A marketer’s guide to GDPR
How to get protected, not penalised
Today’s typical marketing organisation is awash with data. It drives so many of the strategies and techniques we take for granted, from successfully targeted campaigns to serving up relevant content to recognised website visitors.
You’d have to be living under a rock not to know that the new EU General Data Protection Regulation (GDPR) is looming. With many marketing teams already stretched for resources, we want to help you get a firm handle on how you’ll be impacted when the new legislation takes effect on May 25th, 2018.
It’s worth remembering that the penalty for a GDPR breach is set at up to €20 million or 4% of worldwide turnover, whichever is higher. That makes knowing how to stay on the right side of this new legislation a real priority.
We’ve pulled together a quick overview of three key areas that urgently need locking down – data consent, data access and data relevance – and suggest practical actions you can take to protect your marketing operation going forward. It’s worth noting that after Brexit, EU GDPR mandates will also be transferred into UK law, so now really is the time to get your data in order.
Consent and the new positive opt-in
The golden era of pre-ticked boxes and automatically opting people in to communications is over. To quote the Information Commissioner’s Office (ICO), under GDPR, you need to actively seek consent from each individual, confirming in a “freely given, specific, informed and unambiguous way” that they want to receive promotional material and other information from you. “There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.” This rule extends to your prospects, customers and anyone else you contact through your sales and marketing activity. You also need to store that permission and be able to quickly produce it as evidence.
Data access and the right to be forgotten
The new guiding principle is that an individual’s data belongs to them, not you. The onus is on you to promptly deal with information that is outdated or inaccurate and to give people control over how their data is collected and used, letting them review and remove it from your databases if that’s what they want to do. The practical way to achieve this? Include a simple ‘Unsubscribe’ link in your email marketing template and offer links to a user profile that lets individuals manage their email preferences. If a request for data removal is received, don’t forget to remove all ghosted copies of that data too, across your systems.
Data relevance and only collecting what you need
Under GDPR, you need to be able to prove why you need every piece of personal data you request and collect about an individual. It’s therefore safest to only collect the basic information you need to deliver whatever the contact has requested and avoid scooping up other bits of information as you go. It makes for safer profile building.
Beware: It’s easy to make mistakes
The ICO has already made two incidents public. Both involve household names who have flouted existing data privacy laws in their attempts to get ready for GDPR. As Steve Eckersley, ICO Head of Enforcement, has warned: “Businesses must understand they can’t break one law to get ready for another.”
Last August, the airline Flybe sent more than 3.3 million emails to people who had opted out of communications from the firm. The email, titled ‘Are your details correct?’, asked recipients to amend out-of-date information and update their marketing preferences. The email also said that by updating their preferences, people may be entered into a prize draw. The airline was fined £70,000 for breaking the Privacy and Electronic Communications Regulations (PECR).
Honda Motor Europe Ltd also sent 289,790 emails aiming to clarify marketing choices, asking “Would you like to hear from Honda?”, but the list included those who had already opted out. That mistake cost Honda a £13,000 fine.
Good luck getting ready!
At Fluro, we’re always here to help our customers stay compliant. We’d also recommend the ICO’s website as a great resource. Why not take a look at this 12-point checklist that they’ve created to help you prepare?