The General Data Protection Regulation, which all companies processing personal data of EU citizens need to comply with by 25 May 2018, affects every branch of your organisation that in one way or another handles personal data. One department that depends heavily on personal data in its everyday work is marketing. We’ve gathered 11 things that you in marketing need to face as a result of the GDPR.
1. Prepare for an online opt-in culture
You will, in general, only be allowed to market to individuals who have given informed, unambiguous consent for one or more specific purpose(s).
Online, this can still be done by having the individual tick a box when visiting a website. But the box needs to be accompanied by easily understood wording that clearly states that by ticking the box, the individual agrees to have his or her personal data used for a specific marketing purpose, for instance to receive email marketing. The box cannot be pre-ticked, as the user needs to make an active choice about you collecting and using his or her data.
Opt-in marketing will need to replace opt-out marketing in the post-GDPR world.
2. Getting consent in contracts – needs to stand out
It will still be allowed to let individuals give their consent as part of a contract, but you need to make sure that the consent section of the contract is “clearly distinguishable” from the rest of the text. Consent cannot be made a condition of the contract if it is not necessary for the performance of that contract. In that case it would not be freely given, as the GDPR requires.
3. Gathering data on events – remember documentation
Other types of data collection, such as on face-to-face occasions, will be a bit more tricky. Imagine you’re at an event where you draw prize winners among the people who hand over their business card at your booth. In such situations you will need to inform people that their data will be used for specific marketing purpose(s). One can argue that by giving out their business card, they indirectly accept that. However, you need to have their unambiguous consent and be able to document it. Verbal consent is lawfully acceptable, but remember that you will have to present documentation when authorities request it. In a face-to-face meeting, you will do well to ask for some type of written consent.
4. Different consents for different purposes
Consent also needs to be purpose specific. If you would like to use someone’s data for uses other than those the collected consent allows, then you need to get a new consent for it. Note that you cannot simply create an "I agree to all future use of my personal data" consent phrase.
But what you can do is list several purposes in one consent statement, so that you take into account all the expected data purposes. Therefore, you need to be farsighted when you collect consent the first time, but at the same time not too ‘data greedy’, because asking too much may scare off potential customers and also conflict with the data minimisation principle. This principle says that “personal data collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
5. Buying data lists – YOU have data protection responsibility
If you buy a list of personal data, you are considered the data controller in the eyes of the GDPR. That means you’re legally responsible for the data protection and you need to make sure that the individuals on the list have given consent per the GDPR. It’s not enough that the list supplier – the data processor – gives you assurance. You will need to receive proper documentation.
You also need to know the origin of the data – where was it collected, by whom, what was communicated to the data subjects about purpose and storage period. Individuals will have the right to know these facts if they ask. And you will be lawfully obliged to hand out that information.
These factors will complicate the processes in the list industry to a potentially very high extent. Some experts have even predicted that the GDPR could be the end of the European data list industry.
6. Your customers can refuse to be analysed
When the GDPR sets in, individuals will be given several new rights, one of them being “the right to object.” This means they have the right to say no to profiling – for instance to having their buying patterns analysed. If individuals object to their data being processed, it can no longer be used for marketing purposes. Remember that any marketing communication needs to offer the right to object to profiling.
This means that if you’ve lawfully collected data from a certain number of customers and want to use that data analytically to derive shopping habits and create sales personas, then you need to have consent to do so (and if you haven’t included ‘profiling’ in your original consent statement, then you need to collect a new one). If someone declines, you’ll need to withdraw those particular sets of data from your analysis.
How many will use this right is impossible to predict now, but depending on the number, it could complicate the personalisation of customer experiences that organisations have been pursuing for the last few years.
7. You will need to integrate all your customer data touchpoints
Are your systems talking to each other? Are they integrated so that when you update a customer data profile in one system, it is automatically changed in another? If not, you will need some sort of system that aligns your customer data touchpoints. Imagine someone opts out of your marketing. If that isn’t registered in all systems, and someone (or some system like a marketing automation system) sends that person an email, you could be in a data breach. Connecting your systems, keeping them updated and applying proper data governance is one of the main success factors for GDPR compliance.
Your customer database also needs to be able to carry more, and more complex, metadata than most databases do today. For instance, you may want to add complex “purpose”, “opt-in to X”, “opt-out to X” and “data collection history” fields, etc.
This is also important in order to be able to demonstrate compliance. The GDPR itself says that you need to “implement appropriate technical and organisational measures” to be able to “demonstrate that processing is performed in accordance with this Regulation”.
8. You can collect only a minimum of data and keep it for a minimum of time
Your customer database needs to be dynamic, as outdated data needs to be eliminated. The GDPR states that personal data collected has to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, and that personal data has to be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
9. You need to change the way you communicate to individuals
Once the GDPR sets in, gone are the days where privacy policies were something hidden deep down on your website or written in very small letters at the end of your email. Post-GDPR data communication must be “concise, transparent, intelligible and easily accessible” and in a “clear and plain language, in particular for any information addressed specifically to a child.”
You will need to inform individuals exactly how you use their data, for how long you store it, who they can contact if they want to use some of their data rights, and what those rights are.
10. Employees will have to be trained
Every employee with access to personal data needs to have data protection and privacy in mind with every project and campaign. To ensure this, most marketing employees will need to be trained and effectively taught how to secure compliance.
11. Your customer database will most likely shrink
Several experts have predicted that the size of European customer databases will decrease with the introduction of the GDPR. So far, the number of individuals in organisational customer databases has only gone one way: up, and data profiles have rarely been removed. But from May 2018, businesses will start to see data leave the system, as people ask to ‘be forgotten’, and as data that has fulfilled its purpose needs to be deleted. The amount of data going into your system will most likely also be reduced, as the opt-in requirements automatically decrease the number of individuals who are willing to opt in. That means that marketers will have less useful data to work with.