With 11 days to go before the General Data Protection Regulation (GDPR) is implemented, every major marketing publication has weighed in with their thoughts, interpretations and suggestions, including advice as to what companies should be doing to mitigate and limit any potential negative consequences regarding their customer data.
If you were a marketer that had just awoken from a year-long sleep, you might think we were in a GDPR apocalypse after reading some of the most recent claims:
“The data audit, conducted by W8 data, found that only 25% of existing customer data meets GDPR requirements.” – Campaign Live
&You Marketing is a data-driven strategic marketing agency who have been following the ICO guidelines and analysing various interpretations of said guidelines to separate the wheat from the chaff, so we can allay common concerns and give you a clear idea as to how prepared you are.
Concern 1 – What if we aren’t compliant in time for the deadline?
According to the Direct Marketing Association (DMA), in November 2017, 60% of marketers feel their organisations are on course to implement their plan to be GDPR compliant by May 25th 2018. 17% of companies are behind on their plans and 15% still do not have a plan.
The scariest monetary consequence for a company that is non-compliant is an upper limit fine of €20 million or 4% of annual global turnover – whichever is higher. This is crippling and obviously cause for concern for unprepared marketers.
The fact of the matter is that, as long as you are taking steps to prove that you are compliant and can prove this, you probably won’t bring your organisation to its knees.
“This law is not about fines. It’s about putting the consumer and citizens first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point” – ICO Website Blog
If you do feel underprepared for the incoming change in regulation, make sure you are at least thinking about how you are collecting and storing customer data. If need be, call on an external consultant to look at your organisation from the outside. Showing a willingness to take steps to become compliant is likely to be acceptable in the short term, as the overall aim is to improve the communications experience for the customer.
Concern 2 – I won’t be able to communicate to most of my customers!
If you don’t have the right permissions to communicate to your customers then you shouldn’t be sending them marketing comms anyway.
Use GDPR as an opportunity to take a look at your customer base and have a detox! Create pots of customers dependent on how engaged they are with your brand and then see if they are opted in. You should end up with a smaller percentage of customers that you have permission to communicate to under GDPR – and for the rest, see if you have legitimate interest based on previous engagement to re-permission them.
When you are re-permissioning customers, remember the following:
“GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. You’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of GDPR.”
After sorting your customers into pots and gaining new permissions, you will have a more engaged base from which you can build.
Concern 3 – I won’t be able to profile my base or use any 3rd party data
For direct marketers, profiling the customer base is a useful tool to understand the demographic groups your customers sit in.
The current guidelines specify: “The GDPR provisions, discussed in more detail within the body of this paper, focus on profiling that has a “legal” or “significant” effect on individuals, rather than profiling that has little or no impact.”
This guideline refers to a company using multiple pieces of data it holds on an individual to model or profile that individual and make a decision about them that results in a negative impact for them.
This does NOT include
In short, if you have a profile of the types of customers you would like to purchase contact data for, that is completely fine as you are not affecting any of your individual customers.
In this case, the 3rd party you are buying data from will be responsible for collecting the correct opt-in for individuals to then be contacted by you in an acquisition campaign, and you have a duty to confirm that the 3rd party supplier is GDPR compliant.
The new regulation is an evolution in data protection, not a revolution.
It has been put in place to make organisations more accountable for their personal data, and it enhances the existing rights of individuals.
If you embrace the change, and prepare correctly, the end result will be better engagement from your customers, and better marketing from the customers’ perspective.