What Businesses Need to Know Post-GDPR
We've learned a number of things in the months following the introduction of sweeping new data rules under GDPR -- some enlightening, some frustrating.
The initial influx of "we'd love to stay in touch" emails and much more upfront cookie and privacy notifications splashed across websites might have been a little tiresome, but on the face of it, they seem to have done the trick. However, the deeper, more far-reaching aspects of GDPR such as the right to be forgotten have yet to be properly tested.
While the dust settles and the mist clears, here's an overview of what we know so far and some tips on how to survive in the post-GDPR landscape.
No one is sure how email marketing works now
As businesses scrambled to preserve their mailing lists, hundreds of consent emails in varying formats and states of compliance hit people's inboxes just before the GDPR deadline. According to the Direct Marketing Association, pre-GDPR the average consumer was signed up to 12 mailing lists, but 80 percent believed that at least half of those weren't relevant to them. So, it's not surprising that many saw this as an ideal opportunity to unsubscribe. As a result, some businesses saw their mailing lists drop dramatically -- some brands have reportedly lost up to 80 percent of their marketable lists.
The truth is that many businesses may have sacrificed their mailing lists for nothing -- the legal position is that if you had consent to communicate with your list before GDPR, that consent probably carries over. Even if it doesn't, there are other approved reasons to continue communicating, including "vital interests" and "legitimate interests," which are sufficiently vague to cover most promotional activity -- in fact, they're described by the Information Commissioner's Office as "particularly flexible and may be applicable in a wide range of different situations." Until specific reasons for keeping personal data are tested in court, there is no established precedent and there will be varying interpretations of what is and isn't allowed, generally based on the company's public profile and attitude to risk.
The current state of play is that a significant number of businesses don't have a clear idea of what they can and can't do, which is why a Google search for "how to get around GDPR email rules" yields almost 30 million results. And this means that the legislation designed to protect consumers will simply see them receiving more specifically crafted prospecting emails, and more tangled justifications for sending them out.
Businesses aren't paying enough attention to the "right to be forgotten."
While marketing and sales teams were focusing on the immediate issue of email consent, other, more far-reaching parts of the regulations seem to have been overlooked so far. One of the most important parts of GDPR is the customer's "right to be forgotten" -- businesses have an obligation to remove or anonymize all the data they hold on a customer at their request. Customers also have a right to see their own data and receive a copy in a commonly readable format so they can exercise their right to transfer personal data from one product or service provider to another.
There's potential for this to be hugely disruptive to businesses -- research by media agency the7Stars revealed that around a third of people in the U.K. plan to exercise their right to be forgotten, and there's no way for most businesses, with their siloed processes and data systems, to comply with this without committing considerable resources to data extraction and reformatting. This is backed up by a recent survey conducted by ICSA: The Governance Institute, which shows that 78 percent of U.K. businesses are finding that becoming compliant is a huge drain on resources and a handbrake on growth and productivity, citing co-ordination between jurisdictions, group-wide solutions and third-party engagement as particularly problematic.
All that it will take to bring this issue to the public's (and the C-suite's) attention is a viral social media campaign that triggers consumers to ask for their data to be removed as standard when interacting with brands. Suddenly, everyone will realize that the majority of brands will be unable to truly fulfill this request.
The data originator is the data owner.
Data communication and management issues aside, the one clear principle which can be used to guide all others is that the person who originates the data -- has the email address, date of birth, purchase history, etc. -- owns it. He or she has ultimate control over how it is stored, used and passed on to others, and this should be the driving force behind every business's data strategy.
A lot of companies have yet to "get it" -- that a data strategy is a core requirement -- but it should be their key concern, starting now. U.S. data integration company Talend has found that 70 percent of businesses have failed to respond to requests from individuals asking for a copy of their personal data within the GDPR one-month deadline. With non-compliance penalties of up to €20 million or 4 percent of annual global turnover, it's not something these businesses can continue to ignore.
Tips for survival post-GDPR
1. Audit the customer database every quarter and ask:
- Is there explicit consent from every person on the list?
- Is there a vital or legitimate interest in keeping data -- e.g. it is client information, or the business is using it to prevent fraud or measure the effectiveness of business activities?
- Is the business up to date in removing everyone who has unsubscribed over the quarter or objected to their data being held?
2. Make sure data across all departments is harmonized and systems "talk" to each other.
- Build a comprehensive data strategy which acknowledges the need to facilitate customers' rights to access.
- Find and deploy a data integration platform which can extract data from any and all existing systems, including third party and legacy, and is able to present the information in a readable format.
- Regularly run data extractions so that the business knows it can meet GDPR deadlines and avoid hefty fines -- this has the added bonus of giving a snapshot of business activity, right down to individual customers.
- See the regulations as an opportunity rather than a threat -- getting data to work for the customer means it's also working for the business.
3. Remember the right to be forgotten.
- Make the right to be forgotten a specific part of your data strategy so that the business can't overlook it.
- Automate the process -- if the business deploys the right platform and arms its sales or service staff with the right data management tools, it can instantly and visibly demonstrate to the customer that their details have either been removed or anonymized. This kind of undeniable evidence of compliance is a win for both customer trust and GDPR observance.
- Make it easy for customers to leave and they'll find it easier to come back -- it's a tangible example of two-way loyalty.
- Work with GDPR to make customers' experiences reflect their requirements -- it can only drive the business forward.