Legal, compliance and data management teams should by now have been all over the GDPR before most of us understood what the abbreviation even meant, but as we get closer to the deadline, it seems it’s the turn of our colleagues in marketing to worry about what life will look like on the other side of 25 May 2018.
The new legislation comes with significant challenges around information gathering, analysis and profiling, and marketers across the EU are asking the same question: Are we really going to erase decades of progress and revert to meaningless generic messaging?
It’s a fair question, given the weight of the new rules, but it doesn’t have to be the case. Marketing is just one branch of an organisation, and a solid GDPR-compliance plan across the business should incorporate the changes marketers need to adjust to. However, it’s easier said than done, because the new rules strike at the centre of current marketing strategies.
As with the ‘right to be forgotten’ and ‘legitimate interest’, when you read what the Regulation says and put yourself in the consumer’s shoes, it’s clear it is working hard to put the individual at the heart of the changes. By setting out a right to object to profiling, it aims to give the individual more control and to minimise the risk of anyone being adversely affected by profiling and automated decision-making.
What does the GDPR propose?
The Regulation (Article 4(4)) defines profiling as: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Quite the mouthful, and it goes further.
Article 22 of the Regulation provides people with a qualified right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
What does that mean for marketing?
In a nutshell, strict rules on profiling and automated decision-making, plus a right to object (Article 21): an absolute right to object at any time to processing, including profiling, for direct marketing purposes, and a qualified right to object to other profiling based on legitimate interests or a public-interest task.
The legislation impacts marketing, such as email marketing, in several ways, particularly how marketers seek, collect, and record consent. It means:
- Stricter regulations for collecting consent
From 25 May 2018, marketers will only be allowed to send email messages promoting their brand or service to people who have given clear, affirmative consent, i.e. opted in to receive messages. This is already the case in most European countries under the ePrivacy Directive (2002/58/EC), but as with most things, the GDPR goes further and specifies the nature of the consent that’s required.
Businesses must collect affirmative consent that is ‘freely given, specific, informed and unambiguous’ to be compliant. That means silence, pre-ticked boxes and inactivity can no longer be treated as consent (Recital 32), which rules out the more relaxed approach currently used by thousands of businesses across the EU.
The GDPR clarifies that an affirmative action signalling consent may include checking a box on a website, ‘choosing technical settings for information society services’ or ‘another statement or conduct that clearly indicates consent to the processing’.
It’s about the individual giving unquestionable permission with a full understanding of what they get in return and what their information will be used for once it’s processed.
With profiling, for example, if you intend to use a person’s information to decide which offers they’ll receive, you’ll be obliged to tell them that up-front, so they can accept or refuse with full disclosure.
How will that work in practice?
If you offer visitors to your website the opportunity to download an eBook or enter a competition in order to grow your database, and ask for an email address in return, you’ll be required to tell every person who provides an email address that you intend to send them marketing messages and to get their separate permission to do so; marketing consent cannot simply be bundled into the download. Otherwise, you’ll be breaking the law.
And, if down the track (or the next day), they ask to be removed from your mailing list, you’ll also be required by law to make that happen, quickly, and withdrawing consent must be as easy as giving it (Article 7(3)).
- New requirements for consent record keeping
The GDPR not only sets the rules on how to collect consent, it requires companies to keep a record of that consent too (Article 7(1)). The burden of proof that sufficient consent has been given lies squarely with the business. That means you need to hold reasonable evidence that you complied with all the steps if there is ever a dispute, or the regulator comes knocking.
Countries such as Germany have been doing this for a while, but it’s a new challenge for UK-based companies, so storing consent is something data owners will have to think about now: being able to demonstrate who consented, when, how, and to what wording becomes a legal requirement.
Some suggest taking a screen grab of the page or app where consent was given, but it’s unlikely your platform is doing that right now, and a screenshot on its own proves little. What matters is a record of the exact wording the person saw, the time, the channel or form it came through, and any later withdrawal, so most companies are going to have to look at how they can tick this new box to keep their marketing channels open and remain compliant.
What about existing data?
How we collect and store consent going forward is only half the story. The GDPR also applies to existing data, so if your database includes subscribers who signed up outside the new standards, or if you can’t provide sufficient proof of consent… you guessed it… you might not be allowed to send email to those customers anymore.
There is little allowance for data captured before the GDPR: consent obtained under the old rules stays valid only if it already met the GDPR standard (Recital 171), and the penalties are the same. So without GDPR-grade consent and proof of it, processing that data will no longer be an option, even if it was collected within the law at the time.
That’s a game changer and a massive wake up call for any business fuelling their marketing machine with personal information.
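The three requirements above (affirmative consent tied to specific wording, a demonstrable record of it, and a way to suppress legacy records that lack proof) can be met with a small append-only consent ledger. The following Python is an added example, not code from the original article or from pebble.it; the `ConsentLedger` class, its method names and the hash-chained record format are assumptions made for illustration, and the addresses and wording are constructed sample data.

```python
"""Tamper-evident consent ledger (illustrative; hypothetical design)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def fingerprint(text: str) -> str:
    """SHA-256 of the exact wording shown to the person, so the record proves
    what they agreed to, not just that a box was ticked."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    email: str          # normalised (trimmed, lower-case) so lookups match
    action: str         # "granted" or "withdrawn"
    purpose: str        # one purpose per event, e.g. "email_marketing", "profiling"
    timestamp: str      # ISO-8601, UTC
    source: str         # where it happened: form id, URL, campaign, call centre
    wording_hash: str   # fingerprint of the consent text (or withdrawal route)
    prev_hash: str      # entry_hash of the previous event; chains the log
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only log of consent events (hypothetical class name)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, email: str, action: str, purpose: str, source: str,
                wording: str, when: Optional[datetime]) -> ConsentEvent:
        prev = self._events[-1].entry_hash if self._events else GENESIS
        when = when or datetime.now(timezone.utc)
        ev = ConsentEvent(email=email.strip().lower(), action=action, purpose=purpose,
                          timestamp=when.isoformat(), source=source,
                          wording_hash=fingerprint(wording), prev_hash=prev)
        ev = replace(ev, entry_hash=ev.compute_hash())
        self._events.append(ev)
        return ev

    def grant(self, email, purpose, source, wording, when=None) -> ConsentEvent:
        """Record an affirmative opt-in together with the exact wording shown."""
        return self._append(email, "granted", purpose, source, wording, when)

    def withdraw(self, email, purpose, source, when=None) -> ConsentEvent:
        """Record a withdrawal; it must be honoured as easily as consent was given."""
        return self._append(email, "withdrawn", purpose, source, "withdrawn via " + source, when)

    def may_process(self, email: str, purpose: str) -> bool:
        """The latest event for (email, purpose) wins. No event = no proof = no."""
        allowed = False
        for ev in self._events:
            if ev.email == email.strip().lower() and ev.purpose == purpose:
                allowed = ev.action == "granted"
        return allowed

    def evidence(self, email: str) -> List[dict]:
        """Everything recorded about one person: what a regulator or a subject
        access request would ask for."""
        return [asdict(ev) for ev in self._events if ev.email == email.strip().lower()]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or ev.compute_hash() != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True


def needs_repermission(ledger: ConsentLedger, legacy_list: List[str], purpose: str) -> List[str]:
    """Addresses from an existing database with no provable consent for `purpose`.
    These belong in a re-permission campaign (or a suppression list), not a send."""
    return [a for a in legacy_list if not ledger.may_process(a, purpose)]


if __name__ == "__main__":
    # Constructed sample data, not real subscribers.
    ledger = ConsentLedger()
    wording = "Tick to receive offers by email. We use your purchase history to choose offers."
    ledger.grant("Ann@Example.com", "email_marketing", "ebook-form-v3", wording)
    print(ledger.may_process("ann@example.com", "email_marketing"))   # True
    ledger.withdraw("ann@example.com", "email_marketing", "unsubscribe-link")
    print(ledger.may_process("ann@example.com", "email_marketing"))   # False
    print(needs_repermission(ledger, ["ann@example.com", "bob@example.com"], "email_marketing"))
    print(ledger.verify())                                             # True
```

Each purpose (email marketing, profiling) is recorded separately, so consent for one never implies consent for the other, and the hash chain means a deleted or back-dated entry is detectable when the record is produced in a dispute. In production the ledger would be persisted and write-only for the marketing platform, with the consent wording itself stored alongside its hash.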
Will my entire marketing and consumer email programme need to be redesigned?
The GDPR currently has the full support of the British Government, so even if you’re thinking Brexit might save your skin, if you want to talk to customers in the UK or across the EU, you will have to comply.
And, because every business’s marketing policies, processes, procedures, IT infrastructure, network and controls are unique, that might also mean a unique approach to system change.
Meeting stricter privacy laws and opt-in regulations, providing proof of consent, bringing existing data up to par, safely purging what you no longer have permission to hold, improving your data protection, and updating your IT systems to cope - all while keeping your business going day-to-day - is an enormous challenge and requires expert knowledge and expertise.
What are my choices?
Broadly, there are two routes.
- If your business is global, you could separate the sign-up process for subscribers coming from different parts of the world, giving sign-ups from people in the EU the GDPR treatment and using a simpler process, where possible, elsewhere. Note that the GDPR applies based on where the individual is, not where your company is (Article 3(2)), so the split has to key on the subscriber’s location, not on which office runs the campaign.
- You can bring your entire database up to GDPR standards and go belt and braces on the lot. It will mean changes to your opt-in processes, and re-permission campaigns will inevitably shrink your database in the short term, but it will pay dividends in the long run. You’ll also have a sparkling clean data bank with a list of subscribers who really want to hear from you, which could improve the quality of your marketing overall and positively influence open rates, click-through and calls to action.
What if I just keep my head down and carry on as is?
It’s not just the rules that have got stricter: the punishments for failing to comply have soared too. Businesses that don’t play by the rules are open to fines of up to €20 million or 4% of global annual turnover, whichever is greater (Article 83(5)), and it’s expected that the regulators will encourage consumers to complain to help them focus on the violations causing the most upset.
We’ve all been at the sharp end of a disgruntled customer, and with fines so high, it’s hard to understand why a business would risk the financial impact and brand damage to market to customers who might not even want it.
How a certified GDPR consultant can help
A GDPR expert can help you implement and manage whichever route you choose, paving the way for simpler, GDPR-compliant processes that keep your business operationally fit and its risk understood and under control.
As with all things GDPR, the devil is in the detail, and marketing teams are urged to step back and take a long-term, strategic view on this one, because there are so many ways to fall foul when you consider the full end-to-end process of data collection, management and use across an organisation.
Your GDPR consultant can help the business ensure:
- Codes of practice around profiling are ship-shape and the language used with customers is in plain English
- All processing and practices are fair and meet the requirements of the new legislation
- Personal data is maintained as accurate and up to date
- The mechanics of capturing consent and storing consent records are secure and produce evidence you can show
- A best foot forward approach on re-permission campaigns
- An ability to understand what personal data you have, where it is, and who has access to it
- An ability to respond competently to data requests, objections to data use, the right to be forgotten, etc
- An ability to handle data breaches and data loss in line with the regulations, including notifying the supervisory authority within 72 hours where required (Article 33)
- Security measures are appropriate to the risk (Article 32): no system is 100% reliable, but you must be able to show the controls you chose and why
GDPR does not just impact on marketing, just as it is not simply a challenge for the IT team to solve – it is an organisation-wide endeavour that needs to be met head-on. By seeking the help of a GDPR consultant, your business can find out exactly what needs to be done to be compliant, and how best to do it.
At pebble.it we can provide the hands-on, practical advice you need to ensure your marketing strategy, and overall business systems, are in line with regulations.
Discover the steps that will put you on the road towards compliance, and how we can help you get there, by downloading our GDPR-readiness checklist: