By Tony Dowling, {grow} Community Member
Whether your business in based in Europe, or if you are based outside of Europe but working with European citizens, you’ll want to be learn about the new General Data Protection Regulations on the way.
The General Data Protection Regulations come into force starting May 25, 2018. If you are already compliant with current Data Protection legislation, you’ll have a great head start to make sure your marketing efforts are going to be on track.
But this isn’t the case for many businesses, especially smaller ones, where speed of thought and responsiveness are perhaps more important than adhering to every policy out there.
Data compliance under review
Chances are, unless you have been more than scrupulous with the collation of your marketing databases, you won’t be in a compliant position. And given the headache data processing and marketing is for most SMEs, for most, it will feel like a massive task to put right.
One person I spoke to even wondered in the case his data wasn’t compliant, was there any point even carrying on! However don’t despair, there are a lot of positives to take from this as well, not least the reputational benefits of General Data Protection Regulations compliance.
Check out the Information Commissioners Office for the word from “the horse’s mouth” and be aware there is a lot of less-than-accurate information around too. My advice is to seek professional and knowledgable help on these matters, and make sure you are going to be in a good place come May 2018.
Broadly speaking, there are three things you’ll need to do.
1. Data Extraction
Collect all the data you have – all the records, email addresses, and anything else that has customer’s personal records on it. It’s really important to make sure you get the data you have from whatever sources you have it in. These include the obvious places like email databases run by third-party apps and suppliers, to less obvious places like the mobile phones and laptops that people take home to work on, accounts data, campaign data, special offers, different lists and segments, etc.
There are probably a surprising amount of places where you’ll find personal data hanging around, and old unused lists and legacy systems that have kicked around for years.
2. Data Cleanse and ‘Re-permissioning’ or Gaining Consent
Once you have all your data in the one place, it’s really, really important make sure that the data is standardized. Every record should have the same fields, with the same rules (full names for instance, and no initials), be nice and clean, complete and accurate, and not containing any duplication.
It’s really easy to build different email lists and then re-combine those lists back into the main database. This can cause no end of trouble, especially if you accidentally recombine the ‘unsubscribe’ list!
One word of warning here. Be prepared for a significant drop off in volume of legitimate contacts in your compliant database.
I’ve seen databases reduced by as much as 85% due to poor data quality and management over a period of time resulting in duplicates and out of date / incomplete data.
On the plus side, this data is basically rubbish anyway, and you need it out of your marketing systems. It adds to your storage and processing costs, and the number of emails you’ll have to send, but does little else for you.
A highly targeted, clean list can result in as much as a 60% or 70% open rate, versus poor lists that can result in less than a 5% or 10% open rate. So the balance is a lower volume, higher performing campaign, versus a higher volume, poorly performing campaign.
Once that data is standardized and cleansed, you can go about your re-permissioning campaign. This is basically getting in touch with your lists and asking them for the permissions you’ll need in order to market to them in the future.
Be aware though, you’ll need a reason to contact these people in the first place, and a lawful reason that’s recognised by the GDPR.
- You already have the consent of the subject.
- Processing is required as part of a contract.
- Processing is part of a legal requirement.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
3. Data Design
This is where the magic happens. And this is where theGeneral Data Protection Regulations compliance gets baked into your systems. Its referred to as Privacy by design in the regulations. You will need to create a database, or data warehouse that allows for the collection of new data, and the storage and editing of your newly re-permissioned data.
Within the design, build in fields for all the data you need to store, and the permissions that you need to hold in order to legally communicate with the people in your database. You’ll also need to edit those permissions to accommodate the requirements legislation like unsubscribing and the publics ‘right’ to be forgotten – removed from your database.
This makes compliance very straight forward, as everything that is required is captured at source, and immediately available to demonstrate your good practices.You’ll also need the most up to date security in place, an aspect of GPDR that is often overlooked.
It sounds like a lot to do, but with the right partner, and a step by step approach, it can be made relatively painless.
The issue maybe is finding the partner, and making sure you aren’t paying for functionality you don’t need yet, and at the same time, making sure you are ‘future proof’ in terms of the demands you’ll be putting on your data in the years to come.
Whichever way you get there, get there you must! The regulations are in place from May 25, 2018 forward and apply to anyone doing business inside the EU, or with customers inside the EU, and thats a surprising amount of people!
But don’t panic, with a systematic approach and following the advice already out there, or following the advice of an expert you trust, you’ll be good to go.
Tony Dowling is a digital media guy turned marketing data geek, and runs a small transformation agency, Novo Consultancy, in the UK. Working with the GDPR Alliance in South Wales he supplies clients with a gateway to data and GDPR compliance solutions including ICT, Systems and Processes to ensure they are ready for May 2018.