The GDPR Checklist: The Boxes You Should Tick Before May 25th
This blog has been written in collaboration with my colleague Antony Humphreys, Key Account Manager at Adestra
If you’re a marketer there is no way you have escaped talking about those four letters. Regardless of your expertise and your field, whether you work in direct marketing, in digital, for an agency, for a B2B company or a B2C company, the General Data Protection Regulation is the one topic no one can run away from, and nor should they. While there is much debate on how this law will change the marketing landscape, the fact of the matter is that doom and gloom will not help you here.
Yes, there will be changes, but in all fairness, these will benefit your customers and help you become more transparent about your data practices. Your clients will have more visibility over what happens with their information and greater control over what they choose to share with your brand. It gives you the opportunity to analyze objectively the data you currently hold, enhance its quality and perhaps even implement some overdue improvements. So why not embrace this positive transformation? The key is to balance your business motives with the expectations of your customers.
It is important to understand that GDPR became law in May 2016 and will be enforced from May 25th 2018 – there will be no further ‘grace period’. It covers all personal data, current and future, B2B and B2C. It affects every marketing channel and data practice where the processing of personal data is involved. Moreover, it applies to most companies that process the personal data of individuals in the EU: the test is where the data subject is, not their citizenship (and the UK intends to retain equivalent rules post-Brexit).
If you are not in the European Union but offer goods or services to, or hold information on, customers in an EU country, then GDPR still applies. For those that are not compliant, or cannot prove that they are compliant, the maximum penalty is 4% of annual worldwide turnover or €20,000,000, whichever is higher (a lower tier of 2% or €10,000,000 applies to lesser infringements). As a result, it is important to fully grasp what this regulation is about, how you should prepare for it and the boxes you need to tick.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Article 4(1) Regulation (EU) 2016/679 of the European Parliament and of the Council
Firstly, GDPR revolves around six data protection principles (Article 5), which largely carry over those of the Data Protection Act 1998, plus the new principle of accountability: you must be able to demonstrate compliance, not merely claim it. These principles stem from the right to respect for private life in the European Convention on Human Rights, brought into UK law by the Human Rights Act. Two concepts matter most to marketers: personal data and consent. As explained in the quote above, personal data is any information that can be used to identify an individual, directly or indirectly. At its most basic this includes name and email, but it also extends to any detail or identifier that can be related to an individual, for example a unique customer ID for the contacts in your database. GDPR sets a high standard for consent: it must be freely given, specific, informed and unambiguous, and shown by a clear affirmative action. As explained by the ICO, consent “means offering people genuine choice and control over how you use their data.” In marketing terms, it means your clients and customers actively agree to receive communications from you. Note that consent is only one of the six lawful bases in Article 6; legitimate interests, covered below, is another. Again, the pattern is clear: the main objective is to put the customer at the forefront of your marketing.
During our research with eConsultancy last year, the Email Industry Census revealed that 16% of in-house marketers and 23% of agency respondents said they were unaware of changes that would affect their activities. With GDPR fast approaching, hopefully this has changed, although it can still be rather overwhelming. A good place to start is a data audit. The DMA has some great resources on this, and as they mention there are certain questions you need to consider, such as:
- What data do you have and why?
- How are you collecting this data?
- How and where is it stored?
- How do you use this data?
- Are you sharing this data with any third parties? What data are you sharing?
- Who is responsible for the data and the processing of it?
- Do you have a data retention and data deletion plan in place?
- Do you have all the technology you need to process and correctly manage that data?
Now that you are able to answer these questions it is time to go even more granular. You must consider the areas covered by the DMA’s GDPR checklist, which include:
- Legitimate interests
- Information provisions
- Third-party data
- Legacy data
Please do investigate the complete checklist available via the DMA website. To give you a brief overview this is what you need to bear in mind:
- You should check each processing activity involving personal data and ensure it is aligned to a relevant lawful basis.
- All data collection points (e.g. sign-up forms) should be reviewed to confirm they meet the requirements of GDPR. You must be clear about where and what data is collected, as well as what it is used for.
- Remember: no pre-ticked boxes, as consent requires a positive opt-in; every organisation that will rely on the consent must be named (if you have multiple brands or use third parties); and people must have a genuine option to refuse marketing communications.
- Make sure that you do not bundle consent as a precondition of your service (e.g. a customer wins a prize draw, but to claim the prize they must consent to receive direct marketing).
- In addition, the request for consent must be kept separate from your T&Cs, not buried inside them.
- When collecting data, you must have mechanisms in place that record when and how you obtained consent, and exactly what contacts were told at the time.
- Make it easy for individuals to access their personal data and update it as necessary, and check that you are collecting only the minimum amount of data necessary, deleting records once they are no longer needed.
- You should have appropriate means to refresh consent at suitable intervals.
- If you rely on legitimate interests as your lawful basis, you must be able to explain and document that interest, and the balancing test behind it.
- If you are profiling individuals via an automated decision-making process, check that you have obtained explicit consent via an un-ticked opt-in box, with clear copy explaining the implications of that processing.
Finally, as you have now asked yourself the right questions, if you do need to cleanse your data and invigorate your lists, please remember that it is important not to email anyone whose consent you cannot evidence, and never anyone who has objected or unsubscribed. You should also keep in mind that preference centers and automation are your friends. We also have some great examples of using automation for data purposes from our clients: for example, IBC cleansed inactive data and invigorated their list with an automated re-engagement program. They had 16% of their contacts re-engage and saw an average open rate uplift from around 14-17% to 25% and higher.
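To make the two points above concrete (record when, how and what contacts were told; never mail anyone whose consent you cannot prove), here is an added illustration in Python. It is not code from the original post, Adestra or the DMA: the contact names, form identifiers, brand names and the two-year refresh interval are constructed assumptions (GDPR sets no fixed interval; pick one you can justify), and the ledger is deliberately append-only so the evidence trail is never edited away.

```python
# Added example (not from the original post): a minimal consent ledger that
# stores the evidence GDPR asks for (when, how, and what the contact was told)
# and a send-eligibility check that refuses to mail anyone whose consent you
# cannot prove. All contacts, forms, brands and dates below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    timestamp: datetime       # when consent was given or withdrawn
    action: str               # "opt_in" or "opt_out"
    source: str               # how: e.g. "web_form_v3", "unsubscribe_link"
    purpose: str              # what they agreed to, e.g. "newsletter"
    copy_shown: str           # the exact wording shown at the time
    brands: tuple = ()        # every organisation named in that wording
    pre_ticked: bool = False  # a pre-ticked box is not valid GDPR consent


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, event: ConsentEvent) -> None:
        """Append-only: history is never edited or deleted, only added to."""
        self.events.append(event)

    def latest(self, contact_id: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [e for e in self.events
                    if e.contact_id == contact_id and e.purpose == purpose]
        return max(matching, key=lambda e: e.timestamp) if matching else None

    def can_email(self, contact_id: str, purpose: str, brand: str, now: datetime,
                  refresh_after: timedelta = timedelta(days=730)) -> bool:
        """True only when there is positive, documented, current consent for this brand."""
        ev = self.latest(contact_id, purpose)
        if ev is None:                          # no record at all: unsure means do not send
            return False
        if ev.action != "opt_in":               # latest word from the contact was "stop"
            return False
        if ev.pre_ticked:                       # not a positive opt-in
            return False
        if not ev.copy_shown.strip():           # cannot show what they were told
            return False
        if brand not in ev.brands:              # the consent did not name this sender
            return False
        if now - ev.timestamp > refresh_after:  # stale: refresh before mailing
            return False
        return True

    def eligible(self, contact_ids, purpose: str, brand: str, now: datetime, **kw) -> List[str]:
        return sorted(c for c in contact_ids if self.can_email(c, purpose, brand, now, **kw))


# Constructed "send date" used by the demo below.
SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed events, one per way a contact can fail the eligibility check."""
    t0 = datetime(2018, 1, 10, tzinfo=timezone.utc)
    copy = "Yes, send me the Example Co newsletter by email. Unsubscribe any time."
    brand = ("Example Co",)
    ledger = ConsentLedger()
    # alice: clean, recent, positive opt-in
    ledger.record(ConsentEvent("alice", t0, "opt_in", "web_form_v3", "newsletter", copy, brand))
    # bob: the box was pre-ticked
    ledger.record(ConsentEvent("bob", t0, "opt_in", "web_form_v2", "newsletter", copy, brand, pre_ticked=True))
    # carol: opted in, then unsubscribed a month later
    ledger.record(ConsentEvent("carol", t0, "opt_in", "web_form_v3", "newsletter", copy, brand))
    ledger.record(ConsentEvent("carol", t0 + timedelta(days=30), "opt_out", "unsubscribe_link", "newsletter", "", brand))
    # dave: legacy import with no record of what he was told
    ledger.record(ConsentEvent("dave", t0, "opt_in", "legacy_csv_import", "newsletter", "", brand))
    # erin: valid consent, but given three years ago
    ledger.record(ConsentEvent("erin", t0 - timedelta(days=3 * 365), "opt_in", "web_form_v1", "newsletter", copy, brand))
    # frank: consented to a partner brand only, not to Example Co
    ledger.record(ConsentEvent("frank", t0, "opt_in", "partner_form", "newsletter", copy, ("Partner Ltd",)))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    contacts = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]  # grace: no record
    print(ledger.eligible(contacts, "newsletter", "Example Co", SAMPLE_NOW))  # ['alice']
```

Only alice survives the check; everyone else is either unproven, pre-ticked, withdrawn, stale or consented to a different brand, which is exactly the population you should not be mailing while you cleanse your list.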
GDPR is not out to get marketers; it simply requires that they are transparent about their practices and keep their customers in mind. It gives more power to customers and greater visibility of how their data is being used. While you may need to implement some changes, these will likely result in better quality data, more engaged contacts and, ultimately, greater trust in your brand.
You can find out more on how to prepare for the 25th from our series of GDPR blogs from our in-house expert, Antony.