2020 GDPR Check-list for Marketing Team and Practical Practices
Wondering why you need to worry about GDPR, what is this, and what will happen upon its implementation? ?Then this article is for you; for all your questions on General Data Protection Rule. But we’ll start from the root cause.
The standard lifestyle in the current time is digital by nature, and every digital platform requires personal data. Gigantic databases record every website and individual visits with a computer or handheld device, every call they make with a phone, every location they visit, and all the pictures they click. Every piece of this data leaves behind a digital footprint, and this footprint has become one of the most prized resources for marketing organizations all over the world.The Economist in their May 2017 issue declared ‘personal data’ more valuable than even oil.
This should mean that this data is world’s most valuable resource. The data is of high value because it can help companies to learn to communicate better with their customers. This results in a substantial positive impact on overall customer experience.
This great value, however, also comes with some risks. Personal data is vulnerable to misuse, and theft and reports of such unpleasant incidents are abundant in the market. Naturally, savvy customers are raising demands for transparency. People have lack of faith in the efforts of the companies who promise to safeguard their personal confidential information. Hence they want to know exactly how the companies are storing their data.In a study on Consumer Privacy conducted in 2016, the NCSA learned that 92% of all online customers agree that data security is a significant concern for them.
The Chartered Institute of Marketing also reported that 57% of online consumers do not trust that online brands are using their data reasonably and responsibly.
Symantec’s State of European Privacy Report has made another such observation. The report found that up to 90% of businesses are of the opinion that to completely delete customer’s confidential information is extremely difficult, and 60% went on to say that they didn’t even have any mechanisms to do so.
There exists lack of balance between the demands of safety by customers in the online sphere, and the measures taken by merchant and corporations to ensure the safety of personal data.
The Challenges with Data Protection
Organizations face many challenges when it comes to the proper disposal of data once collected.As high as 41% of marketing agencies claim to have little to no understanding of the law and its implications. Click To Tweet
It is, therefore, extremely concerning that there is no clear understanding of appropriate practices for the protection of these data.
The people responsible for the handling of these data due to a lack of intentions, the business costs, and also simple education about the impacts of data misuse, fail to employ proper measures for its protection. All these agencies dealing with the personal data of customers should be educated, disciplined, regulated thoroughly and robustly. A breach in consumer trust, on the part of few merchants, can adversely impact the credibility of the whole market. It is, therefore, best if all the organizations that they adhere to proper regulations and store and handle the data appropriately.
A Brief Description of GDPR
GDPR is short for General Data Protection Regulation. It is a privacy regulation for digital data. It serves to standardize a range of privacy legislation in all member states of the European Union.
This is a regulation that ensures safe handling and disposal of data after taking customer’s exclusive permission to use it. In simple terms, the digital platforms where customers provide their personal information will require appropriate privacy settings right into the structures of the websites and other digital products. These privacy settings must be active by default on all digital platforms. You need to conduct regular privacy impact assessments, to strengthen yourselves against any breaches in data protection. The regulatory will also standardize the way these companies seek permission from the customer to use their data. It shall strive to remove any ambiguity in the language of these permissions
Further in line with growing awareness and demands for data protection GDPR is proposed as a regulation instead of a directive. This means that it is legally binding in all member states, and companies have no option or legal recourse to opt out. A compliance failure with this will result in a fine of up to €20 million or 4% of the company’s global turnover, whichever may be higher ?
If the impact of GDPR will be significant, market pundits hope that other countries will also follow suit. EU’s steps, in any case, are commendable, to say the least.
Why Marketers need GDPR?
GDPR can bring a dramatic change in the way data is handled in the EU. This is a paradigm shift for the users of the internet at a gigantic scale. Users shall feel respected and considered, as opposed to being treated as commodities and potential business leads. The individual protection GDPR provides customers is unparalleled.
It is a widespread belief that corporations tend to misuse the data they have. The permission they seek online is confusing, unclear and longwinded, discouraging people from reading them and exposing them to vulnerability. GDPR should keep companies of all sizes and types, under control and make them more responsible and reasonable with customer data. Regulators agree that large corporation has exploited personal data for unethical gains. It will introduce accountability and transparency in these dealings with the data.
