Data collection has become such an integral part of marketing strategy that we’ve almost become blind to what it actually means: the collection and storage of personal data in exchange for the ability to send messages. It’s also such a basic strategy play that many assume every country operates the same way. Not so. And it’s about to get more difficult, especially if you’re marketing in Europe.
New European data laws will come into effect in May 2018—just eight months’ time—but one in four marketers are still only in the planning stage of ensuring compliance, according to a survey of major global brands. The General Data Protection Regulation, or GDPR, applies to both “controllers” and “processors”—those who collect and those who store—and is supposed to improve and simplify data protection for EU citizens, residents, and businesses. Anyone who maintains a record of personal data must adhere to strict guidelines to mitigate risk of breaches—which includes data stores in CRMs, marketing automation systems, and so on.
Plus, it applies to processing carried out by organizations operating within the EU, or those outside the EU that offer goods or services to individuals in the EU. Yes, US and APAC companies: You need to pay attention, too.
Adam Rose, partner at Mishcon de Reya, puts it in layman’s terms: “Essentially, it means three key requirements: that people be told their data is being processed, that what they’re told will happen with data is what actually happens, and there are obligations on people who are data controllers to keep as little data as possible for as short a period as possible.
“These rules are broadly what has been in place in Europe for a number of years; the key difference is that, for example, American organizations targeting European individuals will now be regulated as well. Until now if you were based in the US targeting UK citizens from the States, you had nothing to worry about. This law changes so you are now regulated, too.”
If you’re outside the EU, you may even have to appoint a data protection representative, says Jonathan Armstrong, partner at Cordery. He believes GDPR is “part evolution and part revolution”: “The original intention of GDPR was to update the law for new technology and to try and iron out some of the country-specific wrinkles of national data protection law in Europe. This might turn out to be a dream, however; already we are seeing some countries in Europe add to the GDPR regime, for example with the UK’s Data Protection Bill and some of the new criminal offenses that creates.”
And for those who don’t comply? Well, financial penalties, of course—fines of up to four percent of global turnover or 20 million euros, whichever is higher, not to mention the wide-ranging reputation damage a company faces for non-compliance.
It’s scary stuff, particularly when you hear that many decision-makers aren’t even sure what “personal information” is. Trend Micro surveyed more than 1,000 IT decision-makers from businesses across the globe and found:
For the record, personal data includes email addresses, information about web browsing habits, an IP address, phone number, name, postal addresses, date of birth, and so on. Anything that could be used to identify someone is now under GDPR.
More stats, you say? The World Federation of Advertisers (WFA) surveyed major global brands that spend more than $20 billion on marketing annually and found 70 percent of brand owners do not feel marketers in their organization are fully aware of the extent of GDPR; 35 percent of them expect to be non-compliant at deadline day.
So what should you be doing to get ready? The first step is to identify where you are likely to be caught by GDPR; do a data audit that covers the journey data takes from when it’s first collected all the way through to when it’s destroyed. Look at what personal data you manage, how it’s collected, where it’s collected from, what you do with it, where you store it, and who you supply it to. Look at consent mechanisms, review and update privacy policies, and review data inventories. Many global brands are even hiring data protection officers.
Remember, the General Data Protection Regulation is in part an anti-spam measure; it means you can only send electronic direct marketing to individuals who have consented knowingly. This means no more automatically-ticked boxes for opting in to marketing. How best can you capture someone’s true consent?
“One of the things that we might see from companies as a knee-jerk reaction is emails asking people to re-opt in and much more detailed privacy notices and click-through boxes on websites,” says Armstrong. “We know, however, from changes to cookies laws that the unintelligent use of things like click-throughs annoys an audience. Good marketeers will get the balance right between transparency, openness and honesty on the one hand, and concentrating on what is really important to their audience on the other.”
Richard Fitzmaurice is a global CMO and says his team began making a “conscious effort to start preparing for GDPR” in early 2017 by proactively keeping in touch with developments and building relationships with industry experts. “We also hired experienced marketing data managers who could help us ensure we had our ‘house in order’ and our policies and procedures mapped out in a way that would help us adapt to the new marketing way of life post-GDPR.
“As a company operating in over 80 countries we take a global approach—not one approach for marketing in Europe and another for the rest of the world. This means we develop a global standard based on meeting the requirements of the most stringent country. We play it safe. We are documenting policies and processes more than ever and making a very concerted effort to train the whole marketing team whilst funneling key decisions and access to data to experts.”
Continues Fitzmaurice: “The biggest surprise so far has been the dark shade of gray on the intricacies of GDPR and lack of certainty over what it will actually look like in 2018. I think the more advanced marketing functions are using it as an opportunity to review their existing approaches to marketing data management and are trying to work out how to not be worried about GDPR, but use it as an opportunity to build better, tighter relationships with their clients and prospects. In a good way, it is making marketers think, ‘How do I add more, real, value to our clients so they do want us to keep in touch with them?’ I would like to think that the quality of the marketing industry’s email campaigns will improve because of this fresh thinking.”
Remember: Be alert but not alarmed. There’s still time to comply and get your stuff together, but you’ll need to act soon. Speak with your internal compliance team; if they don’t know, you’ll need to seek external counsel, preferably from someone who knows European law. Reach out to counterparts in other regions to brainstorm approaches.
And be aware of fake news, says Armstrong: “The difficulty with any GDPR preparations is the amount of GDPR fake news about. It’s hard for organizations to know where to get a trusted source of their information; a good place to start is legal and compliance FAQs. The important thing I think is to start planning with a correct assessment of what the new law requires from you.”