What do Digital Marketers need to know about GDPR?
Collecting data has always been a little bit of a grey area in both digital and direct marketing. With data protection laws being outdated by digital advancements, it is clear that the digital age, where big data has become big business, is not effectively monitored under current Data Protection legislation.
What does GDPR Legislation Cover?
6 top-level areas that GDPR covers are:
Right to access: This means that you must be able to provide a free copy of someone’s individual data if they request it. They are allowed to find out what data you as a data controller/company have, where the data is held and why the data is being used.
Right to erasure: The right to be forgotten allows the individual to request that the data controller/company deletes the data, and to request that neither your company nor third parties can access or process the information.
Data portability: Under GDPR people will be able to request their data in electronic format so that they can transfer their data to another data controller/company (e.g. switching electricity providers).
Data breach notification: If your company has any breach of data such as a leak, hack, lost paperwork, missing USB etc., all relevant parties must be made aware or notified within 72 hours.
Privacy by design: Any new systems such as organisational and technical processes must now be designed with data protection in mind. This is to ensure data is being held securely but also that only relevant and necessary data is utilised.
Data protection officers: A key new obligation under the GDPR is the requirement that certain data controllers and processors appoint a Data Protection Officer (DPO). The DPO takes responsibility for an organisation’s data protection compliance.
How has data been collected in the past?
Marketers have always been clever in how they’ve obtained your personal information. Think of every competition you have entered for the latest piece of tech only to suddenly start receiving the weekly newsletter that you didn’t sign up for. Think of every interesting white paper you downloaded but had to fill in personal information to obtain it. Marketers have been collecting data in this manner to try to target campaigns after identifying your interests/organisation etc.
What does the GDPR mean for marketers?
GDPR will require a major overhaul of how we handle data as marketers. If an organisation cannot prove why or how they obtained consent for personal information, the likelihood of being fined is high.
The data collected must be relevant to the purpose it was collected for. For example, if you run a competition that requires people to enter their email addresses, this information can now only be used for the purpose of the competition. If you wish to use the email address for the weekly newsletter, you require further consent from the data subject. This means that marketing teams should be advised to start cleaning up their marketing lists as soon as possible to be compliant.
At the end of the day though, your customers who have genuinely given consent are your most valuable customers. They have consented to engage with you. Just make sure the information has been granted lawfully and is being used for the legitimate purpose.
In What Ways Will This Impact Everyday Digital Marketing/Sales?
Here are the main things that marketers should be aware of going forward for GDPR compliance:
The common soft opt-in option is no longer viable for marketers. Currently we as marketers can email so long as the party receiving the email has the option to opt out; if they don’t opt out, that implies consent. With GDPR this consent needs to be far more explicit. Data controllers/companies must be able to prove that someone’s email address was not added to a list by default. A best practice option going forward might be a double opt-in option, similar to what Mailchimp provides. In other words, they opt in and then receive an email with a link confirming the same.
Marketers must make sure that any forms are made compliant. All online forms must be hosted in a format that is GDPR compliant and now that opt-in is mandatory, data utilised in these forms must comply. Everything must be hosted in a format that complies with the new regulations.
Your CRM System
CRM systems that allow someone to be marked as “do not contact” are no longer compliant with GDPR. This information will now have to be fully deleted on request to comply with the “right to be forgotten”. Any databases that feed into your CRM or third parties will also have to ensure that the relevant data is deleted.
Third Party Compliance
Marketers need to consider how their suppliers process data provided by them. It is impossible to be 100% certain of how other companies use the data you provide them. However, you can request in writing how suppliers store and process data.
Make sure your appointed data protection officer is made a point of contact with the data protection officer in the third party company, so that any breaches can be handled within the reaction time of 72 hours.
Make sure the data they are collecting from you is legitimately required and being used for its intended purpose. Make sure you are able to download any data on request, and be sure that, should you switch providers, your customer data is deleted.
Any data collected at events, which is usually recorded on paper, must show opt-in evidence for any post-event marketing activities. Any paper information should be stored securely and compliantly.
Marketing With ‘Legitimate Interest’
Opt-in is now 100% compulsory for all of your marketing efforts. However, there is another perspective on the opt-in option which digital marketers may feel is a grey area. The first perspective on opt-in is consent, which is compulsory. The second perspective is advertising to people on the assumption that they have a legitimate interest (the assumption still holding that they have an opt-out option available).
However, this might not be the get-out-of-jail-free card that marketers are looking for. It might be tough to prove legitimate interest in a court of law. Marketers will need to be clever about who they market to, why they are marketing to them and whether they have consent to do so.
Add value for customers when you use their data
Marketing has changed in the digital age. Customers want relevant information. The younger generations have a keen eye for spam and are well accustomed to ignoring it. Whittling down your marketing list to those who are genuinely engaged and relevant to why you are engaging with them will only provide more impact on your sales funnel. It is essentially pointless to market to those with no interest in your company or no need for your services. If your data is compliant, then your marketing list is strong and effective.
The deadline for compliance with GDPR is 25 May 2018. Marketing is only one area of your business that needs to be aligned with the regulation. The extent of work required to develop policy and process, as well as to ensure you have the right IT infrastructure in place to protect data flows throughout your organisation, needs careful consideration. My advice is to start the process as soon as possible to avoid being caught out.
Marketing is only the tip of the iceberg when looking at compliance for your business as a whole. Start the process as soon as possible. The deadline for GDPR compliance is the 25th of May 2018.