Q&A

How The GDPR Could Affect Your Marketing Strategy

A conversation with a team of GDPR Advisory Board experts

Marketing Do’s and Don’ts

As we wrote previously, the General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.

The GDPR will apply to anyone doing business in the EU that handles personal data — it doesn’t matter whether you’re based in the EU or not. One area of interest has been GDPR for marketers and a team of GDPR Advisory Board experts took time to provide straightforward advice and help for those with queries about this new EU legislation.

The following questions were answered by CIM (Chartered Institute of Marketing) which has worked in association with Me Learning to launch a tailored GDPR online course for marketers — GDPR for the Marketer.

Q: How will GDPR affect all different types of marketing for the retail sector, such as email marketing, loyalty schemes, and databases?

CIM: As a retailer, B2B as well as B2C marketing will be affected under GDPR. If you’re selling into the E.U. then, from May 25, 2018, the way you approach contacts need to be in a GDPR compliant way. Recently we’ve worked with the Chartered Institute of Marketing who worked with us to create tailored training specifically for the marketer. CIM has provided useful insights into GDPR for the retailer.

GDPR has an impact on a wide range of marketing activities including how data is used, how customers are contacted, and how data is held — which in turn affects email marketing, loyalty schemes, and general marketing activities. With potential fines for non-compliance amounting to nearly $25 million (€20 million) or 4 percent of a business’s global annual turnover, GDPR needs to be taken seriously and embraced by all organizations quickly and with diligence. It’s not all doom and gloom, marketers in particular should see the positive side of the new legislation which provides a once-in-a-generation opportunity to wipe the slate clean and radically overhaul the way customer data is collected and used.

Q: When should marketers start to embrace GDPR?

CIM: Now is the ideal time for marketers to persuade their organization’s financial team to invest in new data analytics tools — perhaps even those with predictive analysis and artificial intelligence (AI). By populating these tools with only the most important, useful, and legally compliant data, organizations will be able to operate in a far smarter manner, securing higher response rates for email marketing and driving closer relationships with customers in loyalty schemes.

Data rationalization should mean an end to customers getting multiple email mailshots because they appear more than once on a database (or are duplicated across legacy databases). Furthermore, having a single, consolidated view of the customer should also facilitate more informed responses when that customer engages with a call center or other service point.

Q: How do I get consent from my customers under GDPR?

CIM: It’s worth remembering when looking to deploy an email marketing campaign that after May businesses will no longer be able to include a pre-ticked box, which the customer must untick in order to opt out of consent. Instead, the customer must actively choose to opt in, giving their consent freely and of their own accord, without coercion, undue incentives or penalties. As such, gaining this GDPR-compliant consent should be among your organization’s top priorities in the run-up to the legislation’s launch.

The following question was answered by Piers Clayden, founder of Clayden Law and member of the GDPR Advisory Board.

Q: Do you expect most businesses in retail to be compliant in time for implementation or is there going to be a problem?

Clayden: Because of the lack of clarity in some of the drafting of the GDPR, and the slow release by the regulators of any useful guidance, it is going to be very difficult for businesses of any great complexity to say they are 100 percent GDPR compliant by May 25, 2018. But it is important they nevertheless try to move towards compliance as quickly as possible — we suggest taking a risk-based approach and prioritizing those areas where the business faces the greatest exposure or liability.

Q: What are potential pitfalls the retail sector should be aware of?

Clayden: These are the top five things to get right under GDPR:

  1. Demonstrating they are taking data protection seriously — up-to-date policies, record keeping, and staff training are all important elements of this.
  2. Ensuring the public-facing information notice reflects the reality of how the business actually does use and treat personal data behind the scenes.
  3. Ensuring the business has proper organizational and technical measures and policies in place to keep personal data safe and secure — having a robust information security policy which is actually adhered to throughout the business is part of this.
  4. Making sure that if the business were to suffer a security breach (i.e. in short where personal data was accessed outside of the organization without authorization) you would be able report this to the regulator (the information commissioner’s office) within 72 hours of becoming aware of this breach.
  5. Making sure that, where personal data is processed on your behalf by an external organization, you have contracts in place that meet the requirements of the GDPR.

Failure to comply with the GDPR could expose the business to fines, claims for damages from individuals, and perhaps more damagingly, loss of reputation

The following question was answered GDPR Advisory Board member Nick Richards, CEO of training provider Me Learning.

Q: Do all sizes of retail business need to have a Data Protection Officer? What about a single-site operation? A small coffee shop?

Richards: Not all organizations require a data protection officer. Under the GDPR, you’re obliged to appoint a DPO if you are a public authority (unless you are a court acting in a judicial capacity), if you carry out large-scale systematic monitoring of individuals or the processing of special categories of data, or you use data which relates directly to criminal convictions and offences.

The DPO’s job is to (independently) oversee GDPR compliance and advise staff who deal with personal data. They should have expert knowledge of data protection law and practices. It is crucial your data protection officer has no conflict of interests; so the DPO should not also be a controller of processing activities (for example, your head of HR). They should also not be on a short- or fixed-term contract and should not report to a direct superior or line manager (i.e. they should be senior enough to report to top-tier management). If you’re a small coffee shop you will need to comply with GDPR but you won’t need a DPO.

About Me Learning

Me Learning has worked in partnership with legal experts at Clayden Law to develop a comprehensive suite of GDPR e-learning courses which help to clarify exactly what organizations need to do in order to be GDPR compliant. To find our more visit www.melearning.co.uk/gdpr.

About The GDPR Advisory Board

To contact the GDPR Advisory Board please visit www.gdpr-board.co.uk by email info@advisory-board.co.uk.