May 25th 2018 is right around the corner and there’s still some confusion about GDPR and how it’s going to impact your business. No one is immune to GDPR (unless you’re closing business to Europeans). If your business relies on customers to make money, then you want to pay attention, because if you get it wrong, you could end up with a fine of up to 20 million Euros or 4% of your global turnover.
So, let’s start with the basics: what the heck is GDPR? The General Data Protection Regulation is quite simply a regulation in EU law on data protection and privacy for all individuals within the European Union. The word ‘regulation’ means it’s not a directive; it’s the law, it has to be adhered to, and it’s legally binding!
In today’s connected world, personal data is being collected at an incredible rate.
The websites you use, the calls you make, the places you visit and even the photos you take are all recorded, measured and leave a digital footprint – a footprint that is fast becoming a prized resource.
In May 2017, The Economist called personal data “the world’s most valuable resource” ahead of oil, because of how much it now informs the way companies communicate with their customers and how it positively impacts customer experience.
However, because personal data is so valuable, it’s vulnerable to theft or misuse and this has led to consumers demanding to know how companies use and store their personal data. This is because, overall, consumers are not convinced companies are doing enough to protect them.
But, why introduce it now?
The main reason for introducing this now is because the current EU data privacy regulations are still based on a document that was first adopted in 1980 (later updated in 1995).
This means that the data privacy principles that the EU works on are outdated and don’t include considerations for social media, smartphones, or even advanced web technology (i.e. Artificial Intelligence, Virtual Reality, etc.).
Plus, the current regulation is only a directive, so companies (and countries) could easily opt-out.
From 25th May, 2018 this will no longer be the case.
While consistency in data privacy regulations across Europe should be good news for all marketers, GDPR also comes with quite a few challenges that impact marketing teams – especially marketing teams that communicate to customers based in the EU.
How does GDPR impact marketing?
On the surface, GDPR might seem extreme, especially for smaller businesses or solo-practitioners. Realistically though, there are only 3 key areas that marketers need to worry about – data permission, data access and data focus.
Let’s take a look at these individually;
1. Data Permission
Data permission is about how you manage email opt-ins – people who request to receive promotional material from you. You can’t assume that they want to be contacted. In the future, they need to express consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’.
Wait, what does that mean?
In practice, this means that leads, customers, partners, etc. need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted. Therefore, a pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice.
For example, instead of assuming that visitors who fill out a web form want to receive marketing emails from Pink Dot Advertising (left), we now ask visitors to specifically opt-in to newsletters by ticking the sign up box.
The only caveat is when it comes to refer-a-friend programs.
In most cases, refer-a-friend programs work when a prospect or customer enters a friend’s email address in order to claim an offer (i.e. a discount, sale, bonus, etc.). Once they have entered a friend’s email address, an email is automatically sent from the company to the “friend” without gaining explicit consent to contact them. These emails are typically “notifications”, rather than promotional.
Provided this data is neither stored nor processed, it is considered GDPR compliant.
However, if the data is stored and used for marketing communications, then you are in violation.
To be clear:
No marketing communication is to be sent out to the referee’s email address.
2. Data Access
The right to be forgotten has become one of the most talked about rulings in EU Justice Court history. It gives people the right to have outdated or inaccurate personal data removed and has, in some instances, already been implemented by companies like Google, which was forced to remove pages from its search engine results in order to comply.
The introduction of the GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten.
As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.
Practically speaking, this can be as straightforward as including an unsubscribe link within your email marketing template and linking to a user profile that allows users to manage their email preferences.
3. Data Focus
As marketers, we can all be guilty of collecting a little more data from a person than we actually need. Ask yourself, do I really need to know someone’s favorite movie before they can subscribe to our newsletter?
With this in mind, GDPR requires you to legally justify the processing of the personal data you collect.
Don’t worry; this is not as scary as it sounds.
What this means is that you need to focus on the data you need, and stop asking for the “nice to haves”. If you really need to know a visitor’s shoe size and inside leg measurement, and can prove why you need it, then you can continue asking for it. Otherwise, avoid collecting any unnecessary data and stick with the basics.