Is this the right time for General Data Protection Rule?
To put it straight the EU’s data privacy regulations are outdated. The main reason behind this urgency is almost archaic Data Privacy Regulations. The EU’s current regulation was standardized in 1980 based on a document which may have been relevant about three decades ago but is all but useless today.
One cannot expect a law this old to cover the significant data platforms of our times, social media, phones, advanced web technology like artificial intelligence, online video sharing, and virtual reality, etc. Besides, the current regulation, given the simpler times when it originated, is only a directive. So, corporation always had an option to opt-out, and in many cases, they did that too.
Given the ever-increasing number of the users of the internet today, the sheer amount of data has grown exponentially, since the 80’s. And not just the quantities but the types of data have also changed considerably. These out date s regulations, along with the inevitable changes make the whole scenario of data protection a massive confusion, and prone to offenses.
Hopefully, GDPR shall change all these irregularities.
How will General Data Protection Rule Impact Marketing?
It is also natural that such significant changes will impact a substantial number of individuals and organizations. On the one hand, the consistency and standardization are a welcome change in the market; it poses a few challenges as well. For marketers, GDPR presents quite a few additional requirements regarding business continuity. And given a large number of corporations from all over the world having a representation in EU, this impact is quite massive.
For small businesses especially, GDPR may appear to be a little too demanding. Solo-practitioners, self-employed individuals or freelancers who have a well-established web presence may think that they need to go through additional costs, and professional efforts to stay relevant and in line with the new regulations.
The reality, however, is much simpler than it may appear at this point. Agencies handling personal data through any means need to focus on only three aspects of data protection: data permission, data access, and data focus.
1. Data Permission
It is that part of data protection that deals with continued contact with the individual once he has concluded the current transaction with the company. Email opt-ins to be precise, or people who have allowed the company to send them promotional emails.
The company cannot assume that these individuals would accept emails from anyone else as well. After the establishment of GDPR, the companies can use these contact details only after the customer has consented in a ‘freely given, specific, informed, and unambiguous’ manner to utilize their data for other purposes.
This means that customers will need to confirm physically, that they have no objection. Companies will need to seek permissions from customers, and not assume that it is ok to contact them. This will change the current scenario where a pre-ticked box that shows up to receive promotional material. Opt-ins will need to be deliberate choices, without any ambiguity.
Say for example, that while filling in their details on a registration page of a website, the company is not allowed to assume that the customer has given his consent to use his details for sending discount offers. Instead, the customer should deliberately fill their details before the company can contact them after the conclusion of the current transaction.
While this protects the privacy of the customer, it does have limitation to pose as well.Data protection will also impact 'Refer to friend' programs though they are not intrusive Click To Tweet
“Refer a friend” schemes require a customer to enter a reference’s emails to obtain some incentive from a company like a discount coupon or reward points etc. For the promotion to be successful, the company needs to send an automated email to the said reference. In this case, explicit consent cannot be gained before the referred person is contacted. To stay compliant with GDPR, data can neither be stored nor processed.
In short, a company cannot send any marketing related communication to the referee’s email address.
2. Data Access
There is a relatively new term that the discussion around GDPR has made popular. “The Right to be Forgotten” is one of the more talked about ruling that the EU Justice Court history has had. This right means people can have outdated and inaccurate personal data removed from the database of a website. Google is a prominent example for a demonstration of this ruling. Google had to remove several pages from search engine results to stay compliant with the ruling.
GDPR in line with this ruling, empowers individuals to have control over the usage of their data and allows them the ability to access and completely remove it, under the Right to be Forgotten.
This means that marketers will need to ensure their users can access their individual data efficiently and remove it or remove the consent for its further use.
In practice, this should not mean any substantial effort. Companies can just add an unsubscribe button or link, within the email template they use for marketing, and link this to the profile of the customer they are maintaining with them. This should allow users to decide whether they want further emails from the company or not.
