The Marketer's Guide to Understanding GDPR
In less than a year, the EU General Data Protection Regulation (GDPR) is set to take effect. This new European privacy law will overhaul the way companies collect, use and store personal data. It’s also going to have a significant impact on how businesses engage with and market to their customers.
Yet, many companies are woefully unprepared. A recent survey from the Direct Marketing Association suggests that only 54% of businesses will be fully compliant by the May 2018 deadline. With the deadline quickly approaching, business owners and marketers alike need to understand the implications of GDPR and how it will affect their marketing efforts.
What is GDPR?
The new GDPR was put forth by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2016. GDPR is already in effect, but the deadline for compliance is 25 May 2018.
GDPR introduces a stringent set of personal data protection laws that extend the data rights of EU citizens and require companies to implement policies and procedures to better protect personal data and safeguard against cyber-attacks.
Who does it affect?
The new data compliance rules apply to any company that deals with EU citizens, regardless of size, industry or location. If your company is not dealing with contacts based in the EU, then the GDPR does not apply. However, best practice is that you should still adhere to the data regulations that are already in place.
What does it mean for marketers?
GDPR introduces a slew of changes for marketers, especially when it comes to seeking, collecting and recording consent. Here’s what every marketer and small business owner needs to know:
Marketing Consent is No Longer Optional
With the introduction of GDPR, permission marketing is no longer just best practice, it’s a legal requirement. As of May 2018, marketers will only be allowed to email individuals who have explicitly opted in to receive messages. The regulation states that businesses must receive affirmative consent that is “freely given, specific, informed and unambiguous.” This means no more pre-ticked boxes, silent consent or “clickwrap” forms (the lengthy contracts that visitors can accept without reading). Individuals must knowingly and actively choose to receive email marketing communications from your company.
Additionally, companies must provide individuals with adequate information on how their data will be used. For example, if you plan to profile someone’s data to determine which offers they should receive, you must inform them at the time of registration and give them the opportunity to object.
With these stricter consent rules, many of the practices that marketers currently use to build their databases will no longer be legal under GDPR. For example, if someone leaves their email address to download a white paper, you won’t be able to simply add them to your mailing list anymore.
Companies Must Keep Track of Consent
Not only do companies need to seek consent from subscribers, but they also bear the burden of proof. Under GDPR, companies are required to keep records of consent. You must be able to provide evidence demonstrating what individuals consented to, what they were told, and when and how they consented.
Moreover, you must provide subscribers with the ability to withdraw consent at any time. GDPR asserts that the process by which subscribers withdraw must be as easy as the process of providing consent. This means that companies will need to have simple and effective customer preference programmes in place.
It’s Time to Reconnect with your Database
While GDPR presents new challenges in collecting and storing data, that’s only half of the story. GDPR also applies to all existing data. If you don’t have sufficient consent from your current database, you won’t legally be allowed to process their data.
In the run-up to GDPR, marketers will need to reconnect with their customer databases and ensure that their consent statements are compliant with the new regulation. With less than a year to go, now’s the time to begin planning re-permission campaigns and start reconnecting with customers.
What happens if you don't comply?
Businesses that fail to comply with GDPR could face fines of up to €20 million or 4% of annual turnover, whichever is greater. While it’s clear that authorities won’t have the resources to go after every company that breaks the rules, noncompliance is a risk that could cost you your business. Are you willing to risk it?
Learn more about GDPR
For more insights and information on GDPR, here are a few helpful resources: