Are you ready for the EU’s incoming General Data Protection Regulation, better known as GDPR?
Well, it comes into effect in in May 2018, but there’s every chance that you’re not 100% prepared quite yet. According to figures published in Computer Weekly in October this year, more than 40% of marketers still feel that their organisation isn’t ready for the upcoming changes to the data protection rules that are going to affect how we communicate with customers, capture lead information, and how we do our jobs in general.
Other surveys show that GDPR preparation is even further behind. Smart Insights, for instance, surveyed over 200 people, and only 6% said that their company was ready for GDPR.
But let’s take a step back a moment and answer an important question before we continue.
What Is GDPR?
The EU’s new General Data Protection Regulation is a big deal. And let’s just be clear from the outset: forget about Brexit – GDPR will have huge implications for practically every business in the UK even after we leave the EU.
Indeed, it doesn’t matter whether or not your organisation is actually located within the EU itself. What matters is whether or not your organisation does business with people or other organisations which are in the EU, or indeed if you handle any form of data that is at all concerned with EU residents. There will be a new data protection bill in the UK after Brexit, though it will implement the vast majority of GDPR – and in any case, GDPR will still affect how UK businesses handle EU residents’ data whether we’re in the EU or not.
What this means is that even if you just have a contact form on your website through which you can capture personal data (such as names, email addresses, etc.) from EU citizens, GDPR affects you.
But what is GDPR?
Well, in a nutshell, GDPR is a regulation that provides a new framework for data protection laws. In the UK, it will replace the 1995 data protection directive, which the country’s current laws are based upon.
The objective of the regulation is first to give greater data protection and rights to individuals, and second to “harmonise” data privacy laws across Europe. And that second point is important – GDPR is a regulation, not a directive. Directives are enforced by individual countries, whereas GDPR is a regulation, meaning that it will become law in all 28 countries across Europe as of May 25th 2018.
However – here’s the bit where your ears need to prick up. The risks of noncompliance are huge. Seriously huge.
Are you ready…?
The penalty for infringement of articles 5, 6, 7 and 9 of GDPR is a fine of up to €20 million or 4% of turnover – whichever is higher. The penalty for infringement of articles 8, 11, 25-39, 42 and 43 is a fine of up to €10 million or 2% of global revenue – whichever is higher.
Those are serious figures indeed…
How Will the Incoming GDPR Legislation Affect Marketing?
GDPR is a big deal for marketers.
Of course it is – after all, one of the biggest parts of a marketer’s job is to capture the personal data of potential leads, and then use that data to convert those leads into sales.
The incoming changes will affect how we do this in three important ways. Let’s break them down…
Obtaining Consent
In the realm of marketing and communication strategies, social media marketing refers to leveraging social media platforms to promote products and services. Similarly, digital marketing encompasses various online marketing techniques to reach and engage with the target audience. Sales promotions are specific incentives or offers designed to boost sales and attract customers. All these efforts are directed towards achieving marketing aims and objectives.
Starting May 2018, under GDPR regulations, explicit consent is required for any contact you capture in the context of marketing activities. Prior to this, businesses could rely on pre-ticked check boxes, which implied consent and required users to opt out if they did not wish to receive communications. However, with GDPR in place, individuals must take a clear and explicit action to "opt in" to receive marketing communications through channels such as social media, digital marketing campaigns, and sales promotions. This ensures that users have more control over their data and communication preferences.
Indeed, consent, to use the words of the legislation, must be “freely given, specific, informed, and unambiguous” and be signified “by a statement or by a clear affirmative action”.
This means that you can no longer assume consent even if a prospect hands over their contact information on your website – for they must, in addition, give specific, informed and unambiguous consent that their data can be used and that they can be contacted. A pre-ticked box will no longer be good enough – and indeed, this is specifically mentioned in the legislation.
However, an “affirmative action” can include ticking a box to express consent. It’s the action that matters – users must now actively opt in, otherwise it must be assumed that they have opted out, meaning that they cannot be contacted and their data cannot be used.
Also while we’re on this point, the data subject must also be able to withdraw consent at any time – and it should be as easy to withdraw consent as it is to give it.
The Right to Be Forgotten
The purpose of GDPR is not to be a pain in the neck for marketers – rather, to confer more control to individuals on how their data is first collected and subsequently used. And this means that all individuals should have the right to be forgotten – and under GDPR, they will.
To ensure compliance with data protection regulations, such as GDPR, it is imperative to offer data subjects a transparent method of accessing all data collected from them. This includes data obtained through various marketing strategies like search engine marketing and content marketing. Additionally, brand loyalty initiatives may also involve data collection, making it equally important to provide access to such information.
Furthermore, individuals possess the right to withdraw their consent at any time, including their consent for data gathered via search engine marketing, content marketing strategies, and brand loyalty efforts. In exercising this right, they are also entitled to request the erasure and discontinuation of data processing associated with these marketing activities.
By adhering to these principles, businesses can uphold data privacy standards while optimizing their marketing approaches through search engine marketing, content strategies, and fostering brand loyalty among their customers.
All prospects have the right to be forgotten, and you must make it so that they can be forgotten in an instant with no questions asked.
Data Focus
The third part concerns what data can and cannot be collected.
Let’s face facts here – many marketers can be guilty of asking users for a little more data than is actually needed. If someone’s subscribing to your newsletter, for instance, do you really need to know what they had for breakfast, what their favourite movie is, or what their preferred social network is?
In most cases, the answer will most likely be – “probably not”.
Of course, we like this data because it helps us build up a better profile of our prospects which allows us to market to them better. However, under GDPR, we will have to legally justify the processing of the data we collect.
So, what this essentially means is that we can only focus on the data that we actually need (no more inside leg measurements (unless you’re selling jeans)) and will have to let everything else fall by the wayside.
Over to You
So, are you ready for GDPR?
In 2018, GDPR brought significant changes to marketing. Every marketing department had to adapt their strategies and campaigns to comply with data protection regulations. Internet marketing and inbound marketing faced particular challenges due to their data collection practices. Marketers had to ensure transparent data handling and obtain explicit consent from individuals before using their data. This led to a new era of ethical and privacy-conscious marketing practices under GDPR.
The deadline for compliance is only in May, so if you’re not ready, you haven’t got very long left. You’ll need policies in place as all businesses are subject to random audits at any time, and if they are found to be non-compliant – even if no actual complaints have been made – they will be subject to the astronomical fines outlined above.
However, so long as you can always prove that you are GDPR compliant, are obtaining consent in the correct manner, are giving individuals access to their data and the right to be forgotten and only collecting the precise data that you actually need, you should be ok.
Even if you don’t hire in a dedicated data protection officer, becoming GDPR-compliant will still cost you time and money. You will need to train and educate your team, adjust your systems and procedures, and document your policies in case a dreaded audit should come knocking on your door.
We leave you with this six step guide for GDPR compliance from Computer Weekly.
If you need help preparing for the incoming GDPR legislation, get in touch with inbound marketing experts at Incisive Edge today.