GDPR: Best practices for repermissioning customers

In a new series, MyCustomer speaks with a panel of experts to try to bring clarity to some of the more opaque areas of the impending General Data Protection Regulation (GDPR).

Last time, we examined the issue of repermissioning for marketing consent, answering how to know if you need to repermission your customers.  

In the latest in the series, the panel is revisiting repermissioning to share best practices.

How can you best repermission its customers for consent?

Paul Laughlin, founder, Laughlin Consultancy

Firstly, I would recommend doing this ASAP. We are already seeing the beginning of a tsunami of repermissioning email campaigns. This will lead to consumer fatigue (as we’ve seen with NPS feedback). So, get in before this media stops working. Plus, think about which media will work best for your customers. Putting them first is key. If they regularly visit your stores, could you use in-store capture (digital or physical)? If they are used to receiving printed media, could you communicate using that medium? Setting yourself apart from the competition requires creativity.

It is vital you have a clear value proposition for people (customer or prospects). This requires a cultural change by customers. In many ways, you should think of these as ‘asking permission’ campaigns, not repermissioning. You are not processing people you ‘own’, seeking to get the ‘right’ answer from them. Rather, the rules of the game have changed. You now need to offer your service to more empowered consumers. What are you offering in exchange for their data? How will that help them? Don’t just use spin - if necessary reinvent your proposition to ensure a clear value in exchange for data shared (customer insight should guide you).

Thinking about the offer from the perspective of the recipient should also lead you to my final tip - keep it simple. Some of the best examples of gaining such permission have come from media companies. Given this is really a communication challenge, we shouldn’t be surprised. To inspire your own approach, I would recommend taking a look at the approaches used by both the BBC & Channel 4. Transparency is essential and where possible, humour can help with what is a very dry subject for most people.

Iain Lovatt, chairman, Blue Group Inc

Along with a data cleanse to bring your database up-to-date, I would suggest:

• Find your best customers (and prospects) first. I’ve found Pareto’s principle very often rings true – around 80% of your business often comes from just 20% of your customers. If you plan on keeping the business of this precious 20%, it is critical you take a personal approach to seek their consent. They deserve more than an automated email.
• Identify who you can continue to market to using legitimate interest. This is especially important for B2B companies. Under GDPR, sole traders and partnerships need to be treated in the same way as consumers. However, limited companies, LLPs and government departments can be marketed to without consent, using legitimate interest (although individuals can still ask you to opt out their work email.)
• Remember to only repermission those who have given you consent! Sending a repermission email to an individual who has opted out is already a breach of existing rules, and several brands (Honda and Flybe, for example) have already been fined and had their knuckles wrapped by ICO.
• Use the opportunity to refresh your data collection methods. This will ensure you’ll have records to prove how you gained consent for future use if you need it. 
• If in doubt, delete. You might not have to go to the same lengths at Wetherspoon’s but you can’t be punished for data you don’t hold.

Jim Roberts, director and founder, BlacklerRoberts

Once you have identified a target audience who need a repermissioning exercise, then for the actual communication you should follow standard  best practice, in particular re-engagement campaigns, covering:

• Keep it simple. Do not confuse and combine with other offers/activities.
• Have a clear path to consent or removed consent. Provide a clear option to consent and allow for individuals who do not respond. They have withheld consent and should be treated as such.
• Sell the positives. Show the benefits/value of being subscribed.
• Show the way back. Allow for people to opt-back in and ensure there is a mechanism to do this. 

Kim Smouter, the head of government affairs at ESOMAR

Like with everything in the GDPR, you need to know what your processing activities actually are, catalogue them, catalogue why you need the data you need and how you intend to use that both today (and ideally tomorrow!).

Consent is only one of six legal grounds for processing and under GDPR becomes one of the "toughest" to use because of all of the implications it represents. It's worthwhile, before going blindly down the route of consent, to see if any of the other processing grounds might be more appropriate. For example if you're doing Big Data processing activities you'll be hard pressed to use consent as your processing ground because you can't be precise enough to meet the requirements of GDPR consent, but might be more easily able to prove your legitimate interest to do the processing. 

If repermissioning proves your only viable option, then efforts should be placed on updating the privacy policy to make it as simple and as clear as possible (using layering techniques as appropriate), you *must* also inform data subjects of *all* their rights under the GDPR, and you need to makesure the consent request matches the policy seamlessly. Keeping a record of the clear and affirmative action is essential in the event you get challenged and I strongly suggest thinking at all times about future uses not just the current ones so that you are future-proofing your repermissioning request.