The cost of failing to comply
The deadline for GDPR in May 2018 isn’t that far away and many businesses have already switched into “panic mode” to make sure they’re compliant way ahead of time. The trouble with this is that this leads to mistakes. And these mistakes can be costly.
Especially as the Information Commissioner’s Office (ICO) starts to clamp down even harder on the misuse of personal data.
In fact, the ICO has already reported three incidents that involve household brand names who tried to use well-known email activation strategies to reach out to their database. The campaigns, which were sent out by Flybe, Honda and Morrisons, asked customers if they wanted to be contacted by email and to update their preferences.
How did they contact their customers, you might ask?
Well, they contacted them by email – even those customers that had previously opted out.
And this is a serious breach of compliance.
1. Flybe fined £70,000
In August 2016, Flybe sent an email to 3.3 million people in their database with the subject line “Are your details correct?”
It sounds like a smart strategy in theory, but unfortunately, these 3.3 million people had previously opted out of (unsubscribed from) marketing emails and thereby gave no consent to be contacted.
The result? A fine of £70,000.
Key take away: If your customers have opted-out of marketing emails, don’t email them – it’s as simple as that. You are breaking the law if you do.
Who is affected most by GDPR in marketing?
If you have customers, then everyone inside your company will be affected by GDPR. But, in the marketing department, there are three roles that will see the biggest change in their everyday work.
Let’s take a closer look at who this affects and how.
1. Email marketing managers
For B2B marketers, email addresses are the lifeblood of lead generation programs.
Often considered the start of the sales process, a user that willingly gives you his email address in exchange for more information, such as signing up to your mailing list or downloading a piece of content, is known as an “opt in”.
This is in stark contrast to firms that buy email lists or scrape (or copy) them from a website. Under the new GDPR regulation, buying lists (or scraping them) will be strictly forbidden.
Ensuring users opt-in to your B2B email marketing campaigns and give consent to be contacted will be a requirement, rather than automatically adding them to your email list and then waiting for them to opt out. While this is best practice today, it will be an EU law in 2018.
2. Marketing automation specialists
Marketing automation can be an extremely powerful tool.
But, it can also land you in trouble with GDPR if not set up correctly.
If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from the ICO if an email is sent automatically to someone who has opted out.
You need to make sure that every name in your CRM database and every email in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, you need to make sure that the two systems are updated so that no further emails are sent. And no, having the next email already scheduled is not a valid excuse.
3. Public relations execs
Pitching new product releases or company information to journalists is no different than marketing to an employee of a business. While it’s possible that the liability for this consent will lie with media databases such as PRweb and MyNewsDesk, journalists will still have to give consent to be contacted by you instead of the traditional email outreach program.
This consent could be given through platforms like HARO, where journalists are asking you to contact them, or through requests made on social media platforms. So if you’re not on those platforms yet, now is the time to sign up!
Of course, if a journalist reaches out to you directly, they’ve expressed interest in talking to you.
GDPR is a golden opportunity for marketers
At this stage, you’re probably thinking that the way you do business will never be the same again.
But, there’s no real need to worry.
Sure, GDPR does sound intimidating and the fines issued by the ICO are enough to make you rethink your entire marketing strategy. But, in reality, this new legislation isn’t a set-back. In fact, it’s a great opportunity for you to do what marketers do best – that is create targeted marketing campaigns with people that are engaged with your brand.
1. Gaining Consent
With GDPR, you need explicit consent to use an individual’s data. Your customers can also ask you exactly what information you have on them, who it is shared with and the purpose it has been used for.
The opportunity here lies in the fact that instead of a simple yes or no option when asking customers about data, you can now provide them with a range of options so that they can find out what they’re interested in. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.
This not only helps to be compliant with GDPR, but it also helps you further segment your customers and focus your communication based on specific interests, rather than sending a “one size fits all” email campaign.
2. Right to be Forgotten
Under GDPR, every individual has what’s called the “right to be forgotten”.
