Since the EU announced sweeping changes to its consumer data privacy and data protection laws in 2016, many marketers have been working out how they will be affected. Both B2B and B2C marketers have been poring over the legislation to evaluate how the law will affect the way they collect and use customer data. With less than a year to go before the General Data Protection Regulation (GDPR) is implemented, we thought it would be useful to highlight some of the key issues for B2C marketers.
What is the GDPR?
From May 2018, the GDPR will apply to all businesses that handle the personal data of EU citizens, with large fines for non-compliance. The goal of the legislation is to simplify existing data protection laws across the single market and to give private citizens more control over their personal data.
Over the last 20 years, there have been unprecedented shifts in how consumers use the internet, what they use it for and how they interact with their favourite brands. In the UK, the current legislation, the Data Protection Act (DPA), has been in place since 1998. It is generally accepted that the changes are long overdue, and that the GDPR will better reflect today’s ever-changing digital environment.
The effect on consumer data privacy
Any organisation that handles consumers’ personal information – e.g. name, location, email address, social media posts, IP address etc. – will be accountable. The collection of this kind of data has become increasingly crucial to modern marketing practices, so it is highly likely that you will need to prepare for the changes. But what to prepare? What are the main implications for B2C marketers?
A good way to start is to divide the issue into two separate parts:
- The new powers given to consumers
- The new responsibilities for marketers
New consumer powers
For consumers, the GDPR provides more control over what happens to their data – in particular, which companies collect their personal information. Following a number of high-profile data breaches, consumer data privacy is high on the news agenda. The general public has grown cautious about what their data is being used for, where it is stored and how long it is stored for. The new legislation has been influenced by these concerns.
As soon as the new legislation kicks in, consumers will have more power to:
- Make informed decisions about their data
- Withdraw their consent for how their data is used
- Decide which cookies to enable based on their function
- Opt out of decisions made by automated processes, like profiling
- Demand to see the personal data any organisation has collected on them, through Subject Access Requests (SAR)
- Ask organisations to delete their personal information, a.k.a. the right to be forgotten
New marketing responsibilities
The GDPR imposes stricter rules around consent. The days of pre-selected opt-in boxes are over. Marketers must offer options to activate and withdraw consent at all times, making all language clear, age-appropriate and unambiguous.
Marketers need to have this in mind at the outset of any campaign, so that their landing pages, blog posts, emails etc. meet the new requirements. As consumers become more careful about who and what they sign up to, mailing lists will inevitably take a hit.
So, marketers must find creative new ways to persuade customers that (a) they can be trusted over their competitors and that (b) their service/product/promotion adds value. When trust is established, privacy concerns diminish. The new changes give marketers the opportunity to build better customer relationships and become more competitive.
Profiling is an automated process that uses data to make predictions about behaviour, preferences and interests. Marketers use the technique to target ads and content more precisely at potential customers based on their interests. Under the GDPR, consumers will have more power to challenge and avoid marketing based on automated processes like this.
The GDPR emphasises that, in this case, it isn’t tracking consumers that’s the problem, it’s the decision-making aspect. The big shift is that consumers now have the right to know the consequences of the decisions being made for or about them. They also have the right to challenge the decision or opt out of the service.
The GDPR aims to protect people from a broad range of scenarios, especially those that have legal implications. These include evaluations based on “performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
In a discussion paper on profiling released this year, the ICO suggests that organisations need to be able to show that their automation is for “legitimate” reasons, i.e. that it is “necessary” and “useful” to consumers. The ICO encourages marketers to begin seeking feedback from consumers about profiling, cookies and consent. This will help organisations find a legal sweet spot and provide a framework to work within.
Everyone in an organisation, including marketers, must share the responsibility for GDPR. Employees are expected to be able to show why, how and where their company is holding consumer data.
The GDPR requires that organisations with more than 250 people employ a Data Protection Officer (DPO). Many smaller organisations are choosing to do the same, as they see the need for an expert within their organisation who knows the ins and outs of the GDPR.
If your agency or company is one of these, you should insist that the marketing team work closely with the DPO to establish any lines that can’t be crossed. This is a sensible way of ensuring that your future campaigns are fully compliant.
Are you GDPR-ready?
At bluesource, our goal is to ensure that everyone is prepared for the new legislation, and that includes marketing agencies and in-house marketers. We provide a range of assessments to help recognise where you are susceptible to the changes and understand what you can do to be fully compliant. If you’re worried that you lack the tools or resources, then get in contact and we can advise and assist you.