The development of new technologies has resulted in multiple channels and devices for consumers to interact with, giving marketers access to more data than ever before. With the imminent implementation of the general data protection regulation (GDPR), marketing departments will have to significantly change how they collect, store and process any data. Here, Nigel Crockford, Business Development Manager at data security specialist eSpida, explains how marketers must adapt.
Marketing teams collect data to deliver personalised one-to-one communications that focus on the needs of the customer as a way of building brand loyalty. As of May 2018, consumers must provide explicit consent for their data to be obtained and processed by a company to comply with the GDPR.
The current European Union (EU) data privacy regulations were adopted in 1980 and did not anticipate the development or popularity of social media and smartphones. With many of the current principles outdated, the GDPR will significantly raise the standards for the processing of personal data across the EU, giving greater rights to individuals.
For marketing teams, compliance with the GDPR will require altering many of their existing procedures. Soon, the collection of data will have to be relevant for a specific purpose and so if the information is collected for a campaign or competition, this information can only be used for that objective. Further consent will be required to use the information for another purpose.
It is common practice for companies to grow their marketing database using methods like these. For business-to-business marketers especially, e-mail addresses are central to lead generation programs.
The introduction of the GDPR, however, will make it necessary for businesses to actively seek explicit permission from all customers opting in for marketing materials. These opt in requests must not be written into terms and conditions either. Marketers must ensure that potential customers or leads are given clear information as to what their data will be used for, how it will be handled and what subsequent contact to expect.
This means that purchasing e-mail lists or copying personal data from other lead generation sites will be against the GDPR. Unlike the current data privacy regulation, which is a directive, the GDPR is legally binding and failure to comply can lead to fines of either up to €20 million or 4 per cent of a business’ global turnover.
Changing practice
What is of greater concern, however, is that research from the DMA has shown that 15 per cent of businesses still have no plan of action to align their procedures with the GDPR. The severe financial penalties to enforce the GDPR will be particularly damaging to smaller companies.
As well as affecting how businesses explain and obtain consent for new and existing prospects, businesses will also need to detail how this data will be stored within any CRM systems. The right to be forgotten principle will also allow individuals to control what information is retained with the ability to have it removed at any given time.
If a customer does choose to delete their information, using a system that syncs with any marketing automation software is essential. This is because any pre-scheduled correspondence sent out on behalf of a company’s CRM system following a customer opting out of further correspondence will still be a regulation breach.
Just as removing any requested data should be done quickly by marketers, making sure this information is correctly acted on is just as important. In 2016, Flybe was fined £70,000 because of e-mailing 3.3 million people in their database who had unsubscribed to marketing e-mails and, therefore, not consented to being contacted.
To overcome these problems, marketing teams should look to use a single platform CRM system, which hosts the consent record of every single customer on their database. Doing so will make it easier for businesses to track and monitor any permission data, while also remaining compliant with the GDPR.
Connecting marketing and IT
Despite marketing and IT departments both playing pivotal roles to a business’s success, there is often a disconnection between the activities of the two. For example, if a marketing team is operating on an online platform without the IT department knowing and no security measures are in place, the company could encounter several cyber threats.
If an IT security team knows what assets are being used by the company’s marketing team, then it can be vigilant and prepare against common and recorded attacks that have occurred in those areas. Businesses can then consider taking additional steps to avoid the detrimental impact cyber breaches can have on reputation and customers.
Exploit prevention software, for example, is designed to protect applications and files that are prone to attacks. Instead of examining millions of known malware samples, the software focuses on a smaller collection of techniques that are used to spread malware.
As marketing departments conduct regular and systematic monitoring of individual data, companies will now also be required to employ a data protection officer (DPO). The role of the DPO is to help businesses comply with the data protection law, by working with their data processing teams to eliminate many of the risks organisations face when managing data.
While the GDPR sounds like it will be hindering to many of the activities carried out by marketing teams, it will in fact help businesses gain a richer insight into each of their customers’ interests. This is because, by obtaining consent, marketers will create organic lists featuring customers that will want to receive e-mail marketing information.
With that said, GDPR will have a varying impact on the practices and procedures carried out by a marketing team. Marketers must consider every aspect of how data is used, so businesses should also look to GDPR specialists like eSpida to eliminate discrepancies.
Non-compliant businesses of the GDPR could also be faced with bans or suspensions on processing data, in addition to the risk of class actions and criminal sanctions. Despite it currently only being enforced in the EU, many believe this will spark a revolution across the globe for greater data protection for individuals.
How much preparation is needed will vary for each business, but marketing is only one area that needs to be aligned with the regulation. Businesses who have not already started preparing need to act now.
By Nigel Crockford
Business Development Manager