In March 2018, the EU’s General Data Protection Legislation (GDPR) will come into force, drastically changing the ways in which marketers will be able to collect, store and use customer data. While 2018 may seem a long way off, given the massive variety of use-cases and applications that this legislation is set to impact, 18 months is barely any time at all to completely rethink and restructure an organisation’s entire data-marketing strategy
While a lot has been written about the GDPR, for many marketers, data storage regulation is still generally seen as an area controlled and owned by the IT department. As the role of marketing changes however, and ownership of customer data changes hands, many businesses are now turning to their marketing directors and CMOs in order to work out what their GDPR data-strategy should be. Unfortunately, a lot of marketers still don’t have a plan, with many being entirely unaware of the GDPR and how it could impact their customer databases.
With this in mind, here are four things that all marketers need to know about the GDPR now, while it’s still early enough to alter their existing customer data practices:
1. What does it actually mean?
The EU General Data Protection Regulation is a reform of the European Commission’s 1995 Data Protection Directive and is due to come into force in April 2018. Essentially, it is a fundamental shift towards catering to the concerns of consumers over the desires of corporations.
The GDPR will affect every business that deals or trades with European customers and requires that any business wanting to market to a consumer must have that person’s “unambiguous” consent.
For any sensitive personal data the Regulation goes as far as to insist on “explicit consent” across each and every marketing channel. As a result, it will no longer be acceptable to send marketing emails or promotions to a customer if you do not have an audit trail proving their consent to receive it. For example, hotels that collect email addresses from the use of Wi-Fi will not be able to send customers promotional emails, as they will have not have provided “explicit” consent to use their data in that way, (unless, of course, the relevant box is provided, and ticked, as part of the sign-in procedure).
By using a ‘Data Subject Access Request’, consumers will also now be able to request all the data that marketers have about them, including how they are using that data within their campaigns. This information must not only be made available faster, but must also be provided entirely free of charge. In short, the GDPR is going to force marketers to justify every piece of data that they have collected, demanding clearer consent at the point of collection and the ability to identify the origin of each piece of information within their customer data platforms. It will also mean a drastic restructuring of marketers’ databases to ensure that customer data can be retrieved on demand as and when requested.
2. Will Nordic companies outwith the EU be exempt from GDPR?
No. Businesses offering services to EU-based citizens or collecting data on customers inside of the EU will still need to comply with the GDPR rules. The same is true for Switzerland, for example, and any other nations that deal within Europe but are outside of the EU.
As a result, marketers throughout the Nordics need to reorganise their databases and rethink their data collection methods.
But is that really such a bad thing?
At the end of the day, marketers have been clawing ownership of customer data away from the IT department for years. The GDPR provides the perfect opportunity for marketers to start owning this space, incorporating their own marketing-led customer data platforms rather than relying on the outdated Microsoft Access databases of the IT department. Yes, GDPR will change the way that marketers reach out to their customers, but a greater degree of permission can only mean more receptive (if smaller) audiences and ultimately more targeted results. The most savvy marketers will be embracing this change, taking the initiative rather than waiting to be dragged along once the government regulation is enforced.
3. How can we as marketers prepare for it?
Marketers need to start understanding the regulations, the changes and the impact now. If they do not take action then they will end up either risking a fine or needing to wipe large percentages of their databases where consent cannot be proved.
So where should they begin?
As an initial step, marketers need to review their existing consent statements, considering how they are currently being stored and processed within their customer data platforms. This process should include a full audit of the information provided to ensure that it meets the minimum requirements of the GDPR.
Second, marketers need to review their CRM solutions and their customer data platforms to ensure that both are appropriately certified and comply with the standards of the GDPR. This should also include a full review of contracts with third party data processors, providers and related data sources. Even if customer data is incorrectly collected by a third-party provider, an internal marketing department could still be held responsible for its misuse.
Finally, marketers must rethink their approach to data collection, ensuring that they empower customers to opt-in and opt-out at all possible stages. This includes providing full disclosure of how that data is likely to be used in future at the point of capture.
4. What happens next?
The GDPR will force marketers to move away from practices of persistent bombardment by changing how they collect, use and share customer data.
Across the board marketing departments will also need to maintain cleaner and more accurate databases and provide more transparency as to how their customers’ datasets are being handled. Marketers will also need to review the consent options they provide on a regular basis, ensuring that their collection methods are leaving enough room to develop new ideas without stretching the definition of how existing data is used.
Data providers will also no longer be able to sell data in the way they do now. This will mean that marketers will need to work considerably harder to obtain permission for using someone’s information within their campaigns.
As a result of this explicit consent, marketers should expect to see a significant drop in the volume of customer data available to them. At the same time, as campaigns become smaller they will also grow more targeted, with marketers having to use their datasets more intelligently as a result. Through this change, customer care and ‘permission marketing’ are set to become a top priority. This will not only lead to better marketing, but also to stronger, long-term relationships with genuinely invested customers.