We’re only a few weeks away from the introduction of the EU’s General Data Protection Regulation (GDPR). What does it mean for our marketing? Legislation like this takes a long time to implement, so it’s coincidental that after many years coming together, GDPR should hit at the same time as political issues have drawn people’s attention to the scary amount of data businesses hold on them. Like most people, I’ve been astonished to find that Facebook has been lifting unrelated data from my phone. In some cases that’s included records of all our calls and text messages. So it’s unsurprising that even free-marketers who get worked up about so-called red tape accept that GDPR is a major step in the right direction.
As a really good background article on TechCrunch explains, “The EC’s theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.”
Under GDPR, individuals have the right to access their personal data; the right to have their data deleted; the right to transfer their data from one service provider to another; the right to require that consent is freely given rather than implied; the right to have information corrected; the right to restrict use; the right to object to their data being used; and the right to be notified urgently if there has been a data breach. What’s more, the fines can be huge. Some businesses have declared a Year Zero: last June, pub chain JD Wetherspoon announced that it had deleted its entire email mailing list.
I suspect that most businesses could fall foul of the regulations, and whether some appear to be made examples of may depend on the tenaciousness of awkward customers. The best approach may be to ensure that you’re making a serious effort to move in the right direction. I would task someone with writing a document which maps where all of the personal data in the business comes from and what happens to it. Get rid of data which isn’t used, and record the clean-up process: erase (not archive) by default. Specify who has access to the data and what security procedure is in place. Review your privacy statements and disclosures. And ensure that from now on, when people deal with you, they’re given clear information about what you intend to do with their details. If someone gives you a business card at an exhibition, they have not consented to receiving marketing material from you. That requires separate acceptance.
Not for the first time, the folks at Velocity have written a good piece. In “What GDPR really means” they say: “The really great news is that Generally Dickish Practice Retirement won’t affect you too much if you don’t have any generally dickish practices to retire. For good marketers, this is a huge opportunity. GDPR is like guttering against the deluge of crap marketing. If someone’s receiving rubbish from a company, they have the right (and ability) to make it stop. But the companies people want to hear from? They can get through without difficulty. And they’ll find a lot less competition in those inboxes.”