Any organisation that uses data at the centre of its sales and marketing activities – and that’s just about everyone – will be impacted by the forthcoming EU General Data Protection Regulation (GDPR). The upcoming data protection legislation was put in place to standardise existing laws that call for transparency around the way companies collect and store personal data about EU citizens. In this blog post we dig into the details of the new regulation and translate them into what they mean for a marketer.
What is EU GDPR?
The EU General Data Protection Regulation (GDPR) is around 200 pages of reforms that seek to bring data and privacy laws into the digital age. They focus on the key themes of transparency and governance. To clarify this further - it’s not a specific privacy or data protection law — it’s a data governance law. GDPR requires companies to be transparent about what data they collect, take responsibility for what they do with that data and know what their partners do with it.
Historically, the way marketers have obtained consent to use personal information, in both direct and digital marketing, has often been a grey area. The Data Protection Act 1998 was predicated on the Data Protection Directive (DPD), established well over 21 years ago. GDPR's core principles are designed to tackle these issues in the digital age.
The core principles of the regulation
The regulation formalises eight key principles and individual rights. We'll explore what these mean for key marketing channels later on, but getting to know the core of the regulation is a great place to start:
- The right to be informed: your obligation to provide ‘fair processing information’, typically through a privacy notice, emphasising the need for transparency over how you use personal data
- The right of access: the right of individuals to obtain access to their personal data
- The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete
- The right to erasure (aka ‘the right to be forgotten’): enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- The right to restrict processing: when processing is restricted, you are permitted to store the personal data, but not further process it
- The right to data portability: allows individuals to obtain and re-use their personal data for their own purposes across different services
- The right to object: the right of individuals to decline their data’s use for processing and direct marketing (including profiling)
- Rights related to automated decision-making and profiling: individuals have the right not to be subject to a decision when it is based on automated processing
GDPR applies to all marketers - not just those in Europe
The key consideration as a marketer is to make sure your marketing practices comply with the GDPR. Whether you are a B2B or B2C marketer, the GDPR will almost certainly affect your marketing activities in some way. It is also important to note that irrespective of whether or not you are based in the EU, if you want to process the data of EU citizens you will need to be GDPR compliant! The key things you’ll need are a double opt-in for all your lists and a provable, recorded database that confirms who agreed to which communications, and when.
What does GDPR mean for your marketing practices?
Just think about all the channels through which you collect customer data (e.g. website, emails etc.). Now consider all the repositories you use to store that data (CRMs, MAPs etc.). They will all be impacted by the upcoming regulation. So let's take a look at a few of the more crucial areas.
GDPR and your website
Ah, cookies (website cookies, not actual cookies)! They revolutionised marketing itself - collecting data on visitors’ onsite behaviour helped marketers better inform their efforts and tailor marketing messages and entire campaigns based on behavioural analysis. Cookies have been a game-changer for digital marketing and allowed us to provide much better customer experiences. But cookies also require... well, consent.
What you need to do next is not just make sure that your visitors know and understand this, but also make it easier for them to opt out:
- You’ll need to have consent for cookies on your site. It needs to be clear, specific and unambiguous
- You need to have a way for your user to withdraw their consent as easily as they’ve given it
GDPR and your CRM
A huge part of the GDPR is about how you collect, process and handle data. Another big area of impact is your CRM and other customer data-management tools. You’ll need to consider:
- What kind of data you need to collect and store: you’re now obligated to ensure that you’re only collecting what’s necessary, so you need to refine what that is and be able to justify it
- How you store that data: you need to consider encrypting stored data as a way of mitigating the risk that data will be accessed or processed without authorisation, even if it ends up in the wrong hands
- How you process that data: the GDPR requires that the processing of personal data should be conducted in ‘such a way that the data can no longer be attributed to a specific data subject without the use of additional information’
- How you transfer that data: encryption can be a key means of making sure that you’re compliant
- How that data is accessed: this is where you’ll need to look closely at your business’s structure and outline clearly who has access to what kind of data
GDPR and email marketing
This is where everyone expects to see impact, as the GDPR steps in to stop the flow of unsolicited email marketing. Better marketers have operated this way for a while, but the rest will be going from the ‘opt-out’ world to the ‘opt-in’ world:
- You need to have clear documentation that your recipient has consented to receive email from you and have their data used to inform how you market to them
- If you’re buying email lists from a third-party provider, you need to have similar documentation
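The post asks for three concrete things from a marketer: a double opt-in, a provable record of who agreed to what and when, and a withdrawal path as easy as the sign-up. The following is an added example (not code from the original post or from any product) of an append-only consent ledger that does exactly that. The 48-hour confirmation window, the in-memory storage and the sample addresses are assumptions chosen for the demonstration; a real deployment would persist the events in a database.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy (not stated in the post): an unconfirmed opt-in link expires after 48 hours.
CONFIRMATION_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class ConsentEvent:
    subject: str    # e-mail address of the data subject
    purpose: str    # what the consent covers, e.g. "newsletter"
    action: str     # "requested", "confirmed" or "withdrawn"
    at: datetime    # UTC time the event happened
    source: str     # where it came from: form URL, confirmation link, unsubscribe link


class ConsentLedger:
    """Append-only record of who agreed to what, when, and through which channel.

    Double opt-in: a sign-up form only produces a 'requested' event plus a
    one-time token; consent exists only once the subject confirms from the
    mailbox, which proves control of the address. Callers pass `now`, events
    are appended in time order, and the latest event decides the status.
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        # token -> (subject, purpose, requested_at); a token is consumed on first use
        self._pending: dict[str, tuple[str, str, datetime]] = {}

    def request(self, subject: str, purpose: str, source: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # unguessable, single-use confirmation token
        self._events.append(ConsentEvent(subject, purpose, "requested", now, source))
        self._pending[token] = (subject, purpose, now)
        return token

    def confirm(self, token: str, now: datetime, source: str = "confirmation-link") -> bool:
        entry = self._pending.pop(token, None)
        if entry is None:
            return False            # unknown or already-used token (replay)
        subject, purpose, requested_at = entry
        if now - requested_at > CONFIRMATION_WINDOW:
            return False            # stale link: the subject has to start over
        self._events.append(ConsentEvent(subject, purpose, "confirmed", now, source))
        return True

    def withdraw(self, subject: str, purpose: str, source: str, now: datetime) -> None:
        # One call, no confirmation step: withdrawing is as easy as giving consent.
        self._events.append(ConsentEvent(subject, purpose, "withdrawn", now, source))

    def has_consent(self, subject: str, purpose: str, at: datetime | None = None) -> bool:
        """Consent status for one subject and purpose, optionally as of a past time."""
        status = False
        for ev in self._events:
            if ev.subject != subject or ev.purpose != purpose:
                continue
            if at is not None and ev.at > at:
                break
            if ev.action == "confirmed":
                status = True
            elif ev.action == "withdrawn":
                status = False
        return status

    def proof(self, subject: str) -> list[ConsentEvent]:
        """Full history for one subject: the evidence shown to an auditor or to the
        subject exercising the right of access."""
        return [ev for ev in self._events if ev.subject == subject]

    def mailing_list(self, purpose: str, at: datetime | None = None) -> list[str]:
        """Only addresses whose latest recorded status is 'confirmed'."""
        subjects = {ev.subject for ev in self._events if ev.purpose == purpose}
        return sorted(s for s in subjects if self.has_consent(s, purpose, at))


def demo() -> dict:
    """Constructed scenario: two sign-ups, one confirmed, later withdrawn."""
    t0 = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    tok_ana = ledger.request("ana@example.com", "newsletter", "https://example.com/signup", t0)
    tok_ben = ledger.request("ben@example.com", "newsletter", "https://example.com/signup", t0)
    ledger.confirm(tok_ana, t0 + timedelta(minutes=5))
    replayed = ledger.confirm(tok_ana, t0 + timedelta(minutes=6))   # same token used twice
    late = ledger.confirm(tok_ben, t0 + timedelta(days=3))          # link used after 48 h
    ledger.withdraw("ana@example.com", "newsletter", "unsubscribe-link", t0 + timedelta(days=30))
    return {
        "list_after_confirmation": ledger.mailing_list("newsletter", at=t0 + timedelta(days=1)),
        "list_now": ledger.mailing_list("newsletter"),
        "ben_has_consent": ledger.has_consent("ben@example.com", "newsletter"),
        "replay_accepted": replayed,
        "late_accepted": late,
        "ana_history": [ev.action for ev in ledger.proof("ana@example.com")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter for the "provable" part: events are never edited or deleted, only appended, so `proof()` reproduces the complete history of a subject including the withdrawal, and the mailing list is derived from that history rather than from a mutable "subscribed" flag. A form submission on its own never puts an address on the list, which is what separates a double opt-in from the opt-out world the post describes.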
GDPR and your software
If you’re developing software, you’ll need to make sure that your product incorporates ‘privacy by default’ and ‘privacy by design’. What does that mean? That the strictest privacy settings automatically apply once a customer acquires a new product or service, and that data protection safeguards are incorporated into the product at the earliest stages of development.
With less than 9 months to go, you need to make sure you meet the new regulatory compliance rules and assess how GDPR will affect your marketing campaigns. As with any regulation, we recommend you seek professional legal counsel to ensure that your marketing activities are compliant.