GDPR – General Data Protection Regulation – comes into effect on May 25, 2018.
At the heart of this new regulation are three core principles on how you collect and manage your customer and prospect data. These are:
- The proof that you have opt-in, fully informed consent to use the information
- The right for those whose data you collect to have transparency
- And the right for them to be completely forgotten altogether
Whilst implementing these principles is going to be a challenge, it’s long overdue, finally bringing 1995’s data protection rules into the digital age and safeguarding individuals everywhere throughout Europe.
So here’s a little more on each of these principles:
This is the principle with the biggest impact and there are 3 points here to take into account.
Point i: Opt-out has been the norm for so much of digital marketing. But this largely ‘assumed consent’, where you have to untick pre-ticked boxes, will no longer be allowed under the new rules. The Information Commissioner’s Office (ICO) states clearly “failure to opt-out is not consent”.
Under GDPR, explicit opt-in consent (freely given, clear and identifiable) will be required for all marketing communications. So you’ll need to gather opt-in consent from all your existing customers and prospects on your databases.
If you can’t prove you have consent that clearly matches how you intend to use the data, then that data will be unusable. Which takes us to the next point.
Point ii: Intent – the concept that a person “must have known beyond all reasonable doubt…” is at the heart of informed consent under GDPR. If you’re using a customer’s data, you’ll need to be able to prove you have unambiguous, informed, contextual consent related to that specific usage. No more general opt-in phrases such as ‘contacting you from time to time with other information…’ or ‘share your data with other selected organisations…’.
Point iii: This consent is going to be a challenge when everyone is asking for it at the same time. So act now to get ahead of the game.
Because customers can ask to see the data you have collected on them, you’re going to need to have highly structured storage systems, processes and methods to easily retrieve it, and then provide it to the customer within the stipulated 30-day time period. There will be penalties for failing to comply.
And many of your customers or prospects could be asking for this information, particularly if you’ve sailed close to the wind on the first principle. A recent survey by Macro 4 found that 52% of those asked would make an information request if they believed an organisation to be holding information they hadn’t agreed to.
But there is a benefit to this transparency. The same study found that 42% of those asked would be more likely to use a company that made it easier for them to know what information it was holding about them, and how it will be used.
3. Forget About Me
This is about invisibility – and requests to have that data removed entirely. This means that not only are you going to need to be able to rapidly retrieve individual customer and prospect data and provide it to them but, if they should then ask you to, you’re going to need to be able to delete all of it on demand, and prove that you’ve done that.
The new regulations won’t allow for any excuses, so if you have residual information stored in data warehouses, on salespeople’s CRM or even in address books that you didn’t know about, you’ll be in trouble.
This means you’ll need to know where you’ve got what information, and who has it.
Of course, there’s much more to GDPR and much about it remains unclear. And all the commentators note that it’s likely to be made clearer by case law. But with fines now set at up to €20 million or 4% of annual turnover – whichever is the higher – you need to ensure you’re not the one making that case law.
So the best course of action is to get on with preparing as soon as possible and, perhaps, to demonstrate your integrity. Use GDPR as an opportunity to build trust with existing customers, win new ones, and all the while improve the quality of your data.