General Data Protection Regulation (GDPR) is a European Union (EU) privacy regulation that was signed into law in April of 2016. By May 25th 2018, businesses worldwide need to be compliant if they hold any data from EU citizens.  However there is still a lot of confusion on how to implement the new legislation into your business and avoid the hefty penalties for non-compliance: fines of up to 4% of revenue or $20 million.

I’m commenting as a marketer, not a lawyer, so please do also take legal advice for the specifics of your organisation.  Whilst I’m no fan of EU red tape and extra legislation, I think the requirements for GDPR are broadly a good thing. By complying with them you will improve your marketing, increase return on investment, and clean up databases.  I won’t repeat the details of what is involved in GDPR, instead I suggest you click here to read the Information Commissioner’s Office summary of the legislation.

In essence, GDPR gives individuals more control over their own data and how it is used.  It expects businesses to be ethical in how they collect and hold data and avoid spammy tactics such as confusing ‘check for this’, ‘uncheck for that’ option forms.  Having a clean database in your business means that the money you spend on marketing to the database will be more effective and your digital metrics such as email open rates will improve.
So beyond all the legalese, what do you need to do to comply and how will your digital marketing be effective?

Let’s start by firstly looking at your website, where you will need to extend your privacy policy to make it clear how you use collected data.

The second step is to make sure you have a good CRM (customer relationship management) system in place, so you can store your data in a secure and organised way.

There are lots of CRM systems on the market, the two I often recommend for clients are Active Campaign or Ontraport depending on the complexity of the solution required and the size of your database.  If you’d like more specific advice on CRMs, get in touch.

You need to be able to prove where the data in your system came from (such as an IP address-logged contact form on your website) and what channels you have permission to contact that person through.  This means that if you want to send direct mail, emails and text messages, then you will need permission for each channel.

You are expected to not keep data on your system for longer than is necessary.  Unfortunately, this is where it gets a little bit woolly, because there is no specific guidance as to how long is too long.  This will vary by business – if you run an ecommerce business and someone hasn’t purchased from you in 2 years then there is a stronger case for deleting their data from your records than for an event which only runs once a year.  My advice is to consider your business type, the average number of times a customer buys from you (your customer lifecycle), and the frequency of purchase; then decide what is appropriate.

How is digital marketing affected?

Email marketing

You can continue to email market to your existing database but will need to get them to pro-actively opt-in to a standard compliant with the new legislation.  In practice, this means getting proof that a subscriber has agreed to receive marketing related emails from your company.  What is proof?  You need to be able to show how and when a subscriber opted in (or re-opted in).  This information would typically include the IP address of the subscriber and the form they completed.

If you are going to use the email address for other purposes such as combining with purchase history to send specific emails then you need to disclose this.

Remarketing advertising

Let’s look at this by remarketing advertising type.

If you are remarketing based on website visits then you need to make website visitors aware of this via your privacy policy and cookie opt-in.  There is still confusion about how specifically to implement website permissions, a bit like when the cookie control law was introduced in 2011.  Opinions vary from a soft opt-in such as the existing cookie control pop-ups to a specific landing page that requires people to choose their preferences before proceeding to their desired landing page on your site.

You need to get opt-in for all cookies on your website, even those that don’t track personally identifiable information such as Google Analytics.    If someone chooses not to opt-in to cookies then you need to obey their wishes and not track them.  You will need to make them aware that they may have reduced functionality on the website if they choose not to opt-in.

Remarketing using personal contact information such as emails or phone numbers.  This will continue to be permitted as long as you have collected permission to do it when you gathered the contact information (or asked people to opt-in again when cleaning old data).

Remarketing based on social media activity.  Permission to do this is covered by the terms and conditions of the social media website.  For example, a user must agree to Facebook’s terms and conditions when opening an account with the website.  If you choose to show adverts on Facebook to your Facebook page likers, then Facebook is holding the data (acting as a data controller) and is responsible for getting user permissions,  in order to be able to show adverts for your company to their users on their platform.

Lookalike audiences

You can continue to use lookalike audiences in your advertising.  Similar to remarketing based on social media activity, the social network that the lookalike audience is created in remains the data controller. You as the advertiser never get access to the individual contact details of the audience members, so are not a data controller.

However if you are creating the lookalike audiences from your website visitors then this must be included in your website privacy policy and cookie opt-ins.  Likewise if you are creating lookalike audiences using customer databases of emails and phone numbers, then you must have permission from the individuals in the seed audience to use their data for this purpose.

I hope that gives you some idea of how GDPR is going to affect your digital marketing campaigns in 2018.  If you’d like some more specific advice or help with implementing the new requirements, get in touch.

This is a commentary on GDPR as Blacktype Digital interprets it. This document is provided for informational purposes only and should not be relied on as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a qualified legal professional to discuss GDPR and its impact on your organization to ensure compliance. Blacktype Digital makes no warranties, express, implied, or statutory, as to the information in this document.