If requested by a customer, your business will need to remove all data you hold on that specific individual, across the whole organization. If you keep data in different places for different purposes, then this can cause issues.
The solution to this is to have a single platform that hosts the consent record of every single user. Having a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you’re GDPR compliant.
The advantage of having a single platform is that it gives your customers the opportunity to switch consent on and off, for different purposes. This, in turn, gives you the opportunity to learn more about your customers and target them with more specific or relevant campaigns.
People do business with other people (or organizations) that they know, like, and trust. Building trust comes through projecting transparency. You have to be upfront and honest about who you are and what you’re doing.
A study by Harris Interactive found that 93% of online shoppers cite the security of their personal data as a concern. You can overcome these concerns by being transparent with data. You need to demonstrate that an individual’s data is being treated with respect and held securely. If you can do that and show that you have your customer’s best interests at heart, then you will strengthen both trust and engagement with your customers.
9 practical tips on GDPR for marketing
In January 2017, Osterman Research, Inc published a paper that found that 73% of businesses are not ready to satisfy the compliance obligations of the GDPR, while a 2016 study by Symantec found that 23% of businesses feel they will only be partly compliant by the May 2018 deadline.
The good news is that there are some things that you can start doing right now to make sure your business is GDPR compliant ahead of May 2018.
Here are nine practical tips that you can get started with right now:
- Start auditing your mailing list now. According to a new study by W8 data, up to 75% of marketing databases will become obsolete by 25th May, 2018 and only 25% of existing customer data meets GDPR requirements. Therefore, remove anyone where you do not have a record of their opt-in. For new subscribers, make sure that the potential subscriber confirms that he or she wants to join your mailing list by sending an automated email to confirm the subscription.
- Review the way you’re currently collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list. In the UK, pub chain JD Wetherspoon took the unprecedented step of deleting their entire email marketing database (more than 650,000 email addresses). In a letter from their CEO (shown below), John Hutson informed customers that all customer emails will be securely deleted. While that might be a terrifying prospect for some, it’s something to consider, as you will then be guaranteed a list of engaged and interested readers.
- Do you create content that is tailored to your potential customers? Invest in a content marketing strategy by creating white papers, guides and eBooks that visitors can access and download in exchange for them sharing their contact information.
- Educate your sales team about social selling techniques. Essentially, sales reps should connect with prospects on social media and share relevant content – rather than trying to reach new prospects by email.
- The time for using Google docs or Excel spreadsheets to store customer data is over. Start centralizing your personal data collection into a CRM system. And make sure your users can access their data, review its proposed usage, and make any changes as necessary.
- Understand the data you’re collecting in more detail. Is it all necessary, or are there elements that you can do without? When it comes to sign up forms, only ask for what you need, and what you will use. For B2B marketers, full name, email address and company name is usually more than enough.
- Try using push notifications. A push notification is a pop up message that appears on a desktop or mobile device. Marketers can use push notifications to send a message to subscribers at any time. However, unlike email marketing campaigns, push notifications do not process personal data (IP addresses are anonymized) and users are required to give explicit consent in order to opt-in and receive notifications.
- Update your privacy statement. Review your current privacy statement and amend the statement accordingly to comply with GDPR requirements. Is the content in your privacy statement difficult to read? Or are you purposefully using terminology so that potential customers do not know what they are signing up to? If so, rewrite it and make it easy to read.
The weeks leading up to 25th May, 2018 are set to be challenging for businesses across Europe and beyond.
GDPR is a big change to the way in which companies operating in EU countries handle personal data, with fines of up to €20 million if you fail to comply. That’s why it’s important for you to seek advice from a lawyer as to what is or is not a legal requirement for your business.
Remember, GDPR isn’t designed to stop businesses from communicating with their customers. GDPR will lead to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture in that it’s an opportunity to delve deeper into the needs of their prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing.
That being said, the rules for GDPR compliance are quite simple – don’t contact someone unless they specifically ask to be contacted. Don’t assume they want to hear from you. Don’t cold contact them, and don’t send them irrelevant information that they didn’t request.
DISCLAIMER: This blog post is not to be considered as legal advice.