The Impact of GDPR on Marketing, Industry and Business
If you haven’t heard, the General Data Protection Regulation (GDPR), a comprehensive set of EU-wide rules covering how personal data is collected, stored and protected, comes into force on 25 May 2018. Data collection has grown enormously since the Data Protection Act was introduced in 1998, and after two decades the law needs an overhaul.
The explosion of data-driven and hyper-targeted marketing has meant companies large and small are holding reams of personal customer data.
Who does it affect?
Every company that collects and stores personal information. As the ICO puts it on its website: “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”
Depending on the type and size of business you run, you will have different responsibilities under the GDPR. For example, if your company has 250 or more employees, you will have to keep a written record of the data you collect and process, and why (smaller companies must do so too if their processing is more than occasional or involves sensitive data). Furthermore, some categories of data attract stricter rules than others: health data, for instance, is treated as a “special category” with tighter conditions on processing than ordinary financial or contact data. It’s worth reading up on the particular effects the GDPR will have on your industry.
As with any regulation, there are penalties for not abiding by it. WIRED has a good overview that covers absolutely everything you need to know.
That sounds a bit wonky, how does it affect Marketing specifically?
The good news is that if you are using best-practice marketing techniques that lean on transparency and customer consent, you’re probably already compliant! The bad news mostly falls on companies that are using shady, outdated marketing methods. As HubSpot puts it:
“Those companies which have put their own needs ahead of consumers and indulged in shady or outbound tactics are in for a shock. Their world is going to change dramatically as the GDPR will hasten the demise of marketing tactics like buying lists, cold emailing and spam.”
So what do I need to do?
If you’re doing your digital marketing right, in a way that earns trust and targets your audience effectively, you should be following the principles below already. If not, you’ll have to do so from 25 May 2018, so listen up:
Be Clear and Transparent
Any organisation collecting customer data via a form must clearly communicate to the customer what that data is going to be used for.
So if your website collects customers’ email addresses via a form, that form needs to clearly explain what you are going to do with that information. This is particularly important when collecting data in return for gated content, for example.
And pre-ticked ‘consent’ boxes? Don’t even think about it. Consent under the GDPR has to be a clear, affirmative action by the customer, so a box they have to untick doesn’t count, and neither does silence or inactivity.
This is great for consumers because they won’t receive any marketing they haven’t expressly consented to, and it’s great for businesses because it means you’re only contacting customers who want to hear from you. That builds trust and makes your marketing more effective (and you can impress your boss with improved open rates!).
Minimise Data Collection
Under the GDPR you are only allowed to gather as much personal data as is relevant and necessary to achieve your stated aims.
Asking a customer their height and weight might be relevant for a personalised tailoring service, for example, but would be a bit invasive (and non-GDPR compliant) for an interior decorator. This is already the best way to approach data collection; the less data you request, the easier it is for customers to sign up, and the less likely it is they will be put off by invasive questions.
Limit Purpose and Usage
So if you’ve told your visitor that you only need their email address so they can receive timely product updates and promotions, you can’t very well sell their data to a third party without asking their permission first, can you?
Just as customers need to opt in to data collection for the initial purpose it’s being collected for, they will need to opt in again before you use their data for any further, unrelated purpose.
Keep It Secure
This may sound obvious, but any customer data needs to be kept secure once collected. The GDPR states that companies must implement “appropriate technical and organisational security measures” to protect personal data. The regulation deliberately doesn’t prescribe specific technologies; what counts as “appropriate” depends on the sensitivity of the data and the risk to the people it describes. In practice, for a marketing database, that means data should be encrypted in storage and in transit, accounts should be protected by strong authentication, and only the members of staff who actually need it for their job should have access to it. If you use third-party tools (an email platform, a CRM) to hold customer data, check that they offer the same protections, because you remain responsible for it.
Keep It Accurate
This one is a win-win for customer and company; under the GDPR, consumers have the right to have inaccurate information about them corrected. On a basic level this helps you deliver, and helps your customers receive, your communications with fewer bounces.
Retention and Deletion
Once you have the customer’s data, it’s your responsibility to hold on to it only for as long as is necessary, in line with a data retention policy you have actually written down and can justify. Once a customer has unsubscribed or stopped using your services, you should keep their data only for a limited period afterwards, not indefinitely.
Similarly, and this might seem obvious, if a customer asks you to delete their data from your records, you need to follow through on that request, confirm with the customer when you have done so, and pass the request on to any third parties you have shared the data with.
I already do all of that, am I sorted?
Probably. Again, it depends on your industry, company size, and the data collection techniques you use. The Information Commissioner’s Office is responsible for policing the GDPR in the UK, so you should treat their advice as the ultimate source of guidance.
The GDPR comes from the EU, what about Brexit?
Don’t count on Brexit letting you off the hook.
Firstly, even after the UK leaves the EU, the UK will carry the majority of existing EU law (as it stands at the date of exit, expected to be March 2019) into UK law; that is the main purpose of the European Union (Withdrawal) Bill currently being debated in Parliament.
Secondly, the GDPR’s requirements are being written into UK law through the Data Protection Bill, which will come before the House of Commons next year.
Finally, even if the GDPR weren’t about to become the law of the land, marketers should heed its guidance.