Affecting every company collecting, processing and storing personal data from EU residents, the impact of the General Data Protection Regulation (GDPR) will be far-reaching.
Marketing teams will likely be the first to be affected by these regulations as they are one of the main players when it comes to data processing in companies. Their data collection and processing strategies will have to be unambiguous and communicated to all users/subscribers. In other words, it will be prohibited to collect and use the email address of a consumer, without his or her agreement.
Recent research from the Direct Marketing Association (DMA) indicates nearly two-thirds of organisations recognise that they will be ‘very’ or ‘extremely’ affected by GDPR. However, although awareness is generally high, there is still a lot to do in terms of preparedness. While 60% of marketers feel they are on course for GDPR readiness, 17% say they are behind in their planning, and even more worryingly, 15% have not implemented any form of plan at all.
Consent will be key
It’s worth noting that consent represents only one of several legal bases under which personal data may be processed under GDPR. Other bases include legitimate interest; contractual obligation; legal obligation; vital interest; and to administer justice.
Most marketers, however, are going to rely on consent for their data processing activities. GDPR has set the bar high for consent, which will have a huge impact on the industry. Transparency will be enforced as companies will be required to give customers choice and control over how their data is handled. Under GDPR, key requirements for consent are that it is unbundled, granular, requires a positive response, names third parties and gives recipients the power to revoke consent at any time. Marketers will need to have a complete understanding of how they collect personal data, how it is stored and how it flows throughout their infrastructure.
It will also not just impact European markets. Whether you are a European headquartered company, an overseas firm with offices and customers in Europe, or even if you simply have EU nationals in your marketing database, you will need to adopt new practices to ensure full compliance with this regulation.
Failure to meet these regulations could potentially be devastating. Not only will poor data handling reflect badly on the company and its reputation, but regulators will be within their rights to award eye-watering fines of up to 4% of a company’s annual turnover or €20 million, whichever is higher. The Information Commissioner’s Office (ICO) is cracking down on poor data protection and will likely make examples of brands that are identified as being non-compliant. Earlier on this year, the ICO fined Honda and Flybe £83,000 in total for the poor handling of people’s personal data. While not GDPR related, it can be seen as a statement of intent on the part of the ICO when it comes to what is acceptable and what is not when managing data. For a company of any size, the financial penalty that comes with GDPR could be business-changing.
To guarantee compliance, many businesses are now appointing a Data Protection Officer (DPO). In the past, it’s been fair to say that many organisations have not applied enough rigour in their approach to data protection, but it’s likely those with particularly sensitive data – public sector organisations, for example – will feel obliged to appoint a properly trained DPO. A DPO would be responsible for informing and advising the person in charge of data processing, as well as monitoring the company's compliance with the new regulation.
This year, headlines and conversations have largely focused on GDPR, however, these aren’t the only regulations marketers need to be aware of. Far fewer marketers are aware of the new ePrivacy regulation that is being drafted. While GDPR replaces the old Data Protection laws, ePrivacy is more specifically focused on electronic communications and will ultimately replace the Privacy of Electronic Communications Regulations (PECR) Act that currently regulates email and all other online marketing. There are major concerns right now that it will impose opt-in requirements for B2B marketing and telemarketing for the first time, as well as impose a requirement for explicit consent before cookies can be used.
There’s no doubt about it, marketers’ jobs are going to be heavily impacted by regulations next year. They will need to ensure they are as open as possible to customers about how and why they are collecting personal data and give them the choice of opting out. It will no longer be acceptable to send marketing materials to an email address that was provided when a customer downloaded a whitepaper without first obtaining explicit and unambiguous consent to do so. Being explicit – and being able to show proof of this transparency and consent – will be key.
The good news is that marketers can use GDPR to their advantage. According to the DMA, 39% of marketers believe GDPR will improve their customer offering and nearly half state changes would benefit consumers. The fact is, if email consent is harnessed in the right way, it can significantly benefit a company. By knowing that subscribers have positively opted into receiving emails, marketers are already communicating with individuals that are ready to be engaged.
GDPR is essentially enforcing processes that have been known best practices for years. Now enshrined by law, GDPR will come with its challenges but, ultimately, it will further raise industry standards and give marketers an opportunity to engage with individuals whilst respecting their privacy.