As a marketer, you cannot fail to have noticed all the media attention being given to the new General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
The law represents a significant change to the current data privacy laws and will necessarily mean you having to adjust your marketing set-up. The rules affect your email marketing, direct marketing and CRM systems, and will almost certainly require you amend your website and other data collection methods.
Data collection and consent
A core principle of the new legislation gives individuals greater choice over which companies they receive information from. This is done through the tightening up of data collection and the giving of consent. Consent must be “a freely given, specific, informed and unambiguous indication of the individual’s wishes” (as clarified by the Information Commissioner’s Office).
So, a “soft” opt in is no longer allowed; subscribers must specifically opt in rather than opt out. This means that you cannot have pre-ticked boxes that then have to be unchecked by your contacts. Consent to receive marketing information also cannot be bundled in with other agreements, like agreeing to terms and conditions, for instance. Many companies will have to reconfigure the data collection and consent aspects of their websites to meet these requirements.
Consent also affects other areas of your marketing. No longer can you assume, for example, that the people from whom you collected business cards at a trade show have given their consent for you to add them to your CRM system or email newsletter database; they have not given their specific permission for this activity.
B2B email marketing
Currently, you can send an email to a business contact without prior permission. So, business email is considered to be opt out. Only once the person or company opts out must you stop emailing them. It is only for individuals where you need to obtain their prior permission to email them.
A big change with the GDPR is that the new regulation does not distinguish between individuals and businesses. So even for business email marketing, you must obtain consent where the data refers to a person.
Clarity of your privacy notices
Under GDPR, data subjects have the “right to be informed”, meaning they must receive fair and transparent processing information from you. Essentially, this means that your privacy notice should clearly state what data you collect and how you will use it.
Right to be forgotten
The GDPR gives data subjects the “right to be forgotten”. Up until now, legislation has only gone as far as giving people the choice to opt-out of receiving communications from you. So, if requested, you have to remove someone from your email list, for example. However, under GDPR legislation, individuals have the right to have their data completely erased from all your systems. This means that, not only will you have to know where their data is stored, you will also have to completely remove it from your system.
So, that may mean setting up a process to find and delete data from your CRM, website, email databases, and any third party companies or applications that hold data on your behalf. No longer is it sufficient to label a prospect as “do not contact”; if requested, you need to fully remove all records about them.
One of the most stringent aspects of the GDPR is that you need to be accountable. You need to demonstrate that you are compliant. For example, you need to be able to verify that you received consent from a data subject. One of the best ways to do this is ensure you only collect data using a double opt-in method, thus providing the electronic signature you need to prove consent.
Audit trails for your data collection, storage and erasure are also important, so that you can prove your compliance. And if you outsource to third-parties such as email marketing companies, then you are still ultimately responsible for the data they hold for you. This entails careful checking that your partners are GDPR-compliant and that any erasure requests or requests for individuals to access their data are processed properly.
You have until May 2018 to ensure that your existing data is compliant. This affects any data you’ve bought from direct marketing suppliers, or data you have collected without proper consent, and even data you have where you cannot prove you’ve obtained specific consent. Many companies are starting to clean up their data now, in advance of the changing regulations.
You may decide to clean your data by obtaining consent in a way that is compliant with the GDPR. Or you may well have to delete large portions of your database. But that’s a good thing really. Marketing gains the best results when it is aimed at prospects that truly want to hear from you. If you currently scattergun-email thousands of contacts but only see small open and click through rates, changing from this strategy and concentrating on smaller numbers of more engaged prospects may bring greater returns.
It’s likely that the introduction of the GDPR will see a shift in marketing tactics for many businesses. With smaller databases of prospects, there will almost certainly be a greater emphasis on inbound marketing than outbound marketing. This will help to attract prospects into your company. But numbers of prospects gained through inbound marketing are smaller than the numbers companies tend to use for outbound marketing. So it’s also probable that retention strategies will begin to play a more significant part in your marketing efforts than acquisition marketing.
Time to get your act together
According to a YouGov poll of 2,000 businesses, taken back in May, only 29% of companies surveyed had started preparing for the introduction of the GDPR. This is a startling fact, given the size of the fines that can be applied for breaching the GDPR. With the prospect of a minimum €10 million fine, companies not making certain that they abide by the new legislation are opening themselves up to potential financial devastation.