The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It is designed to give people in the EU more control over their personal data: how it is collected, stored, and processed by companies.
Here’s what it essentially means for marketers:
- Across our sign-up forms and landing pages, we have to tell our audience why we are collecting their personal information;
- For every piece of marketing communication we send out, we have to make sure that people actually agreed to receive it;
- This agreement has to be clearly documented, preferably with a double opt-in process.
While great marketing teams would already be following some of these practices, we have to set up formal processes around these to ensure GDPR compliance. So, how should we go about it?
Marketing Week editor Russell Parsons tackled this issue in a recent webinar. Parsons assembled an experienced panel that has worked extensively to create GDPR compliance strategies at their organisations.
In an hour-long discussion, the panelists explored several key aspects of GDPR, and what was evident was this: for businesses yet to map out their GDPR compliance roadmap, the two biggest obstacles are:
- How do we put together a GDPR compliance strategy?
- What exactly is ‘consent’?
Figuring Out a GDPR Compliance Strategy
On the topic of getting started with a GDPR compliance strategy, the panelists talked about the specific processes adopted in their organisations. Arriving at a GDPR compliance roadmap can be broken down into three key steps:
- Map out existing data available across the organisation. John Mitchinson, Director of Policy and Compliance at DNA, urged enterprises to consider every department and identify what data they collect, and how.
When it comes to marketing, review how contacts enter your database. If all your contacts are there because they filled out a particular form, that's great. If you're using personal data of people in the EU from other sources, you might not be able to continue using it unless you can show a lawful basis for doing so.
- Once you have your data mapped out, you have to create data collection practices that are GDPR compliant.
For data collected by marketing teams, here’s what you need to look at:
- Inform your visitors why you need their data, and what they can expect to receive, every time they fill out a form;
- Set up double opt-in. Send out an email asking visitors to confirm that they have, indeed, agreed to join your email list, receive a case study, or receive any other marketing communication from your team. Keep a record of what they were told, which form they used, and when they confirmed.
- Ensure that GDPR is not a siloed exercise. So while marketing teams look like the ones most obviously impacted, and can lead the charge towards GDPR compliance, it has to be a company-wide exercise. Steve Ford, Director of Online Product and Marketing at ITV, emphasised that companies need to approach it as more of a cultural change that gets embedded throughout their business.
What is ‘Consent’?
A lot of businesses are still struggling with the exact definition of consent. This can become particularly complicated when it comes to whether or not you can send a particular piece of email, or offer, or e-book to a contact. So here are some pointers that simplify the concept:
- Your visitors should be able to actively agree to receive marketing communication from you.
For example: if they are filling in a form to receive a case study, they have 'consented' only to that. You cannot add them to an additional email list without informing them. However, your form can have opt-in boxes that visitors can tick if they want to receive other kinds of communication, such as emails and offers.
- All communications you send must have an ‘Unsubscribe’ option.
- If the recipient is a corporate entity, you won't need prior consent to contact them or send an email. But you still have to include clear opt-in and unsubscribe actions, so they can choose to accept or reject further communication.
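The two mechanics above, a documented double opt-in and consent that is tied to one purpose with a working unsubscribe, are easy to describe and easy to get wrong in the database. The following is an added example, not code from the webinar or from any of the panelists' organisations, showing how a marketing system could record them. It assumes a hypothetical in-memory store, an HMAC signing key loaded from a vault in real use, and a 48-hour validity window for confirmation links; all of those are choices made for the example.

```python
"""Per-purpose consent records with signed, expiring double opt-in tokens (stdlib only)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: a real deployment loads this from a secrets manager, never from source.
SIGNING_KEY = b"hypothetical-signing-key-load-from-vault"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after two days


@dataclass
class ConsentRecord:
    """Evidence of one consent for one purpose: what was shown, where, and when."""
    purpose: str              # e.g. "case-study", "newsletter"; never shared between purposes
    form_id: str              # the form that collected the address
    notice_text: str          # the wording the visitor saw when they signed up
    nonce: str                # ties a confirmation token to this specific request
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """Consent keyed by (contact, purpose) with HMAC-signed, expiring double opt-in tokens."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, form_id: str, notice_text: str,
                now: Optional[float] = None) -> str:
        """Store a pending record and return the token to embed in the confirmation email."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        self._records[(email, purpose)] = ConsentRecord(purpose, form_id, notice_text, nonce, now)
        claims = {"e": email, "p": purpose, "n": nonce, "exp": now + TOKEN_TTL_SECONDS}
        payload = json.dumps(claims, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"{body}.{self._sign(payload)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Validate a clicked link: signature first, then expiry, then a matching pending record."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except ValueError:
            return False  # malformed link
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False  # tampered or forged link
        claims = json.loads(payload)
        if now > claims["exp"]:
            return False  # stale link; the visitor must sign up again
        rec = self._records.get((claims["e"], claims["p"]))
        if rec is None or rec.nonce != claims["n"] or rec.withdrawn_at is not None:
            return False  # unknown, superseded, or withdrawn request
        if rec.confirmed_at is None:
            rec.confirmed_at = now  # a second click on the same link is harmless
        return True

    def withdraw(self, email: str, purpose: str, now: Optional[float] = None) -> None:
        """Unsubscribe from one purpose; the record is kept as evidence, not deleted."""
        rec = self._records.get((email, purpose))
        if rec is not None:
            rec.withdrawn_at = time.time() if now is None else now

    def may_send(self, email: str, purpose: str) -> bool:
        """The only question the sending pipeline should ask before each mailing."""
        rec = self._records.get((email, purpose))
        return rec is not None and rec.active

    def evidence(self, email: str) -> list[dict]:
        """What you would produce if asked to show that this contact agreed, and to what."""
        return [vars(r) for (e, _), r in self._records.items() if e == email]
```

Two details carry the weight. Consent is keyed by purpose, so confirming a case-study download never makes `may_send(email, "newsletter")` true, which is the point made above about not adding people to extra lists. And the token binds the contact, the purpose, a per-request nonce, and an expiry under an HMAC, so a link cannot be forged, reused after an unsubscribe, or used to confirm a later request it was not issued for; withdrawal marks the record rather than deleting it, so the audit trail survives.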
My key learning from the discussion around consent was the understanding of 'legitimate interest'. This is something that businesses are having an especially hard time with.
Legitimate interest is when you can show that using someone's personal data in a particular way serves a genuine interest of your business, and that this use is something the person would reasonably expect and that does not override their own interests.
For example, if someone signed up for information on new laptop models, sending them information about laptop accessories, or profiling them by age-group and sending them laptops that are popular with that age group, can be clubbed under legitimate interest.
The ‘legitimate interest’ argument does allow you to send across communication using personal data, but you have to stay above-board. ‘Legitimate interest’ should not be used as a grey area, or a loophole to get around active consent.
All said and done, if your audience resides in the European Union, you have to get started with planning for GDPR. An interesting point made by Rob French, and one I think companies should pay special attention to, was that the key to having a working GDPR compliance strategy is to get excellent advice.
Whether that comes from an in-house team or an outsourced consultancy, it would be worth the effort to sit down with experts and truly understand the ways in which GDPR is going to impact your operations. The heart of the matter is that businesses have to get behind the idea of giving people control of the data they share. Once they embrace that idea and work towards ensuring GDPR compliance, they will increase transparency and build greater trust with their customers. And in a market where a lot of organisations are still resisting the change, actually championing GDPR could become a huge differentiator for your brand.
Note: This is the first of a two-part series on GDPR.