With your business facing a potential fine of £20M or 4% of your turnover, compliance with the 2018 General Data Protection Regulation (GDPR) is a critical issue for your company to be addressing. In particular, the legislation will change a number of aspects of digital marketing compliance. These include:
- the definition and implementation of opting in and consent
- transparency about the use of cookies in activities like remarketing
- what your privacy policy needs to cover and how it should be written
- keeping a record of how you got the data, where from and how long you are keeping it for
It’s on the minds of marketers and digital marketers alike, and despite all the negative implications being discussed, we believe that although it does bring about some challenges, these are actually opportunities for marketers and their businesses.
Disclaimer
This post aims to offer insight into how the regulation will impact Marketers and in particular, the work of Digital Marketers. These are our recommendations and suggestions based on the research that we have undertaken, but in order to ensure full compliance, we would advise that you seek legal advice and take the time to conduct some further reading on the subject yourself.
GDPR – What Is It?
The General Data Protection Regulation (GDPR) is a series of changes to the way that data is captured, used and managed, for all individuals in the EU.
The purpose of this regulation is to give all individuals increased control over the data that can be captured and used about them.
When Will It Come Into Force?
25th May 2018
This is the final deadline and there is no transitional or grace period after this date.
Who will this affect?
Broadly speaking, the regulation will affect everyone, but there are some specific points that Marketers and Digital Marketers should be aware of.
Any organisation that holds, collects or uses customer data for their marketing or business communications will need to review their processes and ensure they are compliant by the deadline.
GDPR Fines
Worst case scenario, the associated fines of non-compliance are up to €20 million or 4% of your global turnover, whichever is greater.
What Do We Need to Do as Marketers in Order to Comply with the GDPR Regulations
Due to the nature of digital marketing, there are many areas that will be affected by the GDPR changes and should be taken into consideration now, to make sure that you comply.
Email Marketing
Think about how and when you are going to contact your existing database to encourage them to ‘opt in’ to future emails. Offering them something in return for opting in, such as a whitepaper or a piece of content, may prove to be an effective method. However, opting in would still need to be an optional tick box, otherwise the consent would not be freely given.
Things to cover in a re-engagement email:
- How you got their personal details
- Why you are contacting them
- What sort of content you will send them in the future if they opt in
- How they can update their communication preferences and opt out
Re-Marketing
This works by using cookies to track your activity online. You will specifically need to outline in your privacy policy that cookies are being used in this way.
Website Forms
Forms must no longer include pre-ticked boxes, as this is considered implied consent and not freely given.
Offering rich downloadable content on your website has always been an effective way of collecting data to use in future campaigns. However, the ‘thank you for downloading’ completion pages are a good place to gain consent. A simple click through call to action, to ‘opt in’ would work well here.
Social Media Advertising
If you are planning to use email addresses to build lists for social media targeting, then you will also need to tell users about this. They will need to opt in and also be offered the option to opt out. Marketers will therefore need to obtain consent for the data to be used on social platforms, and the social platforms are then also responsible for the safety of that data.
Cookies
Under the 2011 Privacy and Electronics Communication Regulation, advertising the use of cookies and requiring their acceptance became law. Your privacy policy should also outline the use of cookies and what the information collected will be used for.
Users also can opt out of cookie tracking in their browser’s privacy settings.
IP Tracking
There are many software providers that will give you a tracking code to embed on your site, so that they can provide you with identifiable details of your visitors. This is different to the anonymous data that can be found in Google Analytics. You will need to make sure that any IP tracking you do is also stated in your privacy policy, as IP addresses are classed as ‘personal data’.
Privacy Policy
The GDPR says that your privacy information must be:
‘concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.’
The ICO provides some information on what should be included in a privacy policy and this can be viewed here.
It would be wise to revisit your existing privacy policy (if you already have one). The key point here is that the language used is simple and easy to understand, as jargon will not be acceptable under the GDPR rules.
Click here to see the Hallam privacy policy on our website, as an example of how this could look.
The Challenges of GDPR for Marketers
Consent is not Forever
We have all been there; you spend ages crafting the perfect campaign to drive traffic to data capture forms, which encourage the user to fill out their valuable personal data, so that in future you can use this for further Marketing activities. However, under the new rules of the GDPR, the consent of the opt-in from the initial campaign does not mean you have consent to email the customer about all further marketing activity.
Implied Consent
It is no longer acceptable to have a pre-ticked box on a form. The individual must freely and willingly opt in to receive further information.
Using Bought Data
Consent must be gained from the individuals on the list of bought data within a reasonable time frame or on the first correspondence. Just because the third party has gained consent does not mean that you are covered.
The Opportunities of GDPR for Marketers
More Quality, Less Quantity
The potential results you will be able to achieve from your marketing campaigns will be much more relevant, as those individuals are engaged with your content and have specifically opted in. This in turn should deliver higher click through and engagement rates, which can only be a good thing.
Raising the Profile of Marketing Within an Organisation
If your Marketing team are able to successfully deliver guidance on the GDPR to the rest of the business and explain the importance of handling personal data sensitively, then it may highlight the important role that Marketing plays within the organisation.
Out with the Old and in with the New
Sorting through the dreaded data is something that we are all guilty of putting off. However, preparing for and adhering to the GDPR regulations will mean that you finally have to take the bull by the horns, as it were, and make sure that the data you hold is up to date.
Educating Others in Your Organisation
Although the GDPR regulations are the hot topic on the minds of Marketers at the moment, this is something that the rest of your business also needs to be made aware of and aligned with.
It is worth your data handlers/marketers spending some time familiarising themselves with this new regulation and then reviewing the internal processes, so that they can make recommendations to the rest of the business.
It would also be useful to provide the rest of your business with some information on the GDPR, so that everyone can be made aware of the upcoming changes and how it may affect them.
I have suggested some further resources below, which may be useful as a starting point.
To re-cap
Time is ticking and May 2018 will be here before we know it.
It is best to start thinking about the implications of GDPR for your business now, so that you are not caught out next year.
GDPR Marketers Checklist:
- Think about your ‘opt in’ campaign and how you can gain consent
- Review your current data and whether or not you would be able to show where consent was gained for these contacts if you were asked
- Revisit your privacy policy and make sure that it is easy to read and covers all relevant areas
- Update all the forms on your website so that they are in line with the regulations, e.g. no pre-ticked boxes
- Investigate how best to store information on how consent was gathered using your CRM. This will be different for each CRM and may need some technical assistance
- Decide how you are going to offer individuals the chance to view, update and remove the data which you hold about them. For example this could be a section of the website that you are able to log in to and then amend the details.
- Decide on how long consent is valid for in terms of your business and also a process for gaining consent after this time period is up
- Think about marketing methods alternative to email. There is no denying that GDPR will provide some challenges for those companies that have relied heavily on email marketing, but there are other ways to contact your contacts.
Further information
If you are unsure about anything relating to GDPR and your business, we would advise that you seek some independent legal advice.
Additionally, there are lots of online resources that offer further advice on this subject, some of which I have outlined below.
We are also happy to talk through our comments on GDPR. If you would like to discuss then please give us a call or leave a comment below and we will get back to you as best we can.
Online resources
The ICO has compiled the below documents:
12 steps to take to prepare for the GDPR
An overview of the GDPR