us do use data in our work and need to learn how to take responsibility for the protection of data we use and not rely on others.
As a business, now is the time to start developing transparent, easy-to-grasp data policies for your employees, customers and third parties, so that they understand what you are doing and why, in order to achieve compliance.
The GDPR, or General Data Protection Regulation (the full text of the regulation runs to 261 pages), is designed to unify data privacy laws across the EU, giving EU residents far more control over their personal data.
Where sales and marketing are concerned this does mean a review of how personal data is handled. The onus going forward will be on businesses to demonstrate how they meet the GDPR conditions. If you cannot prove how consent was obtained for a particular contact in the database, then there is a strong likelihood that this will be perceived as non-compliant. GDPR touches a number of aspects of email marketing, especially how marketers seek, collect, and record the consent of their data subjects.
Customer data is an increasingly valuable tool for businesses, for example to personalise an offering, engage customers through a loyalty programme or to leverage points of differentiation through a marketing campaign. Over the last few years the introduction of marketing technology has enabled companies to collect personal data on a large scale, allowing businesses to track and evaluate customer behaviour to direct their sales and marketing efforts.
The key for email marketers is to focus on collecting data they can use, rather than gathering data just for the sake of it. Businesses need to fully understand how to use what insights they have and the rules that govern it. As the data privacy regulations become more severe, consumers are also far more savvy about their legal rights and are wary of the risks that come with data breaches.
Marketers Need To Restore Public Confidence
Under the EU’s new rules, consumers have the right to know how their personal data is being used and the reason it is being processed, the right to access and correct it, the right to restrict further processing, and the right to request that all their data be erased.
As a marketer, now is a good time to assess the current marketing programmes through which you engage with your customers, for example your email strategy, blog subscriptions, e-newsletters, landing pages and forms, calls-to-action, etc.
While the focus will be on compliance, taking the time now to reappraise how you do things could also be a catalyst to change the way you interact with your customers. It is a chance to move towards selling the way the customer wants to buy and to build a higher level of trust.
Some Of The New Rights For EU Residents
GDPR places a burden on organisations processing an individual's data: they must be able to demonstrate that the data subject has consented, which requires maintaining records of that consent.
GDPR stipulates that data subjects have a right to withdraw, also known as a "right to be forgotten". This provision means that an individual can withdraw their consent at any time, and the organisation that originally collected the information has a duty to remove all information related to the data subject to protect the privacy of that individual.
Individuals will have more information made available on how their data is processed, and this information should be available in a clear and understandable way. A right to data portability will make it easier to move an individual's personal data between service providers.
Companies and organisations must notify the national authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.
Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules, built into products and services from the earliest stage of development.
The biggest concern for most marketers about GDPR is consent. You must be able to show that you got the consent in the correct way, stored it properly and have an audit trail that the contact is who they say they are. If your contacts are silent or you take inactivity as a yes, you will be non-compliant.
Today many marketers use a range of crafty, soft opt-ins to seek consent to communicate with a contact. Going forward, if your message around consent is deliberately a little fuzzy, it will be deemed non-compliant with GDPR.
A good habit to adopt sooner rather than later is to be strict and go down the route of a double opt-in. In the future you will not be able to send a B2B contact an unsolicited marketing email unless you have their specific consent to email.
What Is A Double Opt-in?
A double opt-in email feature gives you the ability to require that your email recipients confirm they want to receive email communication from you, for example after filling out a form. When you enable this feature, the typical workflow is to first send an opt-in request email after someone fills out one of your forms. The contact then has to click on a link in that email to confirm that they want email communications and to confirm that they are who they say they are.
When using a double opt-in your emailing lists will become better qualified, although you may end up with a smaller list; having a contact willingly opt in is a strong sign of engagement. There is of course also the protection against spam bots and fake subscribers.
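As an added illustration (not code from the original post), here is a minimal double opt-in flow in Python: the form submission produces a signed, time-limited confirmation token, the link click verifies it and writes a consent record with purpose, timestamps and source address (the audit trail the consent sections above call for), a later send for a different purpose is refused, and withdrawal erases the record. The secret, the 24-hour TTL and the in-memory log are assumptions standing in for a real secrets store and database.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side secret: in practice load it from a secrets store, never hard-code it.
SECRET = b"example-secret-rotate-me"
TOKEN_TTL = 24 * 3600      # assumed lifetime of a confirmation link (one day)
consent_log = {}           # email -> consent record (stand-in for a database table)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(email: str, purpose: str, now: Optional[int] = None) -> str:
    """Step 1: form submitted. Return the token to embed in the opt-in request email."""
    ts = now if now is not None else int(time.time())
    payload = json.dumps({"email": email, "purpose": purpose, "ts": ts}, sort_keys=True)
    return payload.encode().hex() + "." + _sign(payload)


def confirm(token: str, source_ip: str, now: Optional[int] = None) -> bool:
    """Step 2: link clicked. Verify the token and record consent with its audit trail."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex).decode()
    except ValueError:
        return False                                  # malformed link
    if not hmac.compare_digest(sig, _sign(payload)):
        return False                                  # tampered or forged link
    data = json.loads(payload)
    ts = now if now is not None else int(time.time())
    if ts - data["ts"] > TOKEN_TTL:
        return False                                  # stale link: repeat step 1
    consent_log[data["email"]] = {
        "purpose": data["purpose"], "requested_at": data["ts"],
        "confirmed_at": ts, "confirmed_from": source_ip,
    }
    return True


def may_email(email: str, purpose: str) -> bool:
    """Only send for the purpose the contact actually consented to."""
    rec = consent_log.get(email)
    return rec is not None and rec["purpose"] == purpose


def withdraw(email: str) -> bool:
    """Consent withdrawn: remove the contact's record entirely."""
    return consent_log.pop(email, None) is not None
```

The `purpose` check is what forces a fresh consent round when the data is to be used for something not covered by the original sign-up.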
Consent & Data Processing
Email plays an important role in many B2B marketing activities, and the most effective email campaigns tend to use personalisation. But unless companies have clear consent to use the data in a specific way, this may in the future be non-compliant, because the data has often been collected through automation such as IP address tracking, where consent is difficult to obtain.
With GDPR in place, marketers will only be allowed to send emails to contacts who have specifically opted in to receive them; it won’t be legal to just add email addresses to your mailing list. GDPR further specifies the nature of the consent that is required: it must be freely given through a clear and easy-to-understand process, users must be informed of the purpose for which their data will be processed, and it must be just as easy to withdraw consent as it is to give it.
Where consent has previously been relied upon to justify processing activities, businesses will need to carefully assess whether their existing consents meet the new GDPR conditions and, if they do not, new consent may need to be obtained.
An example of the GDPR consent provisions at work is the following:
If I were a technology B2B company with a loyalty programme, and I wanted to enrol John Smith in my programme, I would need John to sign up for the programme and consent to us gathering specific information about him. I would also have to seek John's consent to use the information he is providing to undertake specific activities. If at a later date we wanted to use the information we held on John for another purpose that we had not specified in the original agreement, for example sending an email marketing campaign for a new tech B2B product we have just created, we would first need to gain specific consent for the use of the information in that way. Further, if John called the company and withdrew his consent, we would have the duty to remove any information related to John completely from all of our systems.
Data processing requires that a business collects personal data in a lawful and transparent way. The key word here is transparent. For many years, businesses have collected information in a covert way to facilitate marketing campaigns or other activities at a later date. According to GDPR, all collection of data on an individual must be carried out in a transparent way, and what is collected should be limited to what is necessary for the task at hand and not kept for an unduly long time.
Getting Your Existing Data Up To The New Standards
Many businesses will face the challenge of getting their existing database up to the new standards, possibly having to run re-permissioning campaigns before the GDPR goes live.
What businesses cannot forget is that GDPR applies to all existing data that is being stored. If your database includes subscribers whose permissions haven’t been collected according to the GDPR’s standards, or if you can’t provide an audit trail of consent, you won't be able to process this data and remain compliant. You will need to bring all contact data up to the correct standards.
Many organisations will need to design or update their data protection compliance practices. With regard to sales and marketing, we already know that the industry as a whole is viewed with suspicion by consumers, who are wary of practices such as emailing, profiling and tracking. All of this adds more pressure to get GDPR compliance right.
This blog cannot replace the need for legal advice and must not be treated as legally binding advice. It is important that you discuss GDPR and its implications for your organisation with appropriate legal advisors.
Businesses need to take advantage of the lead time before the GDPR comes into force, and consider the following initial steps to prepare themselves:
- Conduct an audit of current data protection practices
- Perform a gap analysis to identify the areas requiring changes to comply with the GDPR
- Start implementing the changes now, in time for the GDPR
- Revisit processes for obtaining personal data from individuals (such as privacy policies and registration forms for loyalty programmes) to ensure compliance with the GDPR
Good sources of information if you want to start reading more about GDPR are:
- The ICO (Information Commissioner's Office) in the UK.
- European Commission Fact Sheet: Questions and Answers on Europe’s Data Protection Reform
- European Commission: Protection of Personal Data
Image source: www.freepik.com