The following is a guest post by Stella Goulet, CMO of Avanade.
Working on a marketing contract recently made me realize how complicated GDPR can be. Marketers can’t afford to sit back; we need to understand the implications of the European Union’s General Data Protection Regulation (GDPR) and address them now.
If you’re not sure what GDPR is all about, you’re not alone. According to a study by the World Federation of Advertisers, 70% of marketers in global organizations said marketers in their companies were not fully aware of GDPR’s implications.
And if you do know what GDPR is all about and aren’t sure if your company is ready for it, you’re also not alone. Research by Egress found that 87% of surveyed CIOs believe their current policies and procedures leave them exposed to risk under GDPR.
Getting tough on data privacy
Most experts agree that GDPR, which comes into force on May 25, 2018, is among the toughest data privacy regulations to date and will likely set the bar for other privacy laws. Fines for violations may reach up to 4% of a company’s annual global turnover or €20 million (whichever is greater).
Although GDPR is an EU regulation, it doesn’t apply only to European organizations. It applies to any company collecting, processing or holding the personal data of EU residents, regardless of the company’s location.
In addition to GDPR, marketers should pay attention to the ePrivacy Regulation being introduced in the EU. While not yet finalized, it is proposed to come into effect along with GDPR and will govern direct marketing practices concerning electronic communication services.
What are the implications for marketing?
The ePrivacy Regulation will require “explicit consent,” which marketers need to address. This will limit whom we can market to (via email) and whom we can track (on digital properties).
The latter may be more significant. As modern marketers, we want to offer relevant, personalized experiences across our digital channels. If we’re unable to track how users engage with our content and website, we will find it difficult to provide those experiences.
Additional functionality and technology may need to be built into existing platforms to comply with some of the requirements of GDPR and the draft ePrivacy Regulation. For example, EU residents will have the right to view their personal data, receive an electronic copy, update it, and delete it. This could cause an increased burden on the IT team to build this additional capability. And deleted data could affect marketing’s ability to accurately report on our overall effectiveness.
What can marketers do now? Four things:
#1. Build “preference centers.”
To encourage users to subscribe or opt in to specific types of content — versus an all-or-nothing approach — marketers should build preference centers, enabling clients to control how they prefer to engage with you.
For example, clients may opt out of general marketing emails, but opt in to event invitations. Marketers should focus on tactics like gated content, website subscription pop-ups and event subscriptions.
#2. Plan for compliance now. Do all you can to build up an in-house permission marketing database.
- Add opt-in checkboxes and language to all your web forms.
- Include a call to action in as many digital tactics as possible to encourage users to opt in or subscribe to your company’s content.
- Consider more social selling; encourage your sales teams to share content via social media, rather than relying only on email.
- Clean inactive users out of your marketing database.
#3. Invest in platforms and technologies that use company-level data (vs. personal data).
This will provide the ability to offer a somewhat personalized experience. For example, rather than using behavioral data, you may want to leverage demographic or company-level data to personalize based on industry.
#4. Make the most of your marketing automation system.
Organizations that use marketing automation are likely to be in a better position to become compliant. Take the following actions:
- Hold suppression files of individuals who have opted out, preventing future contact.
- Capture compulsory fields of all data coming into the system (for auditing purposes), such as source, program or campaign, and opt-in date and time.
- Set notifications or run ad hoc reports so you can regularly check opt-ins at each place where the data is being collected.
There may be a silver lining
While it’s clear that GDPR and the draft ePrivacy Regulation are complex and will provide challenges for marketers, it’s not all bad news.
The upside is that marketers will be forced to improve targeting and increase their knowledge of clients. As a result, our contacts should be higher quality, enabling us to build trust and closer relationships, and provide more relevant experiences with those who do subscribe or opt in to different types of content.
And that’s a good thing.
Thanks, Stella!
Very good proactive thinking. In addition to simply being compliant, have a strategy to engage your customers in relevant ways that they will be comfortable with.
“Hold suppression files of individuals who have opted out, preventing future contact.”
Note that this might be problematic. You need a right / permission to handle personal information such as email address. If this permission is revoked and you do not fulfill any other right to handle personal data, shouldn’t this information be deleted?