What impact will the upcoming GDPR legislation have on digital marketing?
If you haven’t heard of it yet – and let’s be honest, how could you not have if you have a LinkedIn account?! – the General Data Protection Regulation (GDPR) is a new privacy regulation that is being introduced on the 25th May, 2018. Its purpose is to standardise a host of different privacy legislations across the EU into one central set of regulations that will protect users in all member states.
What this means for companies is that their digital products and websites will require privacy settings in operation by default. Beyond this, though, companies are required to conduct privacy impact assessments, consider how they seek permission to use the data, document how they use the data and communicate any data breaches.
Crucially, this is a regulation, meaning that it’s legally binding. Failure to comply could lead to a fine of up to €20 million or 4% of your global turnover! So, not one to ignore, guys. Oh, and forget the rumour that Brexit will absolve us: it’s been confirmed that the regulation is going to be adopted post-Brexit as well.
How is GDPR relevant to digital marketing?
GDPR may seem onerous, but for marketers it really only affects 3 specific areas – data permission, data access and data focus.
Data permission
Essentially, this boils down to email opt-ins: people who request to receive promotional material from your company. With GDPR, this means that they need to consent in a ‘freely given, specific, informed, and unambiguous way’ which is bolstered by a ‘clear affirmative action.’
This means the days of pre-ticked boxes are gone (either as an opt-in or opt-out) and any leads, customers, subscribers, etc. must physically take an action confirming they want to be contacted. It doesn’t go as far as double opt-in just yet, but many of the better sites have already gone this direction anyway and it’s generally accepted as best practice. If you still have pre-ticked boxes or implicit consent in place on your website, you still have a few months to become compliant – so get a plan in place and start making changes as soon as possible to ensure your visitors have to explicitly provide you with consent for you to use their data in any way.
It’s also important to remember that under GDPR a single consent isn’t necessarily going to cover you for everything, and your plans for usage of the data need to be clear to the user when they’re giving you consent. There are also changes to how data must be collected from children under 13, as well as to the collection of information on one’s ethnicity, sexuality, religious or political beliefs. It’s also key to keep detailed records to prove that a user has consented and ‘opted-in’, to protect your business from hefty fines.
Data access
The right to erasure, or rather the right to be forgotten, allows an individual, under specific circumstances, to have outdated or inaccurate personal data removed. In line with the right to be forgotten, GDPR has provided individuals with more control over the ability to access/remove their data.
For marketers, this means ensuring that processes are in place so that if a user requests to have their data removed, the company is able to do so ‘without undue delay’ and specifically, within a one-month time period.
Bearing this in mind, it makes sense to come up with a strategy and ensure your team is fully trained on how to deal with any ‘right to erasure’ requests appropriately.
Data focus
This point is key for marketers, as rather than openly collecting as much data as possible, we now need to consider if knowing an individual’s favourite TV show (or some other random information) is really relevant before they subscribe to our newsletter or supply their information to download a white paper.
Under GDPR, any personal data that you request and collect must be legally justified. While ‘legally justified’ can sound a little daunting, in reality it means dispensing with the frivolous additional information and focusing on what is truly needed. With that said, if knowing an individual’s favourite TV show is something you can prove you need and will use in a way that will benefit your customers, then you can continue collecting it.
What are the consequences of non-compliance?
Ok, so the question everyone has been asking…is GDPR compliance really something we all need to worry about? In short, yes.
The deadline is fast approaching, which in some cases has prompted panic amongst businesses and led to impulsive decisions (note Wetherspoons’ knee-jerk deletion of its email database rather than taking the time to think through its approach to compliance).
The other consideration is that the Information Commissioner’s Office (ICO) have demonstrated their inclination to pursue misuse of personal data, in particular targeting Flybe, Honda and Morrisons for attempting well-known email activation strategies. These campaigns flouted the rules by emailing customers (including those who had previously opted out) to ask if they wanted to be contacted by email and to update their preferences. For this serious breach of compliance:
- Flybe were fined £70,000 for emailing 3.3 million people who had previously opted out.
- Honda Motor Europe were fined £13,000 for emailing 289,790 people who had previously opted out.
- Morrisons were fined £10,500 for emailing 230,000 members (131,000 had previously opted out) – a key point in this case was that it was the customer who reported it to the ICO.
So, from where we’re sitting, it doesn’t look like they’re messing about here. This is coming and we all need to do something about it.
Which aspects of marketing are most affected by GDPR?
GDPR is wide ranging enough to affect the whole company, but who in the marketing department will it affect the most?
1. Email marketing managers
In marketing to B2B, email addresses are still the number one contact method for lead generation. You can forget buying email lists or scraping them from websites as under GDPR this will be strictly forbidden. Email marketing managers will need to ensure users opt-in to email campaigns and provide consent to be contacted, arguably already best practice but in 2018 this will be reinforced by EU law.
2. Marketing automation specialists
While marketing automation is a useful tool in the marketing tool kit, it also represents a costly risk under GDPR if the data is not accurate. If the system sends out emails to users who have opted out, you put the business at serious risk. It’s imperative to have clean and accurate data signalling which users have provided permission to market to them. As soon as a user opts out, the system needs to be swiftly updated to prevent any further emails.
3. Public relations execs
Be conscious that if you are distributing product release information or company updates, journalists equally must have provided their consent to be contacted. There are sites such as HARO where journalists request they are contacted so make sure you have signed up, but be wary of programs where you are buying distribution list capability as an in-built feature for press release distribution.
There are many, however, in the camp that believes B2B industries are actually slightly protected within GDPR under the ‘legitimate interests’ clause. Basically, those of this belief are saying that if the processing of personal data is fundamental to your day-to-day business – and the reason you’re using that information is to share information and/or products that are relevant and helpful to the other person – then you are compliant.
This may very well be the case; however, it is important to remember that ‘legitimate interests’ is not necessarily enough on its own to guarantee compliance. All other aspects of GDPR must be complied with, such as only processing relevant data and ensuring you can handle deletion requests efficiently and within the timeframe.
The next few months present a challenge for businesses to ensure they are fully compliant, but just bear in mind that rather than viewing GDPR as an oppressive restriction, it actually serves to ensure a rise in the quality of data held and should lead to a more tailored and individual approach to customers.
The basic principles are simple – avoid contacting customers unless they have asked to be contacted, don’t presume they want to hear from you, avoid cold contacting them, don’t buy data and don’t send irrelevant information users haven’t explicitly requested.
If you’re concerned your marketing team isn’t ready for GDPR or you’d like us to run an audit on your current data collection methods or processes, we can help. Contact us today to arrange an initial chat.