May 12, 2017
GDPR is a new law on data privacy and the law applies from 25th May 2018. To put it another way, you can get fined on 26th May 2018 if you mess this up. The fines are huge. The biggest fine is 4% of your global revenue.
I was at a CMO event this week in Scotland and there was a really interesting conversation about GDPR from a marketing point of view. Scott from Digital Clarity Group led a workshop on it. So I thought I would write up a blog about it.
So, what is GDPR?
- GDPR = General Data Protection Regulation
- It is an EU regulation so it is globally applied. So individual countries can’t “interpret” it – it is the same for all
- It applies to the whole world too – any company trading in the EU and storing data about EU citizens must comply with the law. So even a USA company trading in the UK must comply with the law with regard to the usage and storage of EU citizens’ data
What are the biggest impacts on marketing?
- Consent is required to use a person’s data in any way, shape or form. Not implied consent but explicit consent. In summary, the person has to do an “action” to give their consent. I found a great document on the Information Commissioner’s Office website here. My summary is:
  - It needs to be clear what a person is consenting to – how will my data be used? (emails, data processing, profiling, etc.)
  - They need to tick or check a box (can’t be pre-selected) – it needs to be an action on their part and it needs to be for a specific consent that is clear and concise
  - You need to be able to prove that happened (how/when/what)
  - You must enable them to withdraw consent easily
Style of business consideration
- B2C – generally most B2C organisations have been good at gaining explicit opt-in consent for marketing emails for a while now. So maybe you are OK at least for emails, but you probably need to review data processing/profiling permissions – consent might need to be clearer.
- B2B – quite often B2B businesses are using implied consent for marketing. Red flag time!!! But don’t worry it is not too late – you have till 25th May 2018 to get explicit consent for what you are doing. Do it, do it now. At the very least, get email consent so you can communicate to ask for additional consent!!
Next steps for marketers sweating about GDPR
- Read around GDPR:
- Data audit (of EU citizens)
  - What do you store and how do you use it?
  - Do you have permission to do that? Can you prove that?
  - If in any doubt, re-ask for consent before 25th May 2018
- Marketing audit
  - Review all web lead forms for consent wording / actions
  - Review all cookie permissions for consent wording / actions
  - Review your communications permissions portal if you have one. Is it clear enough? Is it specific enough? Can I remove my consent?
- Appoint someone overall owner for GDPR for “all of it”
  - GDPR applies to more than just marketing. Make sure someone is owning the whole project (other impacts are on data storage, transfer, encryption, data breach notification, etc.)
Don’t worry if this is the first time you have heard of GDPR. You are not alone! I have been to two marketing leader events in the UK this year, and I would say there were plenty of people who hadn’t heard of it yet. However, you do need to start acting now as the window to gain consent is closing.
I honestly think GDPR is an opportunity to pause, take a deep breath and put the customer first. You need to look at why and what you are doing with their data. You need to make sure their customer experience is what they want, with their permission.
Please read the disclaimer, I’m only a Marketing Manager, so the above is only my opinion – you should validate this with a real grown up (preferably with a law degree of some sort).
Disclaimer: Nothing stated in this blog can, or should be considered as legal advice. The research and ideas presented come with interpretation and are intended to be purely informational.
Written by: Duncan Wood, Marketing Manager, Infor