D-Day: 25th May 2018. A date many businesses up and down the country have etched in red on their calendars. The day the EU’s General Data Protection Regulation (GDPR) will come into effect . . . whether we’re ready or not.
The landmark decision is set to reinforce existing rights people have on their privacy, and the way their data is stored and used in regards to digital marketing. This will undoubtedly affect the way we do our marketing and use ‘consent’. In fact, according to a report by the DMA, 70% of marketers are concerned about how the ruling will affect their future marketing1.
But with all this talk about GDPR, what is it and what needs to change to make sure businesses aren’t left behind in the marketing rat race?
The Wild West days of data protection are over
In the good ol’ days, companies didn’t think twice about buying briefcases full of names and email addresses; data protection was slack to say the least. Now don’t get me wrong, there were still regulations in place, but your average consumer didn’t know their rights when it came to data protection.
Regulations have improved in recent years, and marketers are much more ‘PC’ when it comes to working ethically with people’s data. And especially now with the importance of segmentation and actionable insight to deliver ROI for the business and value for the customer, marketers are increasingly interested in only contacting those people who want to hear from them.
But this steady increase in awareness and taking ownership of data management best practice is certainly a two-way street - there has also been a shift in the way consumers themselves share their own data. We are all becoming savvier than ever when it comes to who we share our data with and, importantly, why.
Have you ever landed on a website and provided your email address for no reason? No, exactly. Typically it will be in exchange for an e-book, registering for a newsletter or even a discount code on our favourite clothes store’s site.
Customers are still happy to relinquish their data, but in exchange they want real value.
The B Word
Think Brexit will change the outcome for those in the UK? Think again. These regulations are set to continue and become more stringent, despite last June’s referendum.
The UK Government have confirmed that in order to do business with EU countries, UK businesses will still need to adhere to the new guidelines.
Fines
Those who don’t comply with the ruling can be subject to fines of €20M or 4% of total turnover, whichever is higher.
The NCC Group looked into fines from the Information Commissioner’s Office against British companies over the last 12 months, and estimated what these would have been charged if under GDPR.
TalkTalk were slapped with the largest fine of £400,000 following their security failings around customer data. This would have rocketed to £59m2. Pharmacy2U were fined £130,000, this figure would have ballooned to £4.4m2 – a noteworthy slice of their revenues and possibly enough to put them out of business.
Explicit Consent
The DMA revealed 89% of marketers considered email to be the channel that will be the most affected. But before we all run for the hills, what level of consent is required?
The GDPR ruling defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” 3
In layman's terms – customers must be able to provide their data freely, and be able to easily withdraw that same consent as and when they wish. So no more hiding this option in the T&C’s.
And be specific! Customers need to be aware of the purpose of collecting data and who will be processing it. They need to be informed on their rights, such as the right to withdraw at any time and for their data to be deleted when they do withdraw – not just marked with a ‘Do Not Contact’.
Data consent forms should also be kept separate from any other forms, such as consent to share data with third parties.
Implied consent will no longer be enough. This means no more pre-ticked boxes implying the customer is giving their consent. Customers will need to provide you with a clear, affirmative action to provide you with consent to their data being processed.
Sign me up!
Non-compliance is not an option and with the clock ticking, now is the time to think about how you can work with the new ruling and obtain consent correctly.
If you need any help in preparing for GDPR - be honest now - please
1 DMA Insight GDPR and you 2016
2 NCC Group GDPR Impact Analysis 2017
3 Information Commissioner’s Office Consultation: GDPR consent guidance 2017