A big EU data protection storm is coming - are you ready?
Most business people involved in using customer data to market or sell directly via mail, SMS, social media messaging and other digital channels are at least vaguely aware that profound changes in regulation in this area are coming and they are going to have to do something – something pretty big in fact – to meet new rules sooner rather than later.
The Canadian government has been one of the first to strike in the data protection and anti-spam arena, and companies based in, or even just operating in, Canada have had to move rather sharpishly to comply. At Maximizer, having a Canadian parent, we are keenly aware of the strict new data protection regulations just instituted in Canada, which prohibit sending commercial electronic messages without the recipient's explicit consent, including messages to email addresses and social networking accounts and text messages sent to a mobile phone. That means companies can no longer rely on passive permissions that depend on consumers not bothering to opt out: consumers now have to actively opt in to receive commercial messages.
Tough new European laws in the pipeline
In Europe however, businesses still seem a bit too complacent about impending European Union data protection legislation, which promises to be just as tough as the new Canadian law, or even tougher. The EU legislation is scheduled to come into force in the next 12-22 months, which is really not that long a lead time for businesses. The proposed EU legislation may still undergo some revisions, but the fundamental intent, as it now stands, is similar to that of the Canadian law when it comes to commercial messaging.
The key elements include:
- Requiring express permission for data collection, data usage (such as market analysis), data disclosure and messaging: a process that must be completely transparent
- ‘Right to be forgotten’: individuals have the right to have their data deleted from company records at their request
- Large fines and compensation claims for failure to comply: fines of up to 100 million euros or 5% of annual income (whichever is larger) for breaches of the regulations and straightforward procedures for compensation claims.
For companies located in the EU and dealing with prospects and customers in the EU, the underlying fact is that assumed permission is simply off the table. If you plan to use data based on preferences, previous purchases and other behavioural data, make sure the customer has actively ticked a box giving you permission. Even for service and product update messages, explicit permission is advised. Businesses also have to give their consent to receive sales and marketing communications. The onus is on vendors to be able to prove express consent.
Making your business storm-proof when it comes to data protection legislation
There are a number of steps any business can take to ensure that it is ready and able to comply with even the most drastic of the anticipated changes to EU data protection law:
1. Spring clean your data
Make sure your data is accurate, up-to-date and of use. The first two are obvious elements of best practice data governance: making sure names are spelled correctly, addresses and other contact details are current and any other information is confirmed. Making sure the data is of use is equally important. We may live in the age of Big Data, but if the information you hold is really of no use to your business, then bin it! Other junk information, such as outdated records on interests and preferences, should also be purged from your systems. All data should be time-tagged in accordance with its usage, along with the purpose for which it was collected: it is best practice to keep data only for an appropriate amount of time and not to hold onto it once its usefulness has lapsed – i.e. when the 18-year-old who asked to be kept up-to-date on bicycle equipment turns 28 and drives a car, it is time to delete!
2. Determine who is responsible for data protection
Under the proposed EU legislation, large companies would have to appoint a data protection officer, but small and medium enterprises (SMEs) would be exempt. However, it really is necessary for any organisation to designate at least one person to be responsible for compliance with data regulations and indeed for promoting best practice – even, or maybe especially, for SMEs. Otherwise, things fall through the cracks and your organisation risks being stung with a big fine. There also needs to be a procedure in place for dealing with data breaches, outlining who has to be informed, what actions have to be taken, what the legal requirements are and when the necessary responses have to be made.
3. Explicitly secure the right permissions, managing through your CRM platform
Finally and most importantly, job one is to make sure that you have the right permissions – i.e. that your customer database is preconfigured to comply with the proposed EU legislation. This process can be refined to ensure that you have explicit consent for a range of communications, such as new products, special offers, service alerts and messages related to areas of interest – actively canvass customers on their areas of interest and then encourage them to opt into communications covering those. The job is made immensely easier if your CRM system is geared to handle this complex array of permissions on various levels – in fact it is critical – and so we have made sure that the latest version of our system, Maximizer CRM 2015, has in-built anti-spam functionality that enables users to meet stringent permission requirements. Features include:
- permission rules for email by type
- email opt-in levels and preference management
- auto opt-in status checking prior to email distribution
- post-communication alerts showing individual contact exclusions.
In addition to securing permissions, all data should also be tracked, and when it is transferred from one part of the organisation to another the permissions must be clear so that it is only used for its approved purpose. Maximizer CRM 2015 also makes this process easier by including audit trails among its new features. Audit trails enable users to track changes to the database, showing what amendments have been made, when each one was made and who made it. In the new version of Maximizer, these can be seen via easily generated HTML audit reports, which can be exported to Excel for further analysis and archiving. This could be crucial because, in the case of any breach of data regulations, an organisation will have to be able to account for what happened and why – and how it can take steps to prevent it from happening again.
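As an added illustration of steps 1 and 3 above (example code written for this article, not Maximizer's own implementation or any real CRM's), the following Python sketch models consent records that are time-tagged with their purpose per message type, runs the pre-send opt-in check, produces the exclusion list and writes one audit row per decision. The retention periods, message type names and sample contacts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: each consent record is time-tagged with the purpose it was
# collected for. Only an active opt-in counts; a missing record, an opt-out or a
# lapsed record all exclude the contact from that message type.
@dataclass
class Consent:
    msg_type: str     # e.g. "special_offers", "service_alerts", "new_products"
    opted_in: bool    # True only if the contact actively ticked the box
    granted_on: date  # when the consent was given
    purpose: str      # what the data was collected for

@dataclass
class Contact:
    email: str
    consents: list = field(default_factory=list)

# Assumed retention periods per message type, in days (hypothetical values).
RETENTION_DAYS = {"special_offers": 730, "new_products": 730, "service_alerts": 1825}

def consent_status(contact, msg_type, today):
    """Return 'ok', 'opted_out', 'lapsed' or 'no_consent' for one message type."""
    for c in contact.consents:
        if c.msg_type != msg_type:
            continue
        if not c.opted_in:
            return "opted_out"
        if (today - c.granted_on).days > RETENTION_DAYS.get(msg_type, 0):
            return "lapsed"   # consent has outlived its retention period: purge it
        return "ok"
    return "no_consent"       # passive permission is never assumed

def build_send_list(contacts, msg_type, today, audit):
    """Pre-send opt-in check: split contacts into a send list and an exclusion
    list, appending one audit row per decision for later accounting."""
    send, excluded = [], []
    for ct in contacts:
        status = consent_status(ct, msg_type, today)
        audit.append((today.isoformat(), ct.email, msg_type, status))
        (send if status == "ok" else excluded).append((ct.email, status))
    return send, excluded

def sample_contacts():
    """Constructed contacts: opted in, opted out, lapsed, and consented to another type."""
    offers = lambda ok, yr: Consent("special_offers", ok, date(yr, 1, 10), "offers")
    return [Contact("a@example.com", [offers(True, 2015)]),
            Contact("b@example.com", [offers(False, 2015)]),
            Contact("c@example.com", [offers(True, 2012)]),
            Contact("d@example.com", [Consent("service_alerts", True, date(2015, 1, 10), "alerts")])]
```

Running `build_send_list(sample_contacts(), "special_offers", date(2015, 6, 1), [])` sends only to the first contact and reports the other three as excluded with the reason each one failed the check.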
Never too early for best practice data governance
Whilst the final decisions have not been made on the EU data protection legislation, companies should not delay in preparing for them. Certainly, promoting best practice data governance within an organisation should never be delayed – especially when the stakes are set to get a lot higher. Doing so protects not just your company’s operational foundation and its financial health, but its reputation and brand image.
With more than 12 years experience in the CRM industry, Andrew joined Maximizer as a support engineer and has had key roles in the Support, Training and Solutions departments before leading the Services Team where he is responsible for support and services in the EMEA region as well as the training and certification of Maximizer Software Ltd’s...