The relationship between businesses and customers is ever-changing. The availability of more information makes it easier for consumers to research and make decisions on their purchases. At the same time, marketers can get more access to information about customers and their preferences, making selling easier and more successful over time.
However, this growth in data has to be regulated, and the European Union’s General Data Protection Regulation (GDPR) has some specific requirements that will affect marketers over time. It’s, therefore, worth looking at two aspects of how marketers work with data: GDPR compliance and on-going data management.
What does GDPR require?
GDPR was created to update previous data protection regulations in Europe, which, interestingly, had been put in place well before the Internet became important to business operations. The updates within GDPR were designed to bring data protection regulations up to speed with all the new ways of doing business that have developed over the past few years.
Based on guidance from the Information Commissioners Office, consumer rights under GDPR include the following that directly affect marketers:
- Right to be informed – this covers any gathering of data by companies, and consumers must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- Right of access – this provides consumers with the right to request access to how their data is used by the company after it has been gathered.
- Right of rectification – this ensures that consumers can have their data updated if it is out of date or incomplete.
- Right to be forgotten – if consumers are no longer customers, then they have the right to have their data deleted.
- Right to restrict processing – consumers can request that their data is not used for processing. Their record can remain in place, but not be used.
- Right to data portability – consumers can get a copy of their data, which can then be moved to another provider.
- Right to object – this includes the right to stop processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. Similarly, this right must be made clear to consumers at the very start of any communication.
For marketers, understanding how data sets may be put together and then managed over time will be critical.
What steps should marketers know about data, security and GDPR?
Alongside the requirements for managing marketing programmes and use of data, marketers will have to understand where customer data is held within their organisations. For example, records are often held within customer relationship management systems that may be hosted internally or in the cloud.
The likes of SalesForce have successfully sold CRM to a range of companies, from small businesses through to international enterprises. However, these records will have to be managed as part of the wider approach to GDPR.
For companies that have moved over to external, cloud-based applications, there are a few areas that will have to be considered. The first is how data may be used within the business. The role of the cloud is to make it easier to work and collaborate around data. While this can make it simpler to achieve goals, it might also be simple to download and use copies of that data for analysis.
Each one of those copies would contain customer data, and would, therefore, have to be tracked and managed in accordance with the rules that GDPR sets out. Without this oversight in place, it’s possible that companies can think they are compliant when actually there is a risk that GDPR may be broken.
For example, a copy of the customer database may be downloaded for analysis. This set of records should be covered by GDPR in the same way as other instances of customer data. However, the person downloading that information may not be aware that this file should be saved securely and managed over time. Similarly, both the marketing team and IT department may be unaware that this copy of data now exists.
Without the right oversight, it’s possible for marketing data to sit on laptops or mobile devices and then be forgotten. In the event of a loss or theft, this would count as a potential breach of GDPR.
These rogue copies of old customer data can hang around as well. If a customer asks for their data to be deleted or not processed, does this automatically filter down to all copies of that record? In most cases, no; if an old copy of a customer database then gets used in error for a mailout or other marketing campaign, this represents another potential breach.
For marketers, these instances represent a collision between the rules that have been developed and the real world environment that people work in. Marketers, therefore, have to consider their approach to customer data within the business, as well as understanding all the processes involved in saving and protecting those files from initial creation through to backup and archival.
Asking the IT team within the business for assistance here can help. IT has supported disaster recovery and data security for years and will be preparing their own systems to cope with GDPR. Collaboration here around customer data and records can, therefore, help both sides ensure that records remain protected, whether they are managed by central IT teams or provided as part of third-party cloud services.
What should marketers know about data protection?
This collaboration does not mean looking at the technology involved and understanding the difference between backup, disaster recovery and archiving. Instead, it means being familiar with the need for data protection and where potential gaps can creep in. This is more about the process that members of the marketing team might take around data than the technology.
A good example here is the use of cloud services like SalesForce. IT may or may not be involved in the selection of a service for marketing, and will not be responsible for managing data held within the cloud. At the same time, using a cloud service does not automatically mean that marketers can absolve themselves of responsibility around data protection and security either.
Companies like SalesForce provide best practice advice on data protection and security that includes keeping a separate and up to date copy of the company’s customer list and storing it in another location. However, the responsibility for taking this copy – how often it should be taken, where it is stored, et cetera – is something that marketers may need help with. Marketers should, therefore, familiarise themselves with how their teams create new files and data over time and ensure that these assets are protected appropriately.
As more services move to the cloud, and data gets used as part of targeting and marketing activities more regularly, this set of information has to be kept secure and protected over time. Marketers should set out to cover their own activities around data so that they do not miss their responsibilities around data protection and GDPR.