Unless you have been living under a rock for a while – and a rock with no Internet connection whatsoever – you will be very aware that this week, on May 25th, the European Union’s General Data Protection Regulation (GDPR) goes into effect. It matters so much because it applies to every business that collects personal data from EU residents, regardless of where the business itself (or its servers) is located.
It is also widely regarded as the most extensive privacy protection law on the planet and it comes with potential fines that could hurt even the largest and wealthiest of companies; violations can be punishable by up to 4% of a company's annual global revenue or €20 million (nearly $23 million), whichever is greater.
But maybe the most important aspect that marketing organizations need to understand is how GDPR changes the requirements that need to be fulfilled regarding consent and purpose before any personal customer data can be collected and used.
Everything must have a purpose
The GDPR aims not only to protect the data of consumers, but to give them a high level of control over what data is being collected from them and what it is supposed to be used for.
GDPR prohibits excessive data collection. You can only collect personal data that is actually needed for the service or product you offer. Asking for a phone number or gender just to deliver an email newsletter or enable the download of a white paper is no longer going to fly.
This means that you have to rethink and redesign your campaigns and get rid of all data fields on your landing pages and other web forms that could be considered as excessive data collection.
Instead of asking customers to provide a broad range of information in one go (say, on a registration page), you might need to change to a model where you progressively collect the different data points. For example, a webinar registration page would not justify asking for a phone number or gender, as these data points are not needed for the purpose of delivering the webinar. If you offer a text-message based notification service, it would be OK to ask for the phone number, but you are not allowed to use the number for anything other than delivering that service unless you inform the customer and get their explicit consent.
It’s all about consent
Consent is another important prerequisite before obtaining any personal data. The new regulation requires companies to ask customers for explicit and affirmative consent before they collect and use their data – and, of course, to keep a record of that.
Customers must also be enabled to view, modify and even revoke their consent at any time. “It shall be as easy to withdraw as to give consent,” states article 7(3) of the GDPR. In other words, providing an easy-to-use web form to collect consent in the first place and then making it purposely difficult to revoke consent afterwards by requesting people to follow a complicated bureaucratic process that involves sending a signed paper letter would not be allowed.
For marketing organizations this has quite a few implications. You can no longer make use of registration forms that use pre-checked boxes, for example on landing pages for gated lead-gen content. Consent must be opt-in rather than opt-out, and you need to clearly inform people why you’re collecting their data and what you’re going to use it for. If your web forms come with either no information or ambiguous information about what the data will be used for, you must change that. “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” (Recital 39, GDPR).
What about my existing database?
The GDPR doesn’t distinguish between personal data that was obtained before or after the regulation goes into effect on May 25th. Data that was obtained prior to GDPR without explicit consent is not in compliance; there is no clause in GDPR that would allow such data to be “grandfathered in,” and there is no grace period either.
This is the reason why you probably recently received emails from companies asking you to declare consent again in order to continue receiving the marketing communications you subscribed to in the past.
You either have to obtain explicit consent from the people in your database or stop using their records; otherwise you risk getting into trouble for GDPR violations.
Consent is the new currency
With GDPR going live, personalized marketing and deep marketing analytics will only be possible with the permission to use personal data. This will also limit what large data providers like Facebook or Google can provide to their clients. Not only GDPR but also the recent data breach scandals have made these companies much more cautious about sharing customer data, and companies should no longer rely on them for personalized marketing. “Cultivate your own ecosystems based on consolidated, ethical data because consent is the new currency,” said Andrew Frank, Gartner VP and distinguished analyst, in his keynote at the Gartner Digital Marketing Conference 2018.