In May 2017, The Economist called personal data “the world’s most valuable resource”, ahead of oil. Because personal data is so valuable, it’s vulnerable to theft or misuse, and this has led to consumers demanding to know how companies use and store their personal data. Consumers are not convinced companies are doing enough to protect them.
What is GDPR?
GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy. The reforms are designed to reflect the world we’re living in now and bring laws and obligations – including those around personal data, privacy and consent – up to speed for the internet-connected age.
Companies will now be required to build privacy settings into their digital products and websites – and have them switched on by default. Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways they use personal data and improve the way they communicate data breaches. And, because it’s a regulation and not a directive, it is legally binding and failing to comply could lead to fines of up to €20 million or 4% of your global turnover.
Why introduce GDPR now?
GDPR is ‘the most far-reaching change to data protection in a generation’ and is a dramatic shift in the way the EU wants personal data to be managed. GDPR now demands that companies are transparent about how they use data. Prior to this change, the EU data privacy regulations were based on a document that was first adopted in 1980 (later updated in 1995). This is a long old time if you think about just how far technology has come over that period! This was the era before social media, smartphones and artificial intelligence.
How does GDPR impact marketing?
On the surface, GDPR might seem extreme, especially for smaller businesses or solo practitioners; however, no business will be immune to the new rulings. As a starting point, here are the 3 key areas that marketers need to worry about – data permission, data access and data focus.
1. Data Permission
GDPR will force marketers to relinquish much of their dependence on behavioural data collection. The stipulation that will perhaps cause most angst is the requirement for consent to be active. Data permission is about how you manage email opt-ins – people who request to receive promotional material from you. You can’t assume that they want to be contacted. In the future, they need to express consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’. In practice, your entire audience needs to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission that they want to be contacted.
Gaining consent has its advantages: With GDPR, you need explicit consent to use an individual’s data. Your customers can also ask you exactly what information you have on them, who it is shared with and the purpose it has been used for. Look at this as an opportunity. Instead of a simple yes or no option when asking customers about data, you can now provide them with a range of options so that you can find out what they’re actually interested in. Through consent, you can gain insight into everyone’s interests and provide them with information that they want to receive. This not only helps you to be compliant with GDPR, but it also helps you further segment your customers and focus your communication on specific interests, rather than sending a “one size fits all” email campaign.
2. Data Access
The right to be forgotten has become one of the most talked-about rulings in EU Justice Court history. It gives people the right to have outdated or inaccurate personal data removed. The introduction of GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten. As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use. Practically speaking, this can be as straightforward as including an unsubscribe link within your email templates and linking to a user profile that allows users to manage their email preferences. This is not just practical but something all marketers should have been doing already.
3. Data Focus
The collection of data needs to be relevant for the purpose. This means if you have run a campaign or competition you can only use the information for that purpose. Creating another purpose to use that information will need further consent from the data subject. This is bad news for marketing as common practice has been to grow databases using these methods. GDPR requires you to legally justify the processing of the personal data you collect.
As you collect data, consider – what is this for and how will I use it? If you are asking for data, you will need to prove why you need it. All too often, we are asking customers to fill out lengthy forms with data that might not even be used. It’s annoying for your customers and probably provides no real business value back either.
The cost of failing to comply
The Information Commissioner’s Office (ICO) has warned of tougher sanctions for the misuse of personal data. Failure to comply with GDPR can result in steep fines (as mentioned above). Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.