Countdown to compliance: What marketers need to know before the GDPR deadline
As May 25 approaches, contributor EJ McGowan suggests three important tenets to keep in mind while revamping your data practices.
The clock is ticking for marketers to comply with the European Union’s General Data Protection Regulation (GDPR). In fact, a recent survey found that 87 percent of marketers are unfamiliar with the upcoming mandate. (And even those who are aware of it may be operating under misconceptions.)
With just a few short weeks left to prepare, companies that communicate or conduct business with EU citizens must change their current marketing practices to avoid large fines and better protect consumer data.
While many marketers may leave compliance to their IT and cybersecurity counterparts, the truth is that marketing departments are greatly affected by this regulation due to the way they collect, share and use personally identifiable information — all of which are protected under the GDPR.
Among other things, marketers must now rethink their subscription process in order to become compliant. Keeping the following tips in mind can help marketing decision-makers take essential steps toward bringing their efforts up to code and remaining compliant in the EU and across the world.
(Disclaimer: I’m not an attorney, and this column shouldn’t be considered legal advice. Be sure to discuss compliance with your own legal counsel.)
1. You must receive explicit permission: Add permission agreements to all subscription and sign-up boxes
One goal of the GDPR is to help consumers better understand who has their information and how it is being used. The regulation makes it imperative for marketers to look at all aspects of the data collection process and receive explicit permission from consumers to store and use their information. According to the regulation, permission to use personally identifiable data should be “freely given, specific, informed and unambiguous.”
In practice, this means companies need permission to send emails and text messages to subscribers and can no longer automatically add emails to lists. Companies now hold the burden of proof and must store a record of when and how the subscriber opted into communication.
To do this, marketers should add an exclusive checkbox at the time of subscription for subscribers to actively click and state they are allowing correspondence. This agreement can be as simple as “Yes, I agree to receive email, phone calls and texts from your company.”
2. Marketers must be clear and transparent: Use simple language
Under the new regulation, brands must be clear and concise about how they plan to use consumers’ data. This includes disclosing whether they intend to share information with other brands or third parties.
While marketers will be challenged with becoming compliant, there are also benefits of implementing these mandated changes. By being clear about their intentions and letting subscribers easily determine what benefit they will be receiving by sharing information, marketers will increase transparency between their brand and consumers.
In order to meet GDPR requirements, marketers must use plain language and keep messages short. If information will be shared with another brand, marketers should clearly state they will be providing data to another company and the reasons for doing so.
Common examples are entering current subscribers in sweepstakes or providing information to a partner company hosting a webinar that a subscriber expressed interest in viewing. In these cases, marketers must make their plans and intentions clear and give subscribers the option to opt out of participation.
3. Consumers have the right to be forgotten: Implement a process to delete information
Security breaches are increasingly being pushed to the forefront of consumers’ minds and raising concerns about the personal information shared with brands. The GDPR allows concerned consumers to conduct a digital cleanse and choose to remove their personal data from brands they no longer interact with. For marketers, this means having a process in place to permanently remove or anonymize all information upon request from consumers.
To comply with this clause, businesses must enact a process and utilize a system that allows marketers to quickly find any personally identifiable information and remove or anonymize that information. According to an online survey conducted by Solix, two-thirds of organizations are unsure whether their current processes result in an individual’s personal information being purged from all systems forever. But this is an essential move for marketers to strengthen consumer trust and remain compliant.
Businesses around the globe are racing against the clock to become GDPR-compliant, and marketers need to accelerate their compliance strategy as the clock ticks closer to May 25, 2018. CMOs, marketing managers and all marketing decision-makers should elevate GDPR compliance conversations to ensure it is a business priority.
Opinions expressed in this article are those of the guest author and not necessarily MarTech.