3. Data Focus
GDPR also ensures that the information collected by a company is entirely justified and in line with the transaction the customer is having with them. By legally justifying the processing of such data companies will ensure that their transaction with the customers is as professional and as little intrusive as possible.
This means that the data collected by the company is concise and to the point. For example, the marital status of the customer may not be a significant detail, when they are applying for a newsletter from an automobile webzine. In this example, GDPR will require marketers to legally justify such a field in the subscription form or completely remove it to stay compliant.
The Penalties and Costs Involved in Non-compliance
GDPR was implemented in May 2018. GDPR is essential because it follows the general EU data protection rules and creates various new rights for the individuals who process personal data. It has caused several companies to stay alert about their unauthentic database. Every company is making efforts to remain compliant with the regulatory.
In case of GDPR mistakes can cost marketers dearly. With the Information Commissioner’s Office (ICO) clamping down harder than ever on the misuse of data, marketers need to know all the aspects of what they can expect and work accordingly.
The email campaign run by Honda is an interesting example of such a mistake. In order to give the individuals in their database an option to opt out from receiving emails, they reached out to their database. But the only way they could reach out to these individuals was through emails itself!
This severe error resulted in them sending out emails to individuals who had previously opted out already. This serious breach of compliance cost Honda Motor Europe a fine of £13,000.
The bottom line, therefore, is that if the customers don’t give marketers their explicit consent to send emails to them, then not sending an email is the best thing to do. Emailing even to seek consent is classified as a marketing effort, and if done without permission it is a breach of GDPR regulations.
The effects of GDPR on Marketers
GDPR applies to companies and their employees. In simple terms, any company that has customers is in the purview of GDPR. Not to mention the people working in the company ?
There are three specific positions within the marketing department that will see the most significant change in everyday work.
1. Email Marketing Managers
Email addresses are an essential resource for B2B marketers, who depend in this for all of their lead generation campaigns. Before GDPR, businesses would actually buy lists of email addresses from other companies or copy them from other databases.
But, GDPR regulations forbid you from purchasing such lists or collecting details from any other source than the individual himself.
Even today it is a best practice to get explicit consent before a company starts sending out promotional material to them. From May 2018 onwards it will be against the law for companies to add individuals to their email list, and then force them to opt out in order to stop the promotional emails.
2. Marketing Automation Specialists
Marketing automation is an undeniably powerful tool, but, with a little lack of caution, it can land a marketer in serious trouble after GDPR comes to power.
The systems send out emails on behalf of a company’s CRM system. With GDPR, if an email is sent out automatically to someone who has already opted out, then the ICO can charge you hefty penalties. Corporations will need to ensure that every single name in their CRM database and all the emails listed in their automation systems have given them explicit consent to market to them.
This also means that the marketers should be quick to update their systems with people who have opted out and, ensure that their names are promptly removed and that no further emails can be sent to them.
Under the regulation of the GDPR even if an email is sent out because it was scheduled before receiving the opt-out request, it will still be a compliance failure.
3. Public Relations Executives
The idea of privacy that the GDPR is primarily rooted in covers all individuals in all situations. It is a common practice that PR execs to reach out to individual representatives of media houses to pitch for new product releases and popularizing of newsworthy company information. GDPR will require that only those journalists who have given exclusive consent to be contacted are receiving such emails.
While it may be possible that media databases like PRweb and MyNewsDesk, are liable for such consent, journalists will still need to give consent individually to before a corporation can contacts them. This should end the traditional outreach programs, and PR execs will need to be extra careful.
GDPR allows taking this consent to through their party platforms. HARO, for example, is such a platform where journalists ask corporations to contact them. Further, permission given through social media platforms is also acceptable. And apparently, if a journalist has reached out directly to you, then you should understand that they have explicitly demonstrated an interest in talking with you.
