When the General Data Protection Regulation (GDPR) came into force on May 25 2018, the vast majority of companies doing business in the European Union, or providing a service to individuals based in the European Union, changed their business and marketing practices in order to avoid the potential fines under the new data protection law.
Customers and clients were asked to reaffirm their membership of email lists and to confirm their permission for various kinds of tracking of their website viewing behaviour. It was no surprise that a considerable number of people declined to renew memberships and revoked authorisations they had previously given. This created a new challenge for Information Technology and Marketing departments, which rely on such information to track the success of their marketing campaigns, among other things. They must now find new ways of earning enough trust from the people viewing their platforms that those people will grant these permissions, so that the data can be used in campaigns that are fully compliant with GDPR.
There are a number of steps that companies should complete in order to demonstrate that personal data is being used in an honest and GDPR-compliant fashion:
- Embed personal data sharing controls into existing, already-authenticated customer touchpoints. This allows customers to change, re-establish or revoke their consent at any time, and gives them full control over how their data is going to be used.
- Complete privacy impact assessments (PIAs) to show how personally identifiable information (PII) is gathered, used and distributed. PIAs make privacy by design the default in a business. Because personally identifiable information can be present across a variety of platforms, including cloud-based applications and internal utilities, every store of such data needs to be inventoried. If a company can show that it takes a risk-based approach to data protection, deleting, encrypting or redacting data according to its sensitivity, the trust relationship between company and consumer will be stronger.
- Customers should be made aware that, in the unfortunate event of a breach, a breach notification will be submitted to the relevant local data protection authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, and that affected individuals will themselves be informed where the breach is likely to put their rights and freedoms at high risk.
- Giving consumers more fine-grained control over how their private data is managed is likely to make them more willing to take part in the marketing campaigns you run, and to allow you to track the metrics that measure the success of those campaigns.
- Ensure that all third-party partners are compliant with GDPR. Make sure that all software, including CRM, marketing automation and SEO tools, is GDPR compliant, and that all staff with access to these systems have been trained to use them in a GDPR-compliant manner.
With the advent of GDPR, customers are becoming more aware of what their data is being used for and of how companies must comply with the legislation. The introduction of GDPR has also seen increased activity by privacy advocacy groups across the E.U. who are keen to ensure that all companies act responsibly in how they handle and use personal data. The implications for a company found to have infringed GDPR are severe: the highest possible fine is €20m or 4% of the previous year's global annual turnover, whichever figure is higher.
All companies doing business in the European Union should move quickly, if they have not already done so, to build a trusting relationship with their customers in the GDPR environment.