With the FTC investigation into Facebook’s privacy practices, it’s clear that privacy directives must be carefully adhered to whenever a business might have access to customer Personally Identifiable Information (PII). As companies scramble to maintain trust with their target audiences, one of the challenges for marketers is gaining clarity on how the six primary directives will impact marketing efforts.
When the GDPR goes into effect on May 25th, 2018, companies must have built-in privacy assurance solutions for all digital communication channels where PII data is requested or used. More importantly, US companies that handle data of EU members must consistently assess privacy practices to strengthen usage permission protocols for data and documents, as well as the way that they communicate about breaches of personal data.
There are serious repercussions for violating this new legally binding directive. Failing to comply could lead to fines of up to €20 million ($28.16M US) or 4% of your global turnover. To prepare your marketing efforts for compliance, here are 5 things you must know.
1. Data Permission: Emails and Newsletter Opt-In
Data permission is about how you manage email opt-ins for people that may request to receive promotional material from you. Marketers can no longer assume that visitors want to be contacted. The GDPR calls for obtaining expressed consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’.
In practice, this means that leads, customers, partners, etc. need to physically confirm that they want to be contacted. Marketers must have clear systems in place that show how you actively seek and obtain customer and prospect permissions for contacting them. More specifically, marketers must obtain specific opt-in consent to receive a newsletter or contact them by email.
In addition, the act of remarketing via display ads by cookie placement on visitors’ browsers will require providing them with a clear way to give consent to receive those cookies and a clear way to opt out.
2. Data Access
The GDPR ‘right to be forgotten’ gives people the right to have outdated or inaccurate personal data removed. As a marketer, it will be your responsibility to ensure that your users can easily access their data and remove consent for its use. This can be as straightforward as including an unsubscribe link within your marketing emails and directing users to a page that allows them to manage their email preferences.
3. Gathering only the Data that you need
GDPR limits marketing efforts to the collection of only the data that you need. The regulation’s concept of ‘legitimate interest’ is not as clear as most people would like, as it states: ‘processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. This doesn’t mean that marketers don’t need to obtain consent; it means there may be a ‘legal basis for processing’ personal data in certain circumstances.
To justify that gathered data serves a legitimate interest, the company’s need for the data must be clear and explicit without overreaching the fundamental freedoms and privacy rights of the individual (the data subject). Some examples would include:
- Data processing for fraud protection
- Direct marketing (when opt-in and opt out rights and procedures are clearly shown)
- Direct and appropriate relationships, such as with an established client
- Holding limited PII, where there is a legal obligation to do so, to ensure that a customer doesn’t receive marketing materials
- Data used for website personalization such as with a travel services provider
- The use of diagnostic analytics tools to assess the number of visitors, posts, page views, reviews on a social media platform
Navigating the waters of legitimate use is just one of the many reasons why having a Chief Data Officer (CDO) for digital transformation is a growing consideration for many companies. A CDO is in the perfect position to act as or appoint a data protection officer, which is recommended by GDPR. To ensure that every use of PII data meets the legitimate interest benchmarks, your data protection officer will likely be undertaking a Legitimate Interests Assessment (LIA).
4. Controllers and Processors
Since the GDPR regulation applies to companies not located in the European Union, it’s imperative that companies in the US that have customers in the EU understand the role of controllers and processors. The marketing team of a company would be defined as “controllers” if they are responsible for making decisions about what to do with collected data.
The IT department, software providers, and other marketing affiliates are “processors” because they handle and use data. Processing refers to obtaining, organizing, changing, anonymizing, transferring, analyzing, and even destroying data. Processors use personal data only when and how they are instructed by the controller. That being said, an entity within an organization can be both a controller and a processor if it both makes the decisions about data usage and then processes that data.
5. Processing and Profiling
Profiling is defined as when marketers use automation to ‘process personal data to evaluate certain personal aspects relating to a natural person’. That can include ‘economic, health, personal preferences, interests, reliability, behavior, location or movements’. This clearly comes into play with contextual marketing.
Tools and Approaches for Ensuring Compliance
Ensuring that companies and marketing teams meet compliance at scale can be more challenging with some CRM tools that lack robust automation and advanced analytics tools.
Businesses with the Sitecore platform and particularly those that transition to Sitecore 9 have a number of automation tools that make it easier for marketers to comply with GDPR such as:
- Automatically disabling all direct marketing activities to end customers
- Providing irreversible anonymization of user data so that it is no longer identifiable, which meets the right to be forgotten statute.
- Additional tools (in Sitecore 9) for identifying and protecting PII data and ensuring end-to-end data security.
These and other features can work in conjunction with other content management processes of the platform to ensure GDPR compliance via enhanced user experience (UX) approaches. For example, businesses will be better prepared to keep compliance in check by unbundling consent.
The goal is to make it easier for website and ecommerce site visitors to differentiate between the ‘Terms and Conditions’ agreement and consent signing and the ‘Contact permission’ sections. The website UX would be based on creating highly differentiated content spaces for these consent sections and, ideally, taking the consent section down to a more granular level.
Granular consent goes a long way to supporting compliance through better website UX. The idea is to clearly define each contact method separately as part of opting in or out on the website. This would mean separate checkboxes for opt-in consent for email, telephone, text message and post. Another method is to ensure that, where an ecommerce site or other website requires PII to register an account, the account holder has the clear ability to:
- Withdraw permission for marketing in their account settings
- Withdraw permission for profiling that may impact things such as the adverts a user sees
- Fully delete their account (right to erasure)
As evidenced by the fallout that Facebook is experiencing, the bottom-line ramifications and brand damage can have far-reaching consequences when customers lose faith in how you protect their PII data. Equally important is the fact that having accurate data and controls has a positive effect on lead generation, fulfillment and the allocation of marketing campaign budgets. That’s why marketers should see GDPR compliance as a positive for the long term rather than an inconvenience in the short term.