The European Union’s new General Data Protection Regulation (GDPR) is intended to protect the fundamental rights and freedoms of natural persons and, in particular, their right to protect and move their personal data. In practice, this entails a number of organizational and technical measures. Many people are not yet aware that this also applies to marketing.
Lacking knowledge and planning among marketers
As shown by a European Business Awards (EBA) study, 28 percent of those surveyed had no knowledge pertaining to the GDPR. This is quite alarming considering the fact that the new regulation enters into force in May 2018. It is therefore no wonder that more than a quarter (26 percent) of surveyed business leaders indicated that they may not meet the deadline.
The biggest problem is that many companies don’t know where their data is stored or who has access to the personal data. In addition to this, the deletion periods are not known in many European companies. It is therefore no wonder that these firms are having difficulties structuring their data and assessing it accordingly. In many cases, marketers also have little knowledge of this. 50 percent of the respondents to a survey conducted by the Chartered Institute of Marketing admitted to not fully understanding the GDPR and its impact on marketing. But what exactly will marketers be faced with?
- Written consent for data collection: While consumers previously automatically agreed to having their data collected (e.g. using cookies) simply by using a website, they now have to explicitly give their consent either in writing or via mouse click. Genetic and biometric information are now also included in the legal definition of “personal data”. To meet these requirements, companies now have to implement user interfaces for consent (opt-in) that are intuitive to use.
- An “Unsubscribe” link: In the future, consumers must be given the option to revoke their opt-in consent quickly and without entering any access data. If they do this, they have the right to take all of their data with them or delete the information. Companies must therefore provide a simple opt-out procedure and ensure the data is deleted promptly and verifiably on consumer demand.
- Clear formulation of all planned methods and purposes for data collection: This is necessary, for example, if companies collect data automatically using cookies and profiling. Website operators also have to inform their customers of any risks associated with collection of this information and which security measures the company is using to combat these risks. Properly formulated legal texts for impact assessment serve as the basis for this. At the same time, companies are required to save and ensure the security of all communication with the customer and all collected information.
- Inform customers of the type, use and jurisdiction of personal data in the most timely manner possible: This can be quite costly, because companies must specify exactly which instances collect data to what extent, and who the responsible data officer is. To ensure this, structured processes are required to quickly recognise customer enquiries and provide sufficient answers.
There are a lot of regulations for companies to observe in the future. The defined level of penalties is forcing companies to act quickly and comply with the new regulations. However, one stipulation of the GDPR should make marketers happy: personalized advertising is allowed by law! Whereas previously any data not found in the phone book could not be used for marketing purposes, this has now changed. If companies ensure the protection of personal data on their company website and have obtained consent, then they can directly address new customers. Using a structured data warehouse architecture and clearly defined data collection, they can create the required foundation for personalized marketing. Of course, the appropriate data protection has to be provided.
Against this background, companies should quickly recognize that, despite all the challenges, the GDPR also offers a great opportunity. If data is collected and stored properly, hyper-personalized messages can be sent to consumers. Those who still need more information about GDPR requirements can find various resources online.