Momentous times in digital advertising and marketing are ahead next month in the UK and Europe as the GDPR, (General Data Protection Regulation) comes into effect on 25th May 2018. This act will have repercussions for all modern businesses which deal in any way with the UK and EU and should herald a new attitude to global data marketing.
Are you involved in digital marketing in any way for your business? If the answer is yes. This will affect you… so be ready!
This is certainly the most important act in the last 20 years concerning data and everyone involved in digital marketing and every business which utilises digital marketing should be aware of its structure and its ramifications.
Many people are asking me if this concerns me as the owner of Digital Fire which is predominately an email data marketing business. The answer is that we welcome this regulation with open arms! We have always adhered to stringent email marketing and SMS marketing policies and this act will ensure that everyone is on a level playing field. Penalties for non-conformity will be severe and this we hope will clear away some of the less scrupulous data marketers.
At Digital Fire want people’s information to be safe, and respected and we want consumers to receive information that’s pertinent to their stipulated wants and needs. That is how we have driven such high email data marketing responses for global clients over the last ten years.
So, in brief what is GDPR and what are its main parameters?
The new regulations protect the individual and ensure that privacy and data protection become an integral part of business, not just an afterthought.
The legislation now takes into account modern marketing methods of data collection and new processes and technologies that may impact privacy and data storage including artificial intelligence, texts, and others. And although the GDPR was written specifically for EU citizens (UK too), it impacts organizations globally because legislation is binding. Directives were viewed as suggestions by many organizations, but legislation is a different ballgame.
Any organization that processes, stores, records or archives data of any EU citizen is subject to compliance under GDPR and it will impact all areas of organizations from sales, to marketing, to customer service across industries. The legislation is extensive, 260 pages, and what I outline here is not legal advice but an aide to help marketers understand the terms and impact of GDPR. (Organisations should consult legal and compliance experts when building GDPR compliance processes.)
Scope – Any organization that processes, stores, records data of EU citizens is impacted. This means the organizations themselves, as well as any third party or outsourced organizations hired by the organization that handles or stores this data, regardless of the organization’s location or headquarters. Yep that means basically EVERYONE, and it is important to understand the far-reaching implications of GDPR as other countries may revise their data policies based on this. SA is in serious need of such an act and we hope the POPI takes note of this major legislation.
Definition of Personal Data – One of the most important aspects of GDPR for organizations and especially marketers to recognize is that the definition of Personal Data has expanded in a very big way. In the United States for example typically they use the term Personally Identifiable Information (PII) to define the types of data that are “sensitive”. PII includes any information, such as name, social security numbers or date of birth, that could be used on its own or in conjunction with other information to identify, contact, or locate a single person or identify an individual in context.
The EU uses the term Personal Data instead of PII and has added some very specific and broad categories that are now protected under GDPR. The new category, Sensitive Personal Data, includes ethnic, racial, health, bio-metric and genetic data. Political opinions and a few other types also fall under the Sensitive Personal Data.
Much of what B2B marketers collect and store will be considered Sensitive Personal Data including browser information, cookies, and IP addresses. Additional information regarding the definitions of Personal and Sensitive Personal Data can be further investigated here.
Consent and Ownership – When marketers think about consent to use or store data, we often believe we have tacit approval from the individual to do so. We also often believe we “own” the data because we have collected it. This is an outdated view of consent and one of the fundamental changes the legislation highlights.
Consent is now clearly defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Individuals also have a right to understand how their data was collected, for what purpose it is being used for and may change or retract their consent at any time. Pre-checked boxes of consent at the end of web forms will no longer suffice for consent. Organizations will need to prove they have consent to market to individuals as well, so bulk buying of lists or names is, as ever, not a good idea. (Digital Fire’s email data rental solution which adheres to GDPR policy is a much smarter move.)
Regarding consent, don’t panic. Building a preference center to obtain explicit consent will help manage consent. However, as mid-size and enterprise organizations often have many different CRM systems and siloed platforms, it will be imperative to tightly integrate all data and leave no margin for error. Once someone opts out, they are opted out of everything from text messages, telephone calls or emails without fail. This means even emails scheduled in marketing automation systems. It’s a breach of compliance if an individual receives a message once they have opted out. Pre-scheduled programs are not an excuse.
Individuals, not organizations, own their data, and now have the right to access, edit (rectification) directly and even completely erase (Right to be Forgotten or Right to Erasure) their data. If an individual requests access to their data, organizations have to produce the data without “undue delay” within one month of request.
This means organizations must know where every piece of data is stored (including recordings) so that the consumer may action it accordingly. Most organizations have data stored across different platforms, making consolidation and export of data requests challenging at best.
Lastly, you need to be aware of the penalties for not complying with GDPR because they are significant. Failure to comply may result in a €20 million Euro fine or 4% of company revenue. Organizations need to conduct a full data assessment to understand where any and all data resides across their organization and hired third parties and begin to plan to upgrade their processes to reach compliance.
Build or update your preference centers now and start thinking about data and privacy as the right of the individual, not the organisation.
Digital Fire offers GDPR compliance consultancy to our global clients to assist them in negotiating this hurdle and ensuring they continue successfully in harnessing and using data in a legal and successful manner.
Take away: If you want to know what actions to take now – review the twelve steps below from the Information Commissioner’s Office – ice.org.uk
MD and Founder Digital Fire.