How GDPR is a Golden Opportunity
GDPR can sound a little intimidating and assertive at the moment. The fines and penalties declared for the breach of compliance themselves are enough to become a concern for responsible individuals. These factors alone are enough for marketers to rethink entire marketing strategies. The real implications, however, are in fact, quite positive for marketers. GDPR offers excellent opportunities for marketers to create focused marketing campaigns, better than they have ever done before ?
Learn from Experts: In this webinar below, Richard Campo, an experienced data protection and information security consultant with IT Governance, talks about how the GDPR may affect your business, some of the crucial principles of the GDPR, and the data flow mapping for the EU GDPR.
At this stage, it is easy to think that GDPR will change things and make them more complicated, but, this regulator will actually make marketing campaigns more rewarding.
Let’s see how!
1. By receiving consent
The customers have every right to know the information they have on them, who shares it and how they process it and for what purpose. GDPR gives an opportunity for the customers to decide what interests them.
Through consent, marketers can gain an insight into each individual’s interests. This enhancement is not only compliant with GDPR, but it also helps marketers further segment customers based on individual interests.
2. With Right to be Forgotten
If a customer requests, a business should remove all data they have about them. A CRM system, can be employed, to manage such requests instead of saving the data in different places.
When customers switch consent on and off on different campaigns, marketers can learn more about their customer’s preferences and interests. This should help them in creating more relevant campaigns for specific customer groups.
3. With Transparency
A GDPR compliant organization owe to be more trustworthy for customers. Building this trust comes with apparent transparency in an organization. GDPR gives a company to show how ethical they are.
A Customer demands a responsible usage of their data and GDPR lets marketers assure their customers of this. The personal data of an individual deserves respect and security. This commitment will help a marketer strengthen trust and improve engagement with their customers.
Practical GDPR Tips for Marketers
Let us give you some straightforward tips on how to stay GDPR compliant ahead of time.
1. Audit your mailing lists, today!
Simply remove anyone whose opt-in records are not there in your database. Also, while making new subscribers, in line with the upcoming GDPR regulations, make sure that your potential subscriber has confirmed that they want to receive emails from you.
2. Carefully contemplate your current data collection process.
Let’s be frank; you need to stop buying mailing lists. It is an age-old practice and needs to go. Not only from an ethical point of view but the rewards it fetches are nothing compared to penalties non-compliance to GDPR may attract. While this new approach is out of your comfort zone, it will guaranty that you have an engaged and interested reader base even if it is comparatively smaller.
3. Learn to tailor your content according to the profiles of your potential customers.
Invest in the creation of useful content like white papers, eBooks, and webzines that your visitors can download in exchange for their contact information. Based on what they are downloading you can easily understand their interests, and you can further create relevant campaigns for them too.
4. Learn to attract visitors to your mailing lists.
5. Learn about social selling techniques.
GDPR covers email, and intrusive solicitation through emails. Social media is still free and comparatively way less regulated. Sales reps, therefore, can connect with potential leads on social media platforms, instead of sending risky emails ?
6. Get a CRM System and chuck spreadsheets for storing customer data.
Provide your users the access to their data in your customer database and also to make necessary changes to it. A responsive CRM system is the only way to give such access to your customers. It not only ensures you are compliant with GDPR it will also ensure that you have the most updated data any given time.
7. Learn the details of your customer data.
By asking for only what is necessary you will ensure that you are compliant and your customer database will become infinitely simpler. B2B marketers in most cases, for example, need only the full name of an individual along with their email address and company name.
8. Push notifications instead of email notification!
Marketers can spread information through push notifications on different platforms where their users come in contact with the company. To display this notification mobile apps and websites can be used. There is no personal information involved and hence no GDPR violation.
GDPR does not ask marketers to do anything they are not aware of already. It merely standardizes ethical practices and enforces them more robustly.
To stay compliant
• Never contact someone without their permission.
• Do not take the liberty of introducing yourself.
• Don’t cold contact someone, and
• Do not send information that is irrelevant to them, hoping that they may buy what you are selling.
There is nothing to be scared about GDPR. In fact, it makes your communications more pleasing to your customers and thus rewarding for your businesses ?