This article is for general information and should not be construed as legal advice. Please consult with your attorney for specifics on how the GDPR applies to your business.
You have likely heard a lot of buzz concerning the European privacy regulation GDPR (General Data Protection Regulation), but what does it really mean for digital marketers? After all, digital marketing involves the collecting and analyzing of data from customers and potential customers.
Will the GDPR put an end to those practices? No, but digital marketers and advertisers will have to be ready for May 25, the day when GDPR is going to come into force.
Even if you don’t have customers in the EU, you may have obligations under the law. If you have even one subscriber from a European nation, you are on the hook for GDPR compliance. And with penalties of up to 4% of global annual revenue, you don’t want to take any chances.
There are three main spheres of influence that GDPR will have on marketing processes.
1. Getting Consent
Everyone who has read at least a bit about GDPR knows about the “clear explicit consent” that companies will have to obtain when collecting personal information. Companies must state in a clear and unambiguous way how they plan to use the information collected and obtain a clear affirmative consent. This includes having email newsletter subscribers consent to each type of email you plan to send. You can no longer send other marketing emails to them unless they specifically consent to them.
Usually, it looks like a list of statements with a tick-box next to each of them. Firms are not allowed to add pre-ticked boxes next to user agreements or opt-ins to newsletters. Users have to tick them manually.
Remember, the GDPR is retroactive, so if you have collected email addresses in the past in a way that does not align with the GDPR, you’ll want to have subscribers re-consent.
If you use cookies to track visitors, you should get consent for that as well. Implement a pop-up that lets visitors know that you use cookies and explain how it enhances their user experience. They should be given the choice to accept or refuse cookies.
2. Data Access and CRM Platforms
Businesses must give users an opportunity to easily withdraw their consent. Companies have to respect this right and tell their visitors how to withdraw consent. Moreover, you need to have a working mechanism in place for that.
Users will also have the right to access any data concerning them that is stored or processed. Therefore, companies will need robust CRM (customer relationship management) platforms that allow them to quickly respond to users’ requests.
As a business owner, GDPR obliges you to keep in mind the user’s right to be “forgotten.” You should remove the personal data of a user once they request it. You can even indicate this right in any newsletter next to the “Unsubscribe” button.
3. Cut Everything and Become Focused
A marketer’s instinct is often to collect more data than they actually need, as it helps to understand the customer better, but the GDPR says that companies can’t store and process excess data. This may not be as scary as it seems, as you can still collect data which is the subject of “public interest,” for example, if you are performing market research.
In any case, marketers will still be able to collect data that is necessary for their activities. It will just need to be more focused.
For marketing specialists, this can actually be more beneficial, as people will more likely answer focused thematic surveys rather than hundreds of questions about everything beyond the topic. Specialists will get high-quality, segmented data that will help overcome the barrier to generating leads.
4. Create and Document Data Breach Procedures
The GDPR requires that you have a written record that specifies how you will protect personal data and how you will handle hacks and data breaches. Make sure you spell this out in your privacy policies.
If the worst should happen and your company is the victim of a data breach, the regulation also requires that you report it “without undue delay.” Make sure you have procedures in place to handle this type of situation.
Moving Forward
With all of that in mind, here are some specific action points for marketers:
- Provide transparency to your users and require a clear grant of consent to use their information. Improve the user experience, making sure that all the statements are written in plain language and can be understood by any visitor.
- Re-work or update your CRM for better interaction with your clients. Access to personal data should be fast and simple.
- Check your mailing lists to ensure that you do not send newsletters to unsubscribed users by accident. You don’t want to find yourself in Flybe’s situation: They were fined 70K GBP for sending unwanted emails.
- Update your privacy policy.
- Implement cookie consent pop-ups.
- Act in accordance with your company’s strategy regarding GDPR. Consult with a DPO (data protection officer), an EU representative, or an attorney. Since each company is different, what suits another company might not fit you.
Which brings us to our final point: This is just an overview of the GDPR. It’s crucial that you continue to educate yourself on the regulation and that you consult with your attorney to ensure your company is compliant with the GDPR.