The European General Data Protection Regulation (GDPR) will change how marketers and advertisers operate in the European Union. Regardless of where it is headquartered, every business that collects personal data and builds profiles of European residents must change the way it sources and handles customer data. For many of these organisations, it will be a dramatic shift.
Marketers should start by focusing their resources to address the changes GDPR will bring. It’s not a matter of whether they can still operate under GDPR – certainly they can. Instead, they should be thinking about how to operate moving forward. Marketers must take procedural, technological and organisational steps to ensure that their data sourcing and handling practices are in line with GDPR.
1. Determine which data falls within GDPR. Companies must classify data in a dynamic manner and determine whether single or multiple pieces of data allow them to directly or indirectly identify someone. If the answer is yes, that’s personal data and falls within the scope of the rules.
2. Ensure that they have a legal basis for collecting and processing personal data. What data businesses collect and how they can use it hinges greatly on the legal basis in place. Organisations can collect and process data leveraging a number of legal bases, including customer consent and legitimate interest. Marketers should use legitimate interest whenever possible, but whatever they choose to use, remember that GDPR requires firms to document and provide evidence of their legal basis.
3. Link the purpose of the data initiatives with the amount of data needed. Purpose limitation and data minimisation must become the new guiding principles for marketers. It’s essential to determine the purpose of an initiative before engaging in data collection and processing. And the amount of data a company processes must be the minimum needed to achieve that specific purpose.
4. Set up stringent mechanisms to mitigate third-party risks. GDPR makes third-party risk greater than ever. For example, if a company buys data to identify an individual across her devices and serve her personalised content, it must make sure that its data provider used customer consent to collect the data and that the customer was given all relevant information. In other words, if one partner undermines compliance, all parties in that value chain are at risk of missing compliance obligations. Marketers need to set up audit mechanisms that allow them to continuously evaluate the privacy practices of their partners.
5. Leverage anonymous data to mitigate privacy risks. When it comes to anonymisation there are still a number of unanswered questions. However, there is no doubt that robust anonymisation helps mitigate privacy risks. Marketers must find ways to gain maximum value out of anonymised data, such as generating insights from anonymised audience data, producing advanced segmentations, and activating these segments through a range of advertising and marketing channels. As such, they will continue to pursue activities they do today, on the premise that they are not using personal data.
6. Distinguish between customer profiling and automated decision-making. These two might be the same thing in some instances, but it’s not always the case. The second usually doesn’t involve any human interaction, and the result of the initiative leads an organisation to take an action that has an impact on, for example, the individual’s legal or economic situation. If a company’s profiling activities fall within this category, it will need to rely on explicit customer consent. If they don’t, legitimate interest could be the way forward.
7. Rely on consent and be transparent to “single out” customers. Initiatives such as cross-device recognition or device graphs must be built with customer consent. Marketers should think of it not only as a compliance requirement, but also as a guiding principle to approach customers. Forrester’s research shows that some customers truly appreciate highly personalised advertisements, but they want to be in control. Marketers need to state clearly and simply which data they will collect, why, and with whom they plan to share it. It might feel that managing customer consent is burdensome, but it will be a winning strategy for customer engagement.
GDPR is not a one-off effort – it is instead a long-term strategy. To meet and sustain GDPR compliance, firms must embed its principles in their day-to-day business activities. As a result, over time, we expect that marketers will prefer data quality over quantity, become more selective about their data providers and partners, and use less – but more trusted and profitable – third-party data.
This is not “just” about compliance. Customers’ privacy expectations are on the rise, and an increasing number of them decide with whom to engage, and how, also on the basis of privacy considerations. As they approach GDPR, marketers everywhere must bear in mind that effective privacy practices make happier customers and, ultimately, this is all that matters.
Enza Iannopollo is an analyst at Forrester. She will be speaking at Forrester’s Privacy & Security Europe 2017 taking place at etc. Venues in St Paul's, London on October 5–6.