In our last blog post, I talked about GDPR – the idea of consent, and how to get started with a GDPR compliance strategy.
While those were the basics and a good starting point for marketers, there are a number of specifics and nuances that need to be understood. Even if it applies just for EU citizens at the moment, I have a feeling it’s going to be implemented in some form or the other across the world. And that’s why we need to stay on top of these new practices.
Continuing with my learnings from the GDPR webinar by Marketing Week, here are some of the key pointers that marketers need to look out for:
Data Retention and Erasure
A key aspect of GDPR is to give EU citizens the right to consent, as well as take back consent for the use of their data. For marketers, this plays out in two ways:
- Data Retention: You have to tell your audience how long you are going to keep their information. Ideally, it’s best if every form states this in the fine print. If you are adding audiences to a larger marketing list, you should have a system in place that gives them the choice to renew their participation after a period of time. Which, if you’ve done a great job, they will want to do.
- Data Erasure: GDPR gives citizens the “right to be forgotten”. So if a contact states that they no longer wish to be included in your lists, you have to erase their information. It’s best if you specify your processes for data erasure within your privacy notices, so it’s easily understandable and accessible.
ITV’s Steve Forde says data retention and erasure policies should be one of the priority items for organizations working on GDPR compliance.
Data Profiling
We rely on our audience’s personal details to tailor our marketing communications. We segment and profile our contacts to make a more targeted offer. That’s how we create value, and make an impact. But we’ve got to be a little more careful about it, with GDPR.
Steve Ford mentioned that the basic level of profiling – based on age groups or geography, or other direct information that your audience has shared with you, is acceptable under GDPR. It gets covered under the legitimate interest. You simply have to mention the fact that you segment audience on the basis of the data they provide, in your privacy policy.
However, you might want to be careful when combining your existing data with third-party data on your contacts. For example: if you have third-party data that gives detailed demographic information on your contacts – interests, likes, dislikes, opinions etc – you should take a pause before you profile them based on this information.
While this sort of profiling isn’t restricted, you have to make sure your audience is aware of it. You have to give them a chance to allow or disallow this sort of profiling. The best way to do that would be to give them a choice via the check-boxes.
Using Social Media for Targeted Communication
With the kind of restrictions being placed on email lists, a lot of marketers are turning to social as their primary mode of communication. Personally, I feel that’s a good way to go in terms of increasing your audience base. Getting people to follow your brand on social platforms is relatively easier than having them fill out a form.
The webinar panelists agree that given the new rules, social media giants are also setting up new privacy policies to become GDPR compliant, at least in their EU operations, and brands have to ensure that they do the same.
So, if we are using audience data to retarget them on the social platforms, it amounts to data processing. That is something we have to inform our audience and give them the choice to allow or restrict.
GDPR Compliance Beyond EU
Moving towards GDPR compliance is a good thing because it inherently promotes better marketing practices. So why limit a good thing to just your EU operations. In addition, those regulations are aimed to protect all EU citizens. Not only residents! This means that every American, Australian, or expat in the UAE is protected by the new regulations. So if you collect information of Dual Citizens, you’re bound by the regulations. Think of Matt Canavan as an example of how far reaching that EU is..
DNA’s John Mitchinson feels that GDPR could serve as a basic data privacy and security policy across the organization, not just the EU. Marketers can additionally comply with any local data privacy laws in different countries if they demand any particular practices above and beyond the GDPR.
There’s a lot happening around GDPR, and even for marketers with the best intentions, things might get a little overwhelming at times. So here’s a list of GDPR resources that might be helpful. However, you might be looking for answers to your specific questions and those aren’t easily available.
But a really pertinent advice from Shell’s Rob French is that ‘don’t let that stop you’ from working towards compliance. His take on this is to document what you think is the right way to go, and then move forward with it. As long as you have the basic principles on consent in mind, you should be fine.
The way I see it, GDPR is a huge opportunity for marketers. It’s our chance to create a really effective communication with our audience and tell them that we care about their data privacy.
At Orange Sky, we’ve already started to implement GDPR compliant policies because it’s a great framework to improve our marketing practices sobre esto.
I truly hope more businesses will follow suit.
