With less than a year to go before the biggest change to data laws in a generation comes into force, many marketers say they’re struggling to get their heads around what the General Data Protection Regulation (GDPR) involves – and to make the necessary provisions.
According to a recent survey by the Direct Marketing Association (DMA), only 54% of UK businesses expect to be compliant by the May 2018 deadline. Worryingly, nearly a quarter had not even begun preparations.
Confused? You shouldn’t be.
The Information Commissioner’s Office set out some clear and practical advice for UK organisations on the changes they will need to make to consent mechanisms as a result of GDPR:
- An unambiguous opt-in is required to process personal data
- Brands will need to be specific about what will be done with the data
- Individual companies must be named when requesting consent for third-party marketing
- Pre-ticked boxes and any assumption that consent is given by default will be insufficient
- Brands cannot stop consumers using a service if they withhold consent for their data to be processed
Let’s break this down and take a deeper look at what some of this means for marketing teams.
Opt-in – not opt-out
When it comes to consent regarding communications, opt-in becomes the ‘new norm’ under GDPR.
All consent must be freely given, specific, informed and unambiguous. That means you can’t assume consent based on a prospect’s inactivity – and using pre-ticked boxes won’t be good enough.
The terms of GDPR are clear: prospects and customers have to agree that their data can be used and they can be contacted.
GDPR gives consumers back control of how their data is collected and what it’s used for. This includes the ‘right to be forgotten’ – in other words, the option of having their data removed from your database.
Consumers will be able to ask you to remove their data when there is no legitimate reason to process their information, when they withdraw consent for it to be used on the original terms – or if it’s been unlawfully processed.
Any request for data to be deleted has to be complied with.
Processing personal data
Companies can no longer collect data for the sake of having it. There must be a justifiable reason for gathering data from your customers and prospects, and you must be clear about what you intend to use it for – and how long you would need to use it.
If you’re wondering what all this means in practice for marketing teams, don’t worry. We’ve created a series of posts to outline all the steps you’ll need to put in place to cover all these points, from how to check the quality of your email marketing lists, through to a simple GDPR marketing guide to help you establish whether your existing process is compliant.
But there is one other aspect of GDPR that is vital to be aware of – privacy – and that has big implications for CRM databases.
Database building and management
Many businesses use databases to store personal data – and email marketing lists and CRM databases are two examples that will be affected by GDPR.
To effectively meet the requirements of GDPR, the application of best practices on data privacy and security will be key. That means you’ll need to ask yourself three questions:
- Do I have visibility of where all my data lives?
- Can I protect and secure that data, so that my data processors and their subcontractors have zero access to it?
- Can I proactively apply policy to that data, and all the places it lives, up to and including data erasure?
That means ensuring you have a CRM system in place that reduces data security risks – for example, by having all data in the same place – and which enables you to control exactly who has access to that data. This should include the ability to assign privileges that limit the tasks that can be performed by any given user.
Most companies operating CRM systems will need to ensure that future data is collected with specific opt-in permissions, with all activity date-stamped so you can demonstrate accountability for all activities.
If you’re running an older on-premise version of a CRM system, you may need to check its functionality to make sure everything is in place for you to be compliant with GDPR. This may include implementing modifications to fields or workflows.