In about 18 months the new GDPR, the EU’s long-planned data protection regulation, will come into force. This will require a new level of rigour in gaining permission and data management. Brands that do not collect and manage their data according to the new regulations risk losing permission to analyse that data and to communicate digitally with thousands of their customers.
The recent ruling that, because ‘valid consent’ had not been granted, WhatsApp and Facebook may not share customer data is a taste of things to come.
Brands should start planning now to avoid losing their customer data, being cut off from their customers and risking a fine of up to 4% of global revenue.
This article explains the main implications, and outlines the four key steps brands should start taking now.
There is nowhere to hide
Brands should not assume that being outside the EU protects them. The regulation applies to any data held on EU citizens. So unless you block all EU citizens from accessing your digital space, your data management must comply. The UK has already said that it will comply.
Top-line of the new regulation
Here are the main points and how they will affect marketing.
- Explain very clearly what data you collect and how precisely you will use it.
- This may include tracked, behavioural, attitudinal and demographic data as well as contact details.
- Use simple-to-understand language when requesting permission.
- Include the length of time you propose to keep the data.
- Only use the data for the purposes for which permission was given.
- Explain where you get the data from, including from 3rd
- The user must actively consent. You cannot bury the data permission inside terms and conditions, or use pre-ticked boxes.
- This includes the need to have explicit permission for direct marketing.
- You will need to be able to demonstrate that permission has been granted, and that you are only using it for the purposes for which permission was given.
- You may not keep the data for longer than the period for which permission was given.
- There are further restrictions around collecting and using data from children or when recording data on sexual orientation, ethnicity and health.
- Do not assume that permission needs to be given only once. The user must have ongoing access to manage what data you hold and how it is used.
- You will need to be able to let the customer see what permission they have given at any time (almost certainly without charge).
- They will also have permission to correct any data you hold on them.
- Your customer has the right to be forgotten, so can easily ask you to delete all data relating to them.
- Your customer can ask at any time for their data to be transferred to a different organisation.
- This will make switching to a competitor much easier.
- The data you hold will need to be exportable.
- The relevant authorities will need to be informed of any security breaches within 72 hours.
- Customers must be made aware of any breach that could compromise their privacy.
- This may increase the public awareness of the risks of data theft.
The main effects of the regulation for brands and customers
Although many brands have been good at opt-ins in the past, this new regulation requires another level of openness.
The GDPR will force brands to work much harder at keeping their customers happy. Those that don’t build a stronger relationship may face social-media-fuelled backlashes that drive high volumes of customers to seek to be forgotten, or to transfer their data to a competitor.
Publicity around the new data regulation and potentially around data breaches will help customers understand the value of their data.
- They may challenge what data is collected, and may demand incentives for their permission or withdraw it altogether.
- Seeking reassurance on the security of their data and interrogating how it is used may increase the burden on call-centres, IT systems and staff.
What to do about it
- Start learning now how to convince your customers and prospects to give you the permission you need. Remember, without their explicit, current permission, you cannot use their data.
- Consider running research into how they view the relationship and their data.
- Run tests to see how customers respond to giving permission.
- Keep an open mind and consider plan A and plan B in case customers don’t respond the way you expect.
- Build a customer journey to see where you will need to ask for data, and how you anticipate using it.
- Talk to your Governance / Compliance team early. It’s much easier to sort any issues and to balance the need for data with the need for compliance if the teams are collaborating from the start.
- Work closely now with the IT team to check that they are putting in place all the technologies to enable compliant data management that matches the requirements of the marketing team. If you are not aligned early, you may face a skills shortage nearer the time.
- Look at your existing data early to see what you hold, where it comes from, and what permission you have for using it. It will be much easier to start gathering evidence of permission if you start before there is a legal requirement.
- Customer data will become a brand-defining issue. Consider how your brand will behave in collecting permission and dealing with a more open relationship. This is not about the corporate colours, but about how you behave. Get it right, and you will find that the customer-brand relationship gets stronger. Get it wrong and it can have a lasting effect on your revenue and brand.