The new EU General Data Protection Regulation (GDPR) will take effect in May 2018. Do you have a plan?
Any organization that collects and uses data on leads, clients, customers, or business partners in the EU is required to comply with the tenets of GDPR. Marketing teams, who are typically the custodians or owners of CRM systems and contact databases, have a key role in fostering their organization’s compliance. Have you heard about GDPR, but perhaps not taken action yet? Get started now, and you can avoid a non-compliance mishap.
There are six key steps that marketing must understand and act on by the May 2018 effective date of GDPR. For simplicity’s sake, we refer to individual contacts of all types simply as customers or data subjects.
- Assess your organization’s data and marketing tools
A first step to prepare for GDPR is understanding the data landscape across the company. Identify whether your organization is a data controller or data processor. Where does personal data reside? Who has access? What is the data used for? Consider all potential sources. Customer contact lists may reside on salespeople’s local drives, for example. Consider reducing the risk of rogue data by requiring all employees to interact only with authorized systems.
Talk to providers of sales and marketing tools early. Salesforce, Adobe, Oracle, HubSpot and others will be implementing product features to assist controller organizations with GDPR compliance.
- Run a data quality check
Most organizations manage databases holding thousands or millions of customer records. This data can decay rapidly, as individuals change jobs or move, and as companies merge, move or rebrand. Maintenance workflows must include regular deduplication, management of opt-outs and deletion of dead records.
Start by improving the quality of existing customer data. Complete an assessment of data on hand, validate existing contacts in the EU and confirm that each contact record contains a source, consent and date of consent.
If there are contacts for which you don’t have GDPR-proof consent, or if you are unsure whether their consent is compliant, it would be advisable to run a re-permission campaign to refresh that consent. Those who do not provide fresh consent should be removed from the contact list.
- Implement an effective consent process
GDPR further requires that organizations obtain explicit consent from contacts to obtain and use their data. Organizations should implement consent protocols for every data collection point. Examples include:
- Landing pages that collect consent from website visitors. The subject must actively check boxes (pre-checked boxes are not allowed) or enter text to indicate or confirm approval for the use of data. These include subscription or event registrations, content download pages, support request forms and other website opt-in pages.
- Collection of contact information at trade shows or events must inform the subject of data privacy policies and offer an opportunity for the individual to confirm consent.
- Organizations processing personal data of children under 13 must collect consent from the child’s parent.
- New customer account creation must provide data privacy policy and capture consent.
Consent details must be collected, stored and available for review. Controller companies will need to create a means of storing consent detail. This can be done by customizing existing applications, working with CRM providers to support consent capture, or migrating to GDPR-friendly applications.
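A consent audit of the kind described under the data quality check and the consent process steps, added here as an illustration and not taken from the original article: it deduplicates a constructed contact export, marks EU records that lack a source, explicit consent or consent date for re-permission, and applies the campaign responses so that decliners and non-responders drop out. The Contact fields, the EU_EEA subset and the sample records are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Contact:  # constructed minimal CRM record; field names are assumptions, not a vendor schema
    email: str
    country: str                     # ISO 3166 code, used here as a GDPR-scope proxy
    source: Optional[str] = None     # collection point: web form, event, ...
    consent: Optional[bool] = None   # explicit opt-in; None means never asked
    consent_date: Optional[date] = None

EU_EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"}  # sample subset

def dedupe(contacts):
    """One record per e-mail address (case-insensitive), keeping the newest consent."""
    best = {}
    for c in contacts:
        key = c.email.strip().lower()
        if key not in best or (c.consent_date or date.min) > (best[key].consent_date or date.min):
            best[key] = c
    return list(best.values())

def consent_status(c):
    """'compliant' only when source, explicit consent and consent date are all recorded."""
    if c.country not in EU_EEA:
        return "out_of_scope"
    return "compliant" if c.consent is True and c.source and c.consent_date else "repermission"

def apply_repermission(contacts, responses, today):
    """responses maps e-mail -> True (fresh consent) / False (declined); decliners and
    non-responders are removed, fresh consents are stamped with today's date."""
    kept = []
    for c in dedupe(contacts):
        if consent_status(c) != "repermission":
            kept.append(c)
        elif responses.get(c.email.lower()) is True:
            kept.append(replace(c, consent=True, consent_date=today,
                                source=c.source or "repermission_campaign"))
    return kept

SAMPLE = [  # constructed records
    Contact("anna@example.com", "DE", "web_form", True, date(2017, 9, 1)),
    Contact("Anna@example.com", "DE", "web_form", True, date(2016, 1, 5)),  # older duplicate
    Contact("bob@example.com", "FR", "event_2017"),                         # never asked
    Contact("cara@example.com", "IE", None, True, date(2017, 3, 3)),        # source not recorded
    Contact("dan@example.com", "US"),                                       # out of scope
]

def sample_after_campaign():  # bob re-consents, cara declines, nobody else is asked
    return apply_repermission(SAMPLE, {"bob@example.com": True, "cara@example.com": False}, date(2018, 4, 1))
```

The consent_status check is what a stored consent record must be able to answer for every EU contact; a record that cannot is a re-permission candidate, not a marketable lead.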
- Assure individual control over personal data
A key GDPR goal is to strengthen and protect the rights of individuals to control their personal data. Under the right to be forgotten rule, a company or organization is required to identify, erase and confirm deletion of an individual’s personal data upon request. Many organizations will have to create internal tools or rely on manual or semi-automated processes initially. Marketers should ensure that an erasure option is easy for customers to find and submit.
- Provide contacts with access, rectification and portability
Customers have a right to access, review or correct their data and may ask for a copy of their personal data in a machine-readable format. Initially, marketers may have to use a relatively manual process, using web forms or email to complete the process. Work with CRM and marketing automation providers on this front – many will offer user-friendly dashboards, enhanced profiles or wallets that allow the customer to securely access and maintain their own private information.
- Update your organization’s privacy policy
The GDPR requires company privacy statements to confirm support for the right of data erasure, rectification, restriction of processing and portability.
Update your privacy policy to explain data practices in a clear and transparent manner. This information should be conveyed in an unobtrusive, easy-to-digest mode with graphics, icons, hover text or even video.
Customer Focus Is Key to Success
The extra steps of capturing GDPR-compliant consent could affect the customer experience if not well designed. As a marketing leader, you have an obligation to assertively protect the customer experience. Lead or be actively involved in team decisions on GDPR implementation. This is not the sole responsibility of the IT department.
If your marketing performance metrics include prospect and lead counts, expect list shrinkage as contacts elect to disengage. The right to be forgotten will also curtail retargeting campaigns – email campaigns to unsubscribed customers saying “we want you back” will not be allowed.
Individual control over personal data may contribute to higher-quality data and greater overall satisfaction, as customers gain a sense of empowerment over their data and its use in communications. While lists may be smaller, you may be encouraged by the fact that targeted campaigns will be reaching truly interested customers who have given explicit permission to be contacted.