The new EU data regulations that are under discussion have already divided opinion amongst commentators. In an effort to provide some clarity about what is being proposed, here is a useful summary of the main points – and what marketers should consider.
What lies at the heart of the General Data Protection Regulation (GDPR) is that the current level of consumer opt-in consent used in nearly all consumer contact databases will not be sufficient under the new law. It will render data unusable, or there is the prospect of proposed fines running to tens of millions of Euros.
GDPR covers areas such as personal privacy and security, but from a marketing perspective it is about the new consumer opt-in permission rules. It means all data will have to be audited against the new standards, and where it does not conform it will need to be refreshed by asking for enhanced consumer consent. There is also a need to create an effective storage system for individual consent forms, and a method through which consumers can ask for, and have, information on them removed.
These are not insignificant tasks, and they will not be quick to implement. But no matter the level of frustration generated there is no substitute for becoming compliant other than to accept databases will have to be written off.
However, there is potentially positive news in all of this. If you have to contact customers and prospects to renew consent, it can be used to gain new data on a large and detailed scale, and at the same time make offers direct. The benefits can actually be made to outweigh the negatives.
Of course, there is a temptation to look for a shortcut, or to delay aspects of the compliance process, but really they only delay the inevitable, and are more costly in the long run. All companies at some stage will come under scrutiny from the Information Commissioner's Office (ICO), or members of the public, and the combination of hefty fines and consumers having the ability to claim damages for misuse of information is difficult to ignore. There could even be the possibility of a PPI-type move towards the public demanding compensation on a large scale, plus of course, harm to brand reputation.
Your to-do list
From the start it is advisable to seek help. Few brands or agencies are equipped to manage the compliance task, and there are more than a few data suppliers that struggle to understand what is involved in GDPR. So when seeking support make sure it comes from established, reliable sources. A compliance heritage is a must, and also ask detailed questions about the forthcoming regulations. If there is hesitation, look elsewhere. Inevitably a small industry of compliance advisors will emerge, so make sure the right one is sourced.
The other job at the top end of the to-do list is to appoint someone to be responsible for overseeing the compliance process. If nobody is given ownership there is a possibility that the job will get pushed back and forth and ultimately not get done, or be implemented badly. Either way the result could be costly.
Whoever takes charge, their responsibilities should include producing written guidelines on GDPR and distributing them to all relevant personnel. The guide should set out what is, and what is not, allowed in terms of consumer data so that individuals can do their jobs safe in the knowledge that they are not breaking the new law.
Data audits and changes to data protocol are not things that can be rushed, and may take months of work, including changes to software. Currently, for example, there are very few CRM software systems with a storage function for keeping consent forms.
Even though the new EU law may not be introduced until the end of 2017, or even later, the lawmakers and bureaucrats in Brussels are perfectly capable of acting more quickly than predicted. More importantly, it may take some data owners a year or more to prepare. Even starting work on compliance today will be too late for some. Delay is a risky strategy given the potential financial penalties, but also the investment needed in any last-minute intensive bid to play catch-up.
To continue to use data there are three key tasks that have to be completed. They are establishing whether or not the current level of opt-in permission meets the new unambiguous terms required, refreshing it appropriately if needed, and storing consent forms from every consumer, whether in electronic or paper form.
There is widespread confusion about the definition of the ‘unambiguous’ permission criteria in the forthcoming law. A good illustration is that it will be like a traffic light system. Consumer consent will have to be sought and provided if you want to convey information about a given subject to a customer or prospect through a given communication channel. Later you may wish to communicate about another subject in another way, and that would be like stopping at another set of traffic lights at which fresh permission must be asked in order to move forward once more.
Storing consent forms is something that most data owners have never had to do before, but in future all forms will have to be presented if requested to do so by the ICO. Creating a storage facility is therefore a key element of compliance.
The other task is to enable consumers to have their data removed quickly if they request it. The ‘take down’ clause, as it is becoming known, means having to provide a clearly identifiable route for members of the public to make contact and have their request made known and acted upon.
What is almost of equal importance to becoming GDPR compliant is maintaining a new data regime. Regular reviews will put any emerging problems right, and remove the risk of sanctions, or having to undertake data overhauls. Qualified third parties will be able to make objective assessments, and also give advice on making improvements to data protocol, and use of data.
If it is necessary to refresh opt-in consent levels by contacting consumers, it is possible to use that contact to learn a great deal more about them, discover their real buying potential and purchasing triggers, and during that process sell or make offers directly to them. The compliance process can be used as an opportunity for improving market knowledge, driving sales or recruiting more customers.
Jeremy Whitaker is executive chairman of Verso Group.