The Long View

Data in perspective

As new data regulations come into force, marketers must ensure best practice is met across compliance measures. For consultant Bilal Ghafoor, it's about putting the customer first

Words: Martin Bewick

For marketers, the moment has almost arrived. The long and winding road that ends with the introduction of the General Data Protection Regulation (GDPR) has brought us to it becoming law on 25 May. With plans for its take-up already actioned across organisations, now is the time for marketers to take a step back and consider the place of the customer in the practical outputs created from the new regulatory framework.

What can marketers now do for the customer to ensure that the transition is seamless? For example, are standards of best practice being met across compliance measures? Remember, too, that May is not the end of the journey. Indeed, for customers, it's more like the beginning.

"May is not a cliff edge," says Bilal Ghafoor, a GDPR consultant in the charity sector who has advised Macmillan Cancer Support, Parkinson's UK, and the NHS on data protection issues. "My advice, when it comes to communications, is that if you haven't yet sought your customers' consent to contact them, or if you're not sure you have it, is to go and get it."

Privacy in electronic communications

Ghafoor also suggests that for marketers rushing to attend to GDPR concerns, the place to start is a regulation that has been in place for 15 years.

"If most of your marketing is electronic, via email, social media and SMS, it can be argued, and this might sound counterintuitive, that GDPR should not really matter very much," he says. The reason for this is the Privacy in Electronic Communications Regulations (PECR).

PECR entered the statute book in 2003 and already restricts unsolicited marketing by phone, fax, email, text, or other electronic messages, by requiring organisations to gain specific consent in advance.
The best way to obtain valid consent, the Information Commissioner's Office advises, is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you. This familiar safeguard may make GDPR implementation easier for some marketers.

"Basically, it's already unlawful to email someone a marketing communication without their consent and most marketing already operates with this understanding," says Ghafoor. What GDPR does is to spell out more explicitly that message around consent, as well as answering questions of where you got your data from, how old it is, where it's stored, and how long you can keep it.

Ghafoor says that even with applications such as Facebook Custom Audiences (which allows marketers to retarget Facebook ads to users who have visited and interacted with a website) or Lookalike Audiences (which helps marketers find more people on Facebook who resemble that audience), the long-standing principles of consent still apply.

The bottom line is that marketers should already be upholding it. PECR has been updated two or three times since 2003, but the basic idea of consent hasn't changed. It is due to be updated next year, however, so marketers should keep a look out for any changes.

The data most people hold today is likely to have been acquired in the past two or three years, and should have been gained through an opt-in process. But, if a customer has signed up to receive a monthly email update from you and, for example, you want to cross-sell to them, that's different. They might not have agreed to that, and that's where GDPR comes in.

One crucial point is also vital to remember: organisations can only rely on pre-GDPR consent if it is now GDPR compliant.

Asking permission

"The key, when you're gaining consent," says Ghafoor, "is to tell people what you're going to do with their data."
You shouldn't get consent to send someone an email about toasters and then six months later think 'oh, they're interested in white goods' and start sending them emails about microwave ovens. Communications should always be about the service or product people have requested, and there must always be an opt-out option, too.

There are also what are known as 'soft opt-ins'. If, for example, there has been a failed transaction, you can send that prospect a marketing communication because they have expressed an interest in a product or service. The same applies if someone has made a transaction and left the opt-out option blank: organisations can still assume their consent.

"You're only allowed to send a limited number of communications to them in the period afterwards," adds Ghafoor, "and it must be about the same product or service and, again, there must be an opt-out option."

Third-party data

If you buy lists from other people, you need to know where the data comes from. Are the people on the list fully informed that the list has been sold on? Is it clear and transparent to everyone how the data will be used?

Remember too, that marketing is just one component of an organisation. This means you need to look at what the rest of the organisation is doing to make sure customer lists and data are kept safe, and that people are kept well informed about their rights.

List management

Don't make the mistake that Honda and Flybe made. They looked at their customer lists, weren't sure if they had consent to contact the people on it, and emailed their entire databases to ask for consent, including all those who had previously opted out of receiving communications. They got fined for it.

The critical thing is not to annoy people. Emailing people to ask to opt in to receive marketing communications is, in itself, a marketing communication. The best advice here is to exclude everyone who, for example, hasn't interacted with you for a few years.

The amount of time it takes for a customer to be considered as lapsed will depend on your organisation. If you're a fridge manufacturer, your customers probably won't buy from you every three years; it might be eight or 10 years. So the way to think about how old your customers are, is to look at your purchasing cycles. In other sectors, if you haven't heard from a customer in a year then, essentially, they're gone. It needs a sensible decision based on who your clients are and only ever seek to contact the people that might actually have some value for you.

Make it friendly

Ghafoor adds: The next thing to do is think about the content of the message that asks for consent. Why not do something charming? For example, one of my clients used a countdown system of emails offering chances to opt in to a newsletter. The final email was a blacked-out, redacted newsletter, which illustrated how customers might miss out if they didn't opt in.

People like that creative type of message. Some have offered the inducement of a competition to win a money-off voucher, for example. But that's not what people want; they don't imagine they'll win it.

I think, however, that after 25 May these types of emails will drop off, as anyone still sending them will look like an outlier and it will raise suspicions that they might be doing something unlawful.

In the end, pretty much every organisation wants to send out some communications. You can have the most brilliantly cleaned-up list, with everyone aware of their rights, but if you haven't got opt-in, the data is dead. You might as well just delete it. So make sure you've contacted the people you can, give them the option to opt in, and build from there.

GDPR and customer consideration

DATA CONTROL
Categorise your data, and understand how it's processed and stored. Itemise why you need that information and for how long you need to retain it.

RISK ASSESSMENT
Draft a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) of security policies to determine risk exposure and available protections.

SUPPLY CHAIN
You are responsible for your data, wherever it's held. Where there is doubt, err on the side of caution and pursue the highest bars of compliance.

SECURE YOUR TECHNOLOGY
Evaluate your tech, review your encryption capabilities and sense-check your security to highlight potential weak spots.

INTERNAL COMMS
Write and circulate appropriate policies on subjects such as data access, data retention and how data is required to be handled. Make sure policies are seen and understood by employees, external vendors and partners.

STAY AHEAD
GDPR planning doesn't stop in May. You need to stay on top of any changes to the implementation of the regulation, and have processes that are adaptable.

Source: Box cloud content management

Read more about GDPR training for marketers: cim.co.uk/exchange