The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data. Its impact won’t just be felt in Europe though, as it will have wider implications for companies across the world that hold data on the continent.
“Yeah but that’s some acronym for something boring that someone else will worry about right?”
“But I’m a Creative (*strokes beard and/or readjusts thick-rimmed glasses*) that can’t be bound by regulations surely?”
NOPE! This one affects all of us *collective sigh*.
So let’s try to break it down to the essentials of what we Marketers really need to know and implement.
Here’s the DL…
WHY ARE THERE THESE NEW REGS?
As Marketers we all know how important Data is to us these days. For us at Ignite everything revolves around using measurable data, and we use this as pure intelligence in order to ensure we are investing our clients’ marketing budgets in the smartest way for maximum ROI.
But with Data comes responsibility. You are potentially holding some really sensitive personal information about individuals’ lives. With the explosion of the digital world there’s far more data flying about, so the aim of the new regulations is to ensure that users have more control over their data and what communications they receive, and to start taking steps to stop unwanted communications.
WHAT DOES THE GDPR WANT US TO DO?
In short, to ensure that people’s privacy is kept protected. We need to show where any personal data is going, how it is stored, kept secure and what it’s used for. We’ve also got to ensure that we can delete all trace of people’s information upon their request.
WHAT IS CLASSED AS PERSONAL DATA?
Anything that relates to an individual’s personal, private or public life. This could be their name, computer IP address, bank details, photos, even genetic data. But specifically of note for us Marketers is that it extends to data like social media posts, location data, economic information and people’s interests which we use to affect our advertising from paid campaigns.
HOW WILL THIS AFFECT MARKETERS SPECIFICALLY?
Any data we use will have to have come with consent from the customer. We will need to know when the consent was given and not take it for granted that we’ve got that consent forever as there’s to be a ‘right to be forgotten’ rule, which allows customers to demand that their data be erased at any time.
The permission to use personal data will need to be regularly updated – for example, by sending an annual email asking if they’d still like to be on the mailing list.
At the moment the ‘opt-in’ button on a mailing list option is sometimes already ticked – but this will have to change and the customer has to tick the box to show they clearly understand and agree to receiving communications.
The list can go on. But essentially we must ensure that any personal data we have is known and approved by that individual, and that it’s stored securely and in an organised manner so that should it need to be exported, updated or erased it can.
For many marketers, third-party tools and marketing technology providers (e.g. marketing automation platforms, CRMs, etc.) form much of their data ecosystem. In this case, it’s important that we check that our suppliers are ready and prepared for GDPR compliance.
Before the May 2018 deadline, it’s wise for Marketers to:
– Ask suppliers to detail how they will store/process data to ensure GDPR compliance.
– Ensure there is a point of contact at each supplier who will deal with any data breaches and notify us of them within the 72-hour window
– Make sure to only collect data that is necessary – don’t keep random data without a clearly specified purpose
– Be sure it’s possible to delete data should you stop using a service, and that you can download your own data when requested
WHAT IF WE DON’T COMPLY?
FINES. BIG ONES. €20 million or 4% of annual turnover (whichever’s larger!). Don’t even bother trying to swerve this one. But aside from the financial implications there’s the important ethical issue – we should show that we care about the data we have and use it with the utmost respect.
Okay, okay, all this theory is great, but what will we actually be doing to ensure compliance with the GDPR? Well here’s what we’ll be doing…
– Raising internal and client awareness. Make sure that the Ignite team, and all our clients, are aware of the upcoming changes, deadlines and implications of the GDPR and any changes required.
– Auditing and documenting our data. Know what personal data we hold, identify where it came from and who we share it with.
– Contacting all our suppliers to ensure they will be complying with the GDPR (as the majority of our data is held by third party suppliers such as Google, Facebook, our hosting provider Rackspace, our email distribution provider Dotmailer)
– Creating our Ignite GDPR Policy document, which will be available for any of our clients, customers and employees to reference and explains how we and our third-party suppliers are complying with GDPR.
– Encouraging our clients to run a re-permissioning email to current email contacts, to check that they have all opted-in to receive our email communications
– Updating all our cookies and privacy notices on our own and our clients’ websites
– Checking our HR employee data, and ensuring it is all up-to-date and secure on our databases and payroll systems.
Now go forth and comply!
Images courtesy of Xeerpa.com & Hospitality.net