If you are an email marketer in the U.S., you are probably wondering what is this GDPR (General Data Protection Regulation) why should I care? Yes, there is this “compliance thing” (compliance begins May 25, 2018) to it if any of your customers are located in Europe or will be, but what you really want to start with is why you and your company want to embrace it.The fact is, the modern digital platform the world has embraced is based on gathering data that people willingly give up in order to get the “free” services and information provided. Even in light of all the data breaches and misuse, there is no mass exodus of belonging or using these platforms. That does not mean people don’t care about their personal data, because they do.
According to Mark Riston of Marketing Week,
“The real eruption of consumer anger taking place around Cambridge Analytica is not to do with how the company accessed data from Facebook but that:
a) such things are even possible,
b) they are impacting how people are targeted by marketing, and
c) it apparently works.”
GDPR is the opportunity for us to get back to the what’s the foundation of our success, our relationship with the customer. Our products are here to serve the customer. We win their business when we “listen” to them. It’s a business opportunity to win and build consumer trust to gain a competitive edge.
Foundation of GDPR
In legal terms, your customers and contacts—including the people you interact with at events from whom you capture data—are "data subjects." Your company controls their data, and are appropriately named "controllers." Any third party you use to "process" that data is a data processor and must also comply. GDPR provides a set of rights to your customers and imposes a set of regulations on both your company (controller) and your processors. Here are my seven keys to implementing GPDR.
Explicit consent is the cornerstone of GDPR. It means that people need to clearly opt-in to receive marketing messages and permit their data to be analyzed and stored by an organization. To get GDPR ready, every company will essentially need to run a marketing campaign to gain opt-ins for future communications.
Keys to Implementing GDPR
1. Invest in data management - If you can’t manage your data you will never be able to comply nor maintain a relationship with your customers. Invest in a solid CRM and marketing software that provides the infrastructure to implement. You must be able to create a data flow map of the data you collect, how you use it and, process it within the company.
2. Obtain Valid Consent - This means:
- Consent must be freely given, specific, informed and unambiguous.
- A request for consent must be intelligible and in clear, plain language.
- Silence, pre-ticked boxes, and inactivity will no longer suffice as consent.
- Consent can be withdrawn at any time.
- Consent for online services from a child under 13 is only valid with parental authorization.
- Data cannot be sold to third parties unless expressly consented to by the individual.
- Companies must be able to evidence consent.
- Delete all contacts in your database you cannot justify legitimate interests for keeping.
- Failure to implement an individual’s request to “opt-out” exposes a company to legal recourse.
3. Maintain the integrity of the individual’s data - This includes the data is:
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as is necessary.
- Stored with appropriate security, integrity, and confidentiality.
- Given to the individual when a copy of what is held is requested and delete the data when they request such.
- Corrected when determined inaccurate.
4. Be transparent and conspicuous with privacy notices - Companies must be clear and transparent about how personal data is going to be processed, by whom and why.
6. Conduct a cyber attack/data breach review at least annually - Your assessment should include:
- Assess the overall risks in the cyber world you operate.
- Identify what data you collect, where you store it, what format is it in, how it is accessed, and how might it be misused.
- If you have third-party vendors who use your data to provide services, determine if they might be a link to access your data in a cyber attack.
- What regulations apply to your business regarding data security?
- Do you have an end-to-end incident response process?
7. Have policies and people in place for implementing and managing - A company may need to designate a Data Protection Officer, have accountability procedures in place and adopt governance measures to ensure your company is complying. Data collected on individuals in the EU cannot be transferred unless you have at least an approved certification mechanism in place, e.g. EU-US Privacy Shield in place.
GDPR is basically what consumers have been asking for. Based on findings from Accenture Interactive consumers want three conditions met in return for giving you their data.
It’s time to rebuild trust with our customers and prospects.
- "20% of US consumers believe they have been affected by data misuse."
- ".... nearly half the consumers we surveyed believe that companies are neither being honest about their use of data nor taking adequate steps to protect it."
- "71% to 79% of the surveyed consumers said they would be unlikely to share or let data about them be used by a company they did not trust."
- "In the US, customers who are aware of and concerned about a data misuse reduce their spending by about a third in the first year."
The above are findings of a new 8,000 sample survey from the Boston Consulting Group (BGC).
Misuse of Data is Costly
GDPR will be fully enforced from May 2018 and, yes, failure to comply could result in a €20 million fine or 4% of global turnover. The operative word is ‘could’, the regulation was not envisaged as a stick to beat up companies.
Rather, the point of GDPR is to create trust between companies and people regarding personal data. Consumers do not make a decision that a company is handling their data privacy based on whether it is complying with legal and regulatory requirements (which change quicker these days than in previous).
Consumers will render a judgment based on their perception of whether the company is using their data in a truthful and appropriate manner given their point-of-view of the purpose provided and in what manner provided. Lengthy legal agreements will not be a foundation for a defense. Unless your company sells a product that holds a monopolistic position with consumers, the findings indicate they will render a verdict with their pocketbook.
If we want to improve our marketing through personalization, then people need to know they clearly consented to it, the information they provided is going to be used for legitimate purposes and you are serious about protecting the data in your control.