This is my interactive lesson to explain how Marketers can get a competitive advantage from Data Protection and GDPR. Let me know what you think !
Much of the focus and attention surrounding the forthcoming General Data Protection Regulation (GDPR) has been around the big sticks that the Information Commissioner’s Office (ICO) will wield. The level of fines will be significantly increased – up to 4% of Global Turnover or 20M euros, whichever is the higher.
Some Marketers could infer that the new regulations effectively kill off Direct Marketing.. But there are carrots too for organisations.
As Elizabeth Denham the ICO commissioner said in a speech to ICAEW in January 2017 that the new Accountability principle offers a payoff down the line: –
“not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”
So what I wanted to focus on in this article was how Marketers could use the new GDPR regulations to build a competitive edge.
But first – why am I qualified to talk about this ? I’m a Marketing and IT expert who has worked on implementing major direct marketing campaigns worldwide (email, print and social media) for IBM and Ricoh Europe. I have first hand experience of working under laws very similar to GDPR as I have run campaigns in Germany. The German Federal Data Protection Act (2003) is very similar to GDPR, as I’ll explain later.
Reforming data protection – the plus side for Marketers
It’s interesting that, the Information Commissioner’s Office (ICO) website refers to GDPR as Data Protection Reform. GDPR is an evolution of existing laws and practices which were first introduced in nearly 20 years ago – before Facebook, before Google, before Smartphones. However there’s more to it than just updating Data Protection laws for modern technology. It’s also about responsibility – changing the way organisations think about the personal data of their clients or target clients, and managing customer data sensitively and ethically.
In this context there is no difference between B2B and B2C: we are all consumers and we will all have a right to expect Marketing organisations use our data responsibly and in accordance with the law.
If Marketers learn to respect the privacy of their consumers, and to avoid activities which are likely to annoy, offend or cause distress then these individuals are much less likely to complain to the ICO. More importantly Marketers can develop a new relationship with their consumer and this is where Marketers could start to make a competitive advantage.
The new approach to Privacy gives more power to consumers. Consumers will have more control over their data. They’ll have stronger rights to be informed about how organisations use their personal data, and they will even be able to obtain and port their personal data for their own purposes across different services.
This really changes the relationship between the company and the consumer. Marketers will need to be much more specific and transparent about what they are using customer data for. Gaining consent from consumers to use their data will be more complex:
“consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent”
Elizabeth Denham, Information Commissioner
However the plus side is that, with imagination and planning, Marketers should have much better data about their consumers, and – crucially – consumers should be more receptive to receiving Marketing messages.
So, here is my advice for where to start to capitalise on this advantage.
Make sure you comply with the existing regulation. GDPR in fact assumes that organisations are already compliant with DPA. In particular there are a lot of straightforward things that you can do now to improve your marketing and to comply with the legislation. These include.
Take notice of your Privacy Notice – this is a requirement of DPA and ICO have published guidelines as to what it should contain. The key thing is that the Marketing should pay special attention to what this says and make sure that it accurately covers the Marketing activities you are planning to do with customer data.
If you don’t think this is important, then this should focus your mind.
Cancer Research was recently fined £16,000 for profiling potential donors (using third parties) to assess their wealth. In their judgement the ICO highlighted that this wasn’t explained in their Privacy Notice and so it happened without the knowledge of the individuals.
Double- optin –Under the double optin an individual has to confirm their consent as follows…
Although this isn’t required until GDRP comes into force, in my experience it is good practice. When I’ve run campaigns in the German market (where they have had Double Optin laws since 2003) the nett result is that getting your customers to confirm their email address not only gives you much cleaner data but it also gives you “warm” contacts who are expecting to hear from you.
Best of all it’s actually not that difficult to do. Tools like Mailchimp already have Double Optin built in.
In practice, however the ICO is unlikely to fine you over a missing Privacy Notice or confusing Optin statements.
Sweat the big stuff
Opt out processes – make sure you have robust internal processes for Opting people out / removing them from your database(s). Make sure that it is really easy for people to opt out.
(Note if you are a charity under the new FPS you have to respond to requests to opt out within 28 days).
Marketing Data – review what data you keep on individuals. Is it “adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” ? Remove any unnecessary data. Remember that your customer data maybe held across multiple systems – e.g. CRM system, email tool.
Consent – are you sure that you have consent from your contacts for marketing purposes ? Can you prove it ?
Importantly – if you use lists bought in from third party then you can’t rely on their consent.
In May 2016, the ICO fined Better for the Country Ltd for sending out 500,000 texts, urging people to support its campaign to leave the EU. It obtained the phone numbers from a third party and did not have the consent of the people it sent text messages to.
The ICO states that you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. However it has to be a good idea to play it safe. And, it’s good practice to ensure that you definitely have consent and any new consent gained needs to meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. Cleaning your marketing database will also bring additional benefits anyway.
Get ready for GDPR – and tailor your messages to your audience
Extended information about consumers – under GDPR consumers can be specific about what they are signing up for. So rather than just saying “Sign up to receive information” – it is better to identify what you will use their data for. This is actually a good opportunity to identify customer interests – such as:
- sign up to receive insights about XXX
- sign up to receive information about special offers
The key thing here is that you deliver against your promise. Rather than send out -a one size fits general newsletter to your contacts, send personalised messages tailored to their stated interests. That way you are much more likely to get a better response.
Profiling of data – there is a lot in the regulations about profiling and especially automated profiling. The bottom line, for me, is to think carefully about how you will augment existing data and – if you are planning to do any tele-matching (e.g. to find out phone numbers for your customers) then make sure your customers are informed.
Data on children – anyone under 16 cannot legally consent. (You have to get the consent of their parents or guardians) So, you need to be very careful about marketing to children. If children aren’t in your target audience then at the least it’s worth asking your customers if they are over 16.
Having your carrot and eat it – a win win
Just as the new GDPR regulations will punish poor marketing practices, they will also reward good marketing practice. There could well be a significant plus side to this work: a better relationship with your customers.
If they have knowingly opted in to receive your marketing communications; if they have freely told you what they are interested in; if they are comfortable with the way that you use their data – then they will trust your brand more, and they are far more likely to respond to your marketing messages.
For me, that’s the win win.
I’m a Freelance Marketing Consultant. Contact me to find out how I can help your transform your business for the digital world.