Unless you have been on a sabbatical for the last 12 months you would not have been able to avoid all of the hype and panic around GDPR. I actually found myself in a conversation about GDPR last night at a neighbour’s barbeque! What has happened and why has this become more important than talking about the weather or rugby?
GDPR comes into effect on May 25th and there seems to be a whole spectrum of approaches being taken out there. Some are simply burying their head in the sand and dismissing it as not being relevant to them. At the other end of the scale, people are declaring this as the end of marketing, or at least eMarketing.
The reality is, if you have been marketing in a responsible manner, then you are likely to be a lot closer to GDPR compliance than you think. It is important that you take the time to read and understand the legislation and map this onto how you do things to understand how close you are to compliance. To get you started, here are some key pointers.
GDPR aims to guard against spamming, i.e. sending out mass eMarketing to people who have no interest in what you are sending or do not wish to receive these emails. No responsible marketer wants to do this.
This does not mean you can no longer send out eMarketing communications. What it means is that you can only send to people who have ‘opted-in’ to your communication programs, or where the communication is justifiable in fulfilling your contracted obligation to a customer.
There is a third ‘greyer’ area where you have valid justification that the receiver is open to such communication and there is value being delivered to them. To ensure you do not fall foul of GDPR, this is an area that you must explore yourself on a case-by-case basis.
Be Proactive In Capturing Preferences
Even if someone opts in to your programmes, this does not mean that they want to receive your beautifully crafted emails to the end of time. You have to be proactive in allowing people to opt out or change their preferences.
This is where marketers need to be responsible. Placing an opt-out button in the small print at the bottom of your email may address the letter of the law, but it is not the spirit of GDPR. You need to be more proactive. If there is any doubt on whether someone should or should not receive an email, I would always put a statement right up front. “You are receiving this email because you have previously shown an interest in our solution – if this is no longer the case, you can adjust your preferences by clicking here.”
Taking Due Care With Personal Information
This is where most of the changes in processes are likely to take place. Firstly, let’s be clear: personal information does not just relate to credit card details, date of birth and other highly sensitive information. It is any data that can be used to identify an individual: a name, company name, email address, etc.
It is common for Marketing teams to use a whole host of different applications to support their activity: email engines, marketing automation, CRM, Web Conferencing, Event Registration, etc. It is also common to use a plethora of spreadsheets to pass data between systems and to report on activity.
A key goal of GDPR is to ensure that if you are using Personal Information, you take the necessary steps to secure this personal information. You should not be circulating personal information on spreadsheets via email, nor should you have these lists sitting unencrypted on employee laptops.
You need to take the steps to minimise the number of copies of personal information and ensure that the systems and applications that these reside on are secure.
The Right To Be Forgotten
This is closely linked to the above. In the past, if someone opted out of your communication, you simply marked the record as ‘do not email’ or ‘do not call’. With GDPR every individual has the right to ask to be forgotten. What this means is that you must remove their details (unless you are required to maintain records for other purposes, e.g. Financial Compliance).
This links closely with the above. You need to know where all instances of personal information are held and have the ability to remove an individual’s details from all applications, files and spreadsheets where this data is held.
Don’t Panic, But You Need To Take Steps
GDPR applies to every organisation regardless of the nature of your business or your size. You do not need to panic; many of the steps you need to take are best practice anyway. However, you do need to take the time to understand the legislation, map the flow of personal information across your marketing function and identify the gaps in compliance. Best of luck.
Gary is the Managing Director of Cremarc, a specialist B2B marketing company that helps organisations to deliver effective marketing through storytelling, marketing automation and cleverly designed ‘challenger marketing’.