As a Council member at the Data Marketing Association (DMA), I’ve been monitoring this new marketing law since 2012 and been surprised at the lack of practical advice on how to prepare for it.
So I’ve decided to share with you the 3-point GDPR action plan I’m constructing – it may not be perfect, and will almost certainly change/develop, but here’s your chance to steal it.
A. Get permission
Sounds easy. It’s not. The most robust way to get permission for processing data is to get consent. But consent now has to be ‘unambiguous’. That means it must be freely given, specific and informed – shown either by a statement or a clear affirmative action. You cannot bury the details of consent in your Terms & Conditions.
Plus consider the type of legal basis you prefer for processing personal information. You have a choice between consent or legitimate interest. I prefer consent (see my post “Which is best, ‘Legitimate Interest’ or ‘Consent’?” that supports this GDPR action plan).
For consent, your target audience has to tick a box or give permission over the phone, and in that act, they agree that your messages are of value. Therefore, they are more likely to read them and less likely to unsubscribe, unfollow or ignore your phone calls.
You only need permission from prospects. The General Data Protection Regulation (GDPR) assumes you have a relationship with existing customers and can, therefore, process their data – until they tell you to stop. But if you plan to use profiling or automated decision-making, you may need additional consent.
So I have reviewed the wording on my consent forms (i.e. the tick box attached to forms on many websites). I also ensure sales teams have a ‘script’ to use when they ask for consent over the phone.
It may not be necessary to get total consent on the first engagement. Obtaining consent for automated profiling may be difficult, so consider first getting consent for processing data and perhaps ask for profiling consent later.
Also, think about the channels you use. Consent via a tick box or email blast may be convenient, but it is not necessarily the most effective. I have found that consent via telemarketing gets much better results, typically 15% compared to 1-3% using digital methods. It’s because telemarketing is great for objection handling. See my post ‘Want prospects to opt-in? Call them‘
B. Get secure
The GDPR was originally conceived as a response to concerns across the EU about data loss and hacking – the clue is in the title, it’s the ‘Data Protection’ regulation, not ‘Marketing’ regulation. So security across the whole of the EU was the real issue, marketing just got swept in with the tide.
Review the personal information you store and examine its sensitivity. Do you hold credit card details, National Insurance numbers, passwords? Now list all the staff who have access to that data and ask whether they need it to perform their job.
Next, consider the security of your website. Beyond employing professional hackers to find holes in your site’s security, there are simple measures you can take. Like ensuring all website forms are on a secure server page, so messages are encrypted.
You will also need to get your IT department involved. Where are the servers located that hold your data, how secure are they and what is the plan for failure? Be aware that failure includes a member of staff losing their company laptop, losing access to customer data or sending data to the wrong person.
C. Get informed
But the responsibility for personal data does not rest solely with the marketing department. Ensure you have a training plan for all members of staff within your organisation. Security, privacy and permission touch many departments, and it’s not something that should be explained at the staff induction and then forgotten. Regular, annual sessions to refresh staff on data protection laws and their importance are certainly part of my plan.
A quick round-up of my GDPR action plan? Despite Brexit, the GDPR is still relevant. Don’t ignore it. Use it as a guide to improve your relationship with prospects and customers. I suggest you get permission, get secure and get informed.
This post is part of a series about the General Data Protection Regulation; the full list of posts include ‘How Brexit impacts marketing data in the UK‘ | ‘3 tips: Steal my GDPR plan‘ | ‘The GDPR became law yesterday… and nobody cared‘ | ‘Get ready for Data Protection ambulance chasers‘ | ‘10 Must-know facts about the new EU data law‘ | ‘Want prospects to opt-in? Call them‘ | ‘You don’t need ‘opt-in’ to store a switchboard number‘ | ‘What can these guys teach you about opt-in marketing?‘ | ‘How content marketing will change after 2018‘ | ‘Winning Edge: Counter a direct threat‘
Get my latest blog posts, reports and videos delivered straight to your Inbox, just 8 times a year. It’s free but not cheap. Complete the form below to receive the Marketing Graham Bulletin; you can unsubscribe at any time.
|Marketing Graham Bulletin|