The GDPR & How It Will Affect Your Business’s Marketing
What is the GDPR?
The General Data Protection Regulation or GDPR is legislation that is coming into effect on the 25th May 2018. It is a new EU regulation that is attempting to unify how countries in the EU approach data protection and the security of personal information. And, despite Brexit, the UK is very much included in this new regulation, as any country that wants to trade with countries in the EU must be compliant.
The GDPR aims to give citizens of the EU greater control over their own data, and to give them confidence that their personal information is being protected by the companies they choose to give them to.
What does the GDPR mean for your business?
The main way that this could affect you and your business is regarding the collection, use and transferal of personal information. Think about those email pop-ups on your website, those details your customers enter when they place an order, and your CRM system containing the contact information of all of your clients. All of these are examples of collecting data, which will now be being heavily controlled and regulated, with severe penalties for those that do not comply.
Personal data includes:
- Names
- Photos
- Email addresses
- Bank details
- Updates on social networking websites
- Location details
- Medical information
- Computer IP addresses
Let’s delve a little deeper. What rights will the individual be given with regards to their own data?
- The right to access. Citizens will have the right to request access to their personal data and ascertain how their data is being used by your company. You also have to provide a copy of the personal data that you have on file for an individual, for free, if they request it.
- The right to be forgotten. Individuals will be able to request that their data be deleted by your company, with strict penalties if you do not oblige.
- The right to data portability. Your customers will gain the right to obtain their personal data and transfer it to another service provider. For example, a bank would be required to give their customer access to their own data (in a commonly used and machine readable format like a CSV file) for them to accurately ascertain whether they are getting the best possible deal from the bank on a third party comparison website, and to switch if they are not.
- The right to be informed. Your business will have to be very transparent in informing individuals when you gather their data. Customers will have to opt in, perhaps double opt in, to give their consent. It is thought (but not confirmed) that the company would have to have a double opt in for a newsletter sign up for example, which has some important implications for your email marketing, especially if you’re currently collecting email addresses with an auto selected tick box.
- The right to have information corrected. Individuals will have the right to update their personal data if it is incorrect or out of date.
- The right to restrict processing. When an individual restricts the processing of their data, you are allowed to store it but not use it in any way.
- The right to object. An individual will have the right to stop the use of their data in your direct marketing, and the use of their data must desist immediately on their request. This must be made very clear to individuals at the point that you collect their data, and also must be a very simple process to implement. This means that any complicated and overly long unsubscribe processes (are you sure you want to unsubscribe? Are you sure you’re sure?) will result in penalties.
- The right to be notified. If there has been any kind of data breach which has or might put personal data at risk of being compromised, the affected individuals must be informed within 72 hours of the discovery of the breach.
So, what does your business need to do about the GDPR?
According to Dell & Dimension Research, 97% of companies don’t have a plan in place for when GDPR kicks off in 2018. So, we thought we would share a few examples about what your company needs to do prior to the regulation being enforced, with reference to your website and your marketing. Note, this is in no way an exhaustive list of what needs to be implemented, only a few examples of some of the things you must change. For more information, please see the official EU GDPR website on https://www.eugdpr.org/
Email Marketing
In order to sign up for communications from your company, prospects will have to fill out a form or actively tick a box and then confirm they would like to sign up in a second email. The consent to be communicated with must be recorded and time stamped in case the data collection is questioned in the future. The process to unsubscribe must be simple and instant.
eCommerce
If you collect payment information on your website, previously you could outsource your data collection and payment processing to a third party payment gateway and absolve yourself from the responsibility of looking after it. No longer. Now your company has to show proof and clearly explain that you know exactly what is happening to those details when they are collected by that third party. Although collecting payments is always, by its very nature, explicitly asked for, when GDPR comes into force this ask also needs to come with a very clear statement about where your customers data goes, and who is responsible for storing and processing the data. The privacy policy of all third parties must be easily accessible on your website. Once GDPR is implemented, organisations also need to make their customers data available for download by that customer. Whether this must be available for download from their customer log in on your website is yet to be determined- you may just be able to provide this once it is asked for. We are trying to find this out for you!
Buying Data
If your company buys personal data for your sales team or for your email marketing, the data will have to be qualified by your company before you are allowed to use it. This means you will have to give the contacts on those lists the opportunity to opt out of being contacted by your company. Even if you bought the list from a vendor, it is your company who is responsible for gathering the consent of the individuals.
Again, when they give their permission to be contacted, this must be recorded and time stamped, and it must be detailed which bits of their data they have consented to being stored.
Trade Shows & Exhibitions
Particularly in a B2B business, it is very common to collect or exchange business cards with a new contact, then get back to the office and add them onto a database or CRM system. Due to there not being a double opt in with this method, this will no longer be allowed under the GDPR. How they are going to enforce this, we do not know.
Privacy Policy
Your privacy policy must be easy to understand (think: layman’s terms) and easy to locate on your website. Make sure it is updated according to the GDPR before the 25th May 2018.
Cookies
You’ve been on websites before that have a pop up that lets you know that cookies are being collected. These will no longer be sufficient, as the person is not truly being given free choice, as they have already landed on your website. Under the new rules just visiting your website for the first time won’t qualify as consent for processing visitors’ data, even if you provide your visitors with information like “By using this site, you accept cookies”. Cookies will need to be disabled by default until the user clearly accepts the use of cookies. This is unless they are definitely required for the operation of the website. It will also be necessary for the user to be able to choose what their cookies are used for (and also what they are not allowed to be used for). In other words, a user must be able to say: “I want cookies enabled for saving my log in details, but never for targeted advertising”.
Third Party Vendor Code
Most website/app operators don’t know about the many direct and indirect vendors who contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors. You or at least your marketing team need to understand exactly what information is being collected and state this very clearly in your privacy policy & in your opt in. For example, do you collect IP addresses and device ID’s? If so, you must make this clear.
What happens if you don’t act?
Without sounding too ominous, the penalties for companies found to be in breach of the GDPR regulations are severe. You could be fined up to 4% of your annual global turnover or 20 million euros, whichever is greater.
So, you need to start putting the necessary procedures, protocols and physical amendments to your website or apps (also across your whole company, HR, IT, Sales… every department collects data in some way!) in place now so that you are compliant come May 25th 2018.
And if you need any help with the marketing side of things, if you need any amendments making to your website, or you need help with anything at all, you know where we are.