In order to limit the potential impact on consumers from companies leveraging all this juicy new data, EU data protection reforms will shortly be in place. This means digital marketers, and email marketers especially, need to be on top of them – particularly in terms of dealing with the new requirements for ‘explicit consent’ as well as the ‘right to be forgotten’. The implications are that organisations will have to remodel their workflows and processes to accommodate these new changes – including data collection, CRM, audit trails etc.
It’s no idle threat, non-compliant companies can be fined up to 4% of their global turnover or 20m euros, whichever is greater. Many brands have already been fined for breaching current Data Protection laws, and these are only set to be stricter under EU GDPR [General Data Protection Regulation].
Despite this, more than half of the companies (53%) have not yet adjusted their current activities accordingly which is a cause for concern (according to Econsultancy/Adestra Email Marketing Industry Census 2016). Of these, 31% of agencies and 24% of marketers are worryingly unaware of any legal changes that might affect their activities.
How will the UK leaving the EU affect the marketing industry in the UK?
Because the GDPR affects anyone controlling or processing personal data pertaining to EU Citizens within Europe, all countries need to comply with it whether they’re in or out. This is similar to the new Canadian antispam legislation (CASL), with an industry shift to focusing legislation on where the recipients are located, rather than the senders. What plagues consumers is the amount of spam, and how they have no control over it. It’s difficult to prevent some rather inconceivably generous Africans offering you too-good-to-be-true investment opportunities, or even phishing emails pretending to be your bank – and where these originate outside of Europe, we have no direct control. However, the GDPR makes provision for dealing with companies outside of the EU – and can even pursue them through international courts.
If we want to continue to trade with the rest of the EU we must meet all the regulations of the GDPR. Don’t forget, the UK had a lot of input into setting up GDPR – let’s not complain about it! It’s a good ethical process that ultimately helps consumers and marketers alike.
GDPR controls data privacy and consumers’ right to privacy, protecting against the use of personal data and profiling unless express permission has been given to do so. GDPR also defines consent. In the past, you might have assumed if a visitor to your event stand dropped a card in a goldfish bowl to enter a prize draw, it was ok to contact them. But have marketers been given express permission to contact them? New rules say they haven’t.
But it’s not quite as straightforward as that. There may be a change to the planned regulations for UK based organisations that deal solely with UK based citizens as the government are considering ‘GDPRlite’. How that looks in the cold light of day remains to be seen. Additionally, our current Data Protection Act (1998) doesn’t cover any specifics when it comes to using personal data for Email and SMS communications; that was covered by the Privacy and Electronic Communications Regulations (2003). These rules will still remain in force when GDPR becomes enforceable in May 2018. However, UK government is looking to give these a refresh and it is likely that the new PECR rules will reflect changes and challenges faced with electronic communications and personal data.
What will B2C & B2B marketing teams need to do in order to adapt?
The key consideration here is around consent. The new rules mean consumers need to give consent for their ‘personal data’ (i.e. a record identifying a legitimate living person) to be used by marketing teams to contact them with their offers/products/services. It’s not such a big change for B2C marketers, although they will need permission to profile their consumer data, such as cookie data and user behaviour; but they will need to make sure that they can prove how they got consent. They are under pressure to be more targeted, but need permission before they can do so, so it’s a catch 22.
The challenge is getting the right permission from the right people. Consumers giving permission to email them is very different from them giving permission to send targeted content. For example; you are purchasing a pair of prescription spectacles online and you are required to give your email address as part of the purchasing process. Unless stated ‘clearly and unambiguously’ this does not mean the retailer has permission to send the customer any marketing emails; only order related information. It is suggested that in this case a ‘tick box’ should accompany the online order form which the customer ticks (not unticks) to say they are happy to receive marcoms – a tickbox for each channel would be recommended.
With B2B lists, things are tightening up around consent and proof of consent. The official GDPR definition of consent, which applies to B2C as well, is complex: “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. This means that, using the event stand analogy again, the sales guy that takes your business card to send you more information needs to prove permission is given. So he needs to keep your business card/or scan it for future reference. In future, you will see companies using a sign-up process on a stand to get the right consent there and then – using an iPad with clear opt-in options. They may want to create a CRM event to show the leads captured with clear records to enable an audit trail. They can then use this to prove to ICO, if they need to, a clear comms trail down to the contact level. E.g. This person filled in a form at this event, then signed up to this, clicked this submit button, which triggered an email confirmation, and they then clicked here to confirm (this double opt-in method is recommended best practice).
How does Re-Permissioning work?
Another challenge for marketers is re-permissioning lists for consent purposes. In the definition of explicit consent it stipulated ‘free given’ which is taken to mean that a data subject should not have to consent to receive communications in order to download the whitepaper or whatever is on offer as part of the sign up process.
For example, when individuals download whitepapers, do they give consent to contact them? No, not explicitly. Just because they don’t say stop, it’s not the same as (or as good as) saying continue emailing me. Over the next 18 months, before the regulations come into law in 2018, we will see lots of re-permissioning type campaigns to establish clear consent. These could be dressed up as a personalised email asking if you want to continue receiving information on such and such topic, which will also improve relevancy at the same time.
Companies need to work re-permissioning into their budget this year or next year – especially as it impacts CRM systems in how they gather and record permissions. Don’t leave it until it’s too late – 25th May 2018 is the final date – but do plan and start putting it into action now.
What is your top tip for UK marketers now that the UK will be leaving the EU?
Keep calm and carry on. If you are already compliant with the Data Protection Act 1998 and the Privacy & Electronic Communications Regulations 2003, you haven’t got a lot to worry about. To help prepare for the GDPR, the ICO recently issued 12 steps to take now and more guidance is promised later in the year.
For email marketers, it’s critical to check permissions. Ask these key questions: What are your data sources? How have they been verified? Did consumers give us permission to email them? Can we prove it (and provide documentary evidence)?
Lastly, just because email is cheap, don’t forget to follow the fundamental marketing rules – better targeting means improved relevancy and engagement. Focus on delivering marketing your audience really wants, once they have given clear consent to do so. Simple.