GDPR - Are you ready?
There is no doubt that the General Data Protection Regulation (GDPR) is currently one of the most spoken topics in digital marketing. The most significant change in legislation in the last decade it has a right to be! Of course, the risk of enormous fines for getting it wrong is what makes the headlines, but that's not the primary focus of the new regulation. Putting customers back in control of their data is what the GDPR is designed to do, it has been formulated to bring back privacy by design that has sadly as recent news of Facebook's and Cambridge Analytica's activities has appeared to have been lost.
If as marketers, we learn anything, it is that consumers are quick to educate themselves, lose their trust and are prepared to walk away if they feel their data has been misused. The changes in legislation should be viewed as an opportunity to reconnect with your customer, be transparent and instil trust for all business that collects personal data from people residing in the European Union.
This applies even if your business is based outside of the EU. The personal information collected is any data that can be identifiable to a single person. It also includes the GDPR data that when combined identifies an individual too. This includes ‘pseudonymised data' or information that has been encrypted but if manipulated could identify a person.
This blog post shouldn't be taken as legal advice, and you should consult with your legal counsel. However, you can use the below three key focus areas in your readiness to be prepared ahead of the 25th May 2018.
Be clear, transparent and explicit in the information you provide a subscriber. This is best practice today and an action that will ensure your attracting quality sign-ups that are interested in what your business does. Forget the vanity email marketing list number and always approach your email marketing activity with quality in mind for maximum success.
Provide your customers with a choice to say no to subscribing, and once you've collected that data, you can only use it for the purposes that it was initially intended. The purpose cannot be exaggerated later on down the line without the consent of the customer.
2. Provide a choice
At the point of subscribing to your email newsletter, review the options that you are providing the customer, prospect or subscriber. Review whether these are genuine choices or have these choices been bundled, coerced or challenging to bring to fruition. As an example, if you’re running a competition, don’t opt every entry into receiving your email marketing just because they have provided their email address. Provide a clear choice to the entrant utilising the tip one above and ask the entrant if they'd like to also subscribe to your email marketing. Don't bundle in options or ask the entrant to opt out. In doing so you'll not only be noncompliant with the GDPR, but you'll also be growing a poor quality email marketing list. This can be an opportunity to be innovative and creative too like Man United’s approach with their video campaign asking fans to opt into their email marketing and the benefits those fans receive by doing so.
3. Keep a record
The ability to record the information you are presenting to customers at the point of sign up and documenting with a date stamp when and where a subscriber signed up are crucial to being compliant with the GDPR. You need to be able to record this information in such a way that you can demonstrate it later if required at the request of an DPA (Data Privacy Authority) or the subscriber. It’s also essential to test accessing this information – how easy was it to retain the information you needed quickly? Could you obtain everything you required or are there gaps? Document this process and ensure that everyone in the organisation is clear on your data collection, storing and documenting policy.
For the processing of personal data and direct and digital marketing data, you must understand your legal basis for processing, storing, and collect that data and be able to explain it. The ability to do both is key. The risk of fines is real for both a breach and for not demonstrating that you have the right processes in place. Carphone Warehouse is an example of an organisation that received the highest ever fine for a UK data breach because of the things they did wrong.
Because without the right processes, you are putting the customers’ data at risk instead of being its guardian.
Keeping a record isn’t just for you as an organisation to do, it is also vital that you ask your suppliers and agencies to demonstrate and provide information on their data handling policies too. You need to prove that you have acted with due diligence, be a champion for the protection of customers data.
The 25th May 2018 is vastly approaching, don't delay in making sure your business is prepared for collecting, storing and processing customer data. Use it as an opportunity to create a trusting relationship with your subscribers by demonstrating that you have the security of your customer's data at the heart of your business. It is a privilege to obtain information about your customers that they have consented to provide and it should be respected as one.
Author: Jenna Tiffany