Last year, the European Union confirmed new, tougher data privacy laws that are set to come into force around May 2018. But what do these mean for digital marketing – and marketers themselves?
Disclaimer: this post doesn’t constitute legal advice – seek professional legal counsel to ensure that your activities are compliant!
The GDPR explained
The EU General Data Protection Regulation (GDPR) is around 200 pages of reforms that seek to bring data and privacy laws up-to-speed for the digital age, with key themes of transparency and governance.
In a nutshell: you’re moving from an ‘opt-out’ world to an ‘opt-in’ one, with more rules governing what kind of data you should collect, how you should store it and how you should document your processes pertaining to it.
The new regulation has implications for all kinds of businesses, and marketers will be among those to feel the impact throughout what they do. The price for non-compliance can be high – so it’ll pay to be prepared ahead of 2018.
In this article we’ll dig into more of the details on the new regulation and translate them into what these can mean for a marketer.
Important note: if you’re selling into the European Union (even if you’re based on the other side of the world) or if you’re in the post-Brexit United Kingdom, these regulations will still apply.
The core principles of the regulations
The regulation is formalising eight key principles of individual rights that you’ll likely already have heard about. We’ll explore what these mean for key marketing channels later on, but getting to know the core of the regulation is a great place to start:
- The right to be informed: your obligation to provide ‘fair processing information’, typically through a privacy notice, emphasising the need for transparency over how you use personal data
- The right of access: the right of individuals to obtain access to their personal data
- The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete
- The right to erasure (aka ‘the right to be forgotten’): to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- The right to restrict processing: when processing is restricted, you are permitted to store the personal data, but not further process it
- The right to data portability: allows individuals to obtain and reuse their personal data for their own purposes across different services
- The right to object: the right of individuals to decline their data’s use for processing and direct marketing (including profiling)
- Rights related to automated decision-making and profiling: individuals have the right not to be subject to a decision when it is based on automated processing
Governance and accountability
There’s more to take into consideration other than your customers’ relationship with the data you have about them. The GDPR takes previous Data Protection laws and elevates them, so that what you’re required to do in terms of governance and accountability is now much clearer.
The good news is that there’s little that’s radically new here, so you should already have a lot of the necessary processes in place. The real news is that you’re now required to be able to show how you comply, so you’ll need to be able to document clear processes.
GDPR and your website
C is for cookies…and consent. Many marketers are collecting reams of data about their visitors’ onsite behaviour in order to better inform their marketing efforts; this has been a game-changer for digital marketing and allows us to provide much better customer experiences.
However, what you need to do next is not just make sure that your visitors know and understand this better, but also make it easier for them to opt out:
- You’ll need to have consent for cookies on your site. This can be soft opt-in or explicit opt-in, but it has to be clear, specific and unambiguous
- You need to have a way for your user to withdraw their consent as easily as they’ve given it
GDPR and your CRM
A huge part of what’s outlined in GDPR is about how you collect, process and handle data. While we’ve covered collection in part through discussing cookies, a big impact will come in your CRM and other data-management tools like your DMP (if using). You’ll need to consider:
- What kind of data you need to collect and store: you’re now obligated to ensure that you’re only collecting what’s necessary, so you need to refine what that is and be able to justify it
- How you store that data: this is where you can consider encrypting stored data as a way of mitigating the risk that data will be accessed or processed without authorisation, even if it ends up in the wrong hands
- How you process that data: the GDPR stipulates the processing of personal data in ‘such a way that the data can no longer be attributed to a specific data subject without the use of additional information’
- How you transfer that data: once again, encryption can be a key means of making sure that you’re compliant
- How that data is accessed: this is where you’ll need to look closely at your business’s structure and outline clearly who has access to what kind of data
GDPR and your email marketing
This is where everyone expects to see impact as the GDPR steps in to stop the flow of unsolicited email marketing. Once again, you’re going from ‘opt-out world’ to ‘opt-in world’:
- You need to have clear documentation that your recipient has consented to receive email from you and have their data used to inform how you market to them
- If you’re buying email lists from a third-party provider, you need to have similar documentation
GDPR and your product
If you’re in the software game, you’ll need to make sure that your product incorporates ‘privacy by default’ and ‘privacy by design’. What does that mean? That the strictest privacy settings automatically apply once a customer acquires a new product or service, and that data protection safeguards are incorporated into the product at the earliest stages of development.
Reasons to be cheerful
What you’ll find is that a lot of what the GDPR does is try to protect the consumer and their experience: ensuring that they don’t get an email they didn’t ask for and helping them get away from brands they’re no longer interested in.
On the whole, this is a good thing. While in the short term, having to implement new measures internally and externally to ensure you’re compliant might be difficult, the pay-off is happier, better-engaged customers and a strong brand reputation.
At Yieldify, we believe that you should always be thinking about your marketing from a customer-first perspective before you consider even the product that you’re pushing. The GDPR, while stringent in places, is a good nudge to think about adopting this approach further.
With one year to go, here’s what to do
There’s no time to waste in getting your marketing team (and your wider organisation) ready for GDPR. This skim-through is by no means exhaustive and you’ll have to think about your own business practices first and see how the rules apply. A great place to start is this handy guide from the ICO: