In May 2018 one of the biggest data protection laws to ever hit Europe will be introduced, outlawing the ability to keep personal data of any kind without consent and without evidence of consent.
It’s predicted that on average firms will lose around 75% of their data after the 25th May cut-off date, which will have a catastrophic effect on most businesses.
So if you have not taken any action by now, depending on the size of your database, it’s probably almost too late.
GDPR applies to marketing material, although there can be a little ambiguity around what constitutes ‘marketing’. For example magazines are classed as a ‘subscription’ rather than marketing, however there are other precautions publishers need to make, which I discuss later on.
There are however many unanswered questions, especially in the B2B sector, so in times like this you need to call on those with knowledge and thankfully I have a very close friend who, in her own words, is ‘The marketing champion for GDPR in the UK’, and is responsible for a team of 20 to focus on ensuring they are 100% GDPR compliant for their company which employs 50,000 across 120 countries.
So here, I have taken dialogue from a conversation we had and provided some useful information for those still unsure about what to do:
First, you need to make sure your CRM system has the capability to record consent. Then focus on gaining retrospective consent from your existing data if your existing data collection policies were not GDPR compliant, such as:
- Purchased data lists
- Data collected via forms where users were given the option to opt out rather than in
- Data where you do not have a time-stamped record of their opt-in consent
- Consumer data with only a single opt in touch point and no confirmation email.
For many businesses this is their entire database, so they are currently (or should be) running full marketing campaigns around gaining GDPR compliant consent.
Simultaneously you need to make sure that all your current data collection policies are compliant so all new data collected can be used after 25th May 2018.
There are a number of ‘subtle’ ways to approach this, for example you could run campaigns with special offers, great content, brand new product launches etc and ‘subtly’ say on the campaign something along the lines of:
“If you love our campaigns/products/content etc please take a moment to update your details and give us consent to continue to contact you, otherwise this will be the last time you hear from us” etc
A cunning way could be to let your subscribers know of an exciting new event/product/news story that will take place AFTER May 25, and if they want to hear about it they will need to update their details.
There are a number of ways you can approach this and I’m sure the above examples will give you some inspiration.
A common misunderstanding about GDPR - please do not make this mistake!
Many businesses will make the mistake of thinking:
“All our emails have an ‘opt-out’ link, so our subscribers can just click this if they want to unsubscribe.”
Unfortunately giving people the right to opt out is no longer considered ‘consent to contact’ under GDPR. They need to have ‘opted-in’ to any outbound marketing channel, and you need to be able to demonstrate that your data has opted in, so you will need a system that records all marketing consent opt-ins with a time stamp.
The data in question could be anything but not limited to a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address etc.
If you are contacting consumers, they need to have ‘double opted in’: they have ticked a box saying they wish to receive communications from you, and then clicked a link in an email confirming they wish to receive marketing emails – again, all of this needs to be logged per user, should you ever get investigated by the data privacy council.
You also need to honour ‘the right to be forgotten’: should a person request that their data be deleted, every instance of their data must be removed from all of your systems, unless there is a legal reason to retain some of it.
If your company has a mobile app which has a user registration, you will need to have an opt-in wording, which they tick to say they are happy to receive content from you and it will need to be double opt-in – most apps are feeding this into their user agreement, so essentially, unless people opt-in they cannot use the app.
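The consent ledger described above (time-stamped opt-in, confirmation link for the double opt-in, and erasure on request) can be modelled in a few lines. The code below is an added illustration, not part of the original post and not any vendor’s CRM; the class and method names are assumptions, and the confirmation token is generated with an unguessable random value so the emailed link cannot be forged.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """Evidence of one opt-in for one marketing channel (hypothetical schema)."""
    email: str
    channel: str           # e.g. "email-marketing", "app-push"
    source: str            # where the tick box was shown, e.g. "web form"
    opted_in_at: str       # ISO-8601 UTC timestamp of the tick (step 1)
    token: str             # single-use, unguessable confirmation token
    confirmed_at: Optional[str] = None  # set when the emailed link is clicked (step 2)


class ConsentLedger:
    def __init__(self) -> None:
        self._records = {}        # (email, channel) -> ConsentRecord
        self._tokens = {}         # token -> (email, channel)
        self.legal_hold = set()   # subjects whose data must be kept for legal reasons

    def record_opt_in(self, email: str, channel: str, source: str, now=None) -> str:
        """Step 1 of double opt-in: log the tick with a timestamp, return the token to email."""
        now = now or datetime.now(timezone.utc)
        key = (email.lower(), channel)
        old = self._records.get(key)
        if old is not None:                     # re-tick: retire the earlier token
            self._tokens.pop(old.token, None)
        token = secrets.token_urlsafe(16)
        self._records[key] = ConsentRecord(key[0], channel, source, now.isoformat(), token)
        self._tokens[token] = key
        return token

    def confirm(self, token: str, now=None) -> bool:
        """Step 2: the subject clicked the link. The token is consumed on first use."""
        key = self._tokens.pop(token, None)
        if key is None or key not in self._records:
            return False
        self._records[key].confirmed_at = (now or datetime.now(timezone.utc)).isoformat()
        return True

    def may_contact(self, email: str, channel: str) -> bool:
        """Only a confirmed opt-in counts; an opt-out link in the email is not consent."""
        rec = self._records.get((email.lower(), channel))
        return rec is not None and rec.confirmed_at is not None

    def forget(self, email: str) -> int:
        """Right to be forgotten: remove every record for the subject unless on legal hold."""
        email = email.lower()
        if email in self.legal_hold:
            return 0
        keys = [k for k in self._records if k[0] == email]
        for k in keys:
            self._tokens.pop(self._records.pop(k).token, None)
        return len(keys)
```

In a real deployment the records would live in a database and every transition would be written to an append-only audit log so the evidence survives a later deletion of the live row.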
So what do the GDPR Regulations mean for publishers and data list providers?
As mentioned earlier, subscription-based data is not deemed to be under the GDPR act, however the problem for medias will come when they run marketing campaigns on behalf of their clients, as this will be deemed ‘marketing’ material.
So, if medias do run Direct Marketing Campaigns on behalf of their clients, they need to ensure that this data abides by the new regulation.
Personally I can’t wait for this law to be introduced, as PII has always had a very stringent data policy - we have never and will never sell or purchase any data, and every single subscriber has subscribed at their own will, and we have the right procedures in place to prove this.
So for those medias out there who have built their businesses by buying in data, I can’t wait to report your next marketing email you send to my spam folder - Be warned!!!!
How the GDPR Regulation will shake up Programmatic advertising
This could/will have a huge impact on media advertising - thankfully not so much for us trade medias I'm relieved to say (as if it wasn't hard enough as it is!)
Sending PR to publishers
This is an interesting point, because when we receive PR you are marketing your latest news to us, so is this deemed to be marketing material?
If so, according to the new regulations we need to give you our consent!
So make sure you think twice the next time you reply to Phil with ‘no budget’ or ‘it’s against company policy’ (And I would love to say where that policy can go, but I’ll leave that for another post!)
But I’m sure we all have better things to do than worry about our consent to receive your PR!
Something that I think will really test the longevity of this regulation is competitor companies reporting each other. It will take a lot of resources for the guys at GDPR to investigate large organisations that hold hundreds of thousands of data records, and it will on occasion be like finding a needle in a haystack, so how long will it be until procedures are put in place to ensure reports are genuine and there is no association to the reported company?
And if that ever does happen, how long will it take organisations to find ways around this…?
Lack of support from email broadcasting companies
Something which I have found surprising is the lack of support from Email Broadcasting companies. Of course they are aware of the changes and will provide documentation about how they secure their data, however with regards to notifying their customers I have not had one single email and I use 5 different email services!
The reason for this I guess, is that most email broadcasting providers charge per contact, therefore if what is predicted does happen and businesses lose 75% of their data, this will have a huge impact on their revenues, which could in fact lead to a price rise to level it out.
It will be interesting to see the knock-on effect that this has.
A couple of important details you need to know about GDPR
Data Protection Officer (DPO)
If you process sensitive personal data on a large scale, or carry out systematic monitoring on a large scale, you need to appoint a DPO.
The term ‘large scale’ is not clearly defined in the regulation. According to guidelines from Working Party 29, ‘large scale’ is defined by several factors: number of individuals, data volume, duration of data processing, and territorial range.
One example of large scale processing is the processing of patients’ data as part of routine hospital activities (unlike patient data processing by an individual doctor – this is not considered ‘large scale’).
Other examples of large scale processing are the use of search engines to target personal data for advertising, and processing customer data as a part of the routine sales activities of an insurance company or a bank.
Penalties for Violation
Compared to the Data Protection Directive of 1995, the GDPR has more stringent penalties for non-compliance. If the Supervisory Authorities find any violation of the regulation by an organisation, they have the authority to order corrective action, with or without a fine. Fines can extend up to 2% of global turnover or €10 million for the lower tier of breaches, and up to 4% of global turnover or €20 million for the higher tier, whichever is greater in each case.
Having said all this, it is still unclear if this will apply to B2B marketing at all! The GDPR itself makes no distinction between B2B and B2C marketing.
Currently, B2B marketing emails and texts are permitted to existing customers on a soft opt-in basis, under the Privacy and Electronic Communications Regulation (PECR).
However, the EU is currently revising its ePrivacy directive (which informs PECR in the UK), into a new regulation called the Regulation on Privacy and Electronic Communications.
A leaked version of the regulation brought it into line with the GDPR, only allowing direct marketing by email to those who had given their prior consent. But the latest draft currently awaiting approval maintains the soft opt-in approach for B2B. Pending approval, this new regulation should come into effect on the same day as the GDPR, 25 May 2018.
This leaves B2B marketers stuck between a rock and a hard place. Do you dare to gamble and see if the B2B marketing exemption passes through the EU legislation unscathed? If there are delays, or if it doesn't pass, you have no time left to get compliant. The decision is yours.
I remember when the EU legislation on cookies was introduced there was a lot of noise about this, but does anyone really care about this now? The majority probably not.
So I wonder if this huge investment for companies to ensure they abide by these regulations will be another case of this?
We’ll have to wait and see.
I would love to hear your thoughts on this - have you already put procedures in place to abide by this, or will you be taking a chance and turning a blind eye to it?