The GDPR has been in place since 2018, and yet the number of violations is still rising. This article explains what marketers need to know about the GDPR and how they can ensure compliance while still creating the most relevant, personalised communication possible.
If you’re based in Europe and work in marketing – or use the internet at all – then you have been affected by the EU’s General Data Protection Regulation. The GDPR has been in force since 2018, and in that time regulators have already issued over €1.28 billion in fines. The pace is picking up, too: according to Finbold, the number of GDPR violations rose by over 113% from July 2020 to July 2021, and the total value of fines surged by 124.92% over the same period.
It goes without saying that you do NOT want your company to end up with a massive fine.
So, how can you, as a marketer, do your part to ensure that your company is GDPR compliant – while also doing your job and sending personalised communications that boost conversions?
This article is a collection of the best practices for compliance as developed over the last three years, paired with information on how to enact these practices within the Agillic platform. Please note: this article is by no means comprehensive and should not be substituted for legal advice. Please read the full GDPR here, and seek legal guidance to ensure compliance.
How does the GDPR affect marketers?
To comply with the GDPR, you need to know how it will impact your work – so let’s go over the basics.
Under the GDPR, you may only process personal data when doing so is lawful and fair, and when it is transparent to the individual how and why their data is being used. You may only collect the minimum amount of data necessary to accomplish your stated purpose. That data must be accurate, kept confidential and securely stored, and data controllers must be able to demonstrate their GDPR compliance at any time (the “accountability” principle).
As a marketer, your work is most impacted by the GDPR as it pertains to consent, data access and data scope.
Consent: As a marketer, the two lawful bases you will rely on in practice are clear, recorded consent to process the data, or a “legitimate interest” in processing someone’s personal data. (The GDPR lists other lawful bases in Article 6, such as performance of a contract, which is what actually covers invoicing a customer, but they rarely justify marketing messages.)
To collect data and send communications to an individual on the basis of consent, that consent must be “freely given, specific, informed and unambiguous”. When gathering consent, you must make the request in clear, plain language and present it separately from other information; pre-ticked boxes do not count. Keep a record of the permission (what was agreed, when and how), and know that it can be withdrawn at any time, and that withdrawing must be as easy as giving it.
The only relevant alternative basis for marketers is “legitimate interest”. What constitutes a legitimate interest is ambiguous: it can cover some marketing materials, such as transactional emails or even upselling messages like abandoned-basket reminders, but caution is advised when collecting data or sending communication under legitimate interest. In practice you must document a balancing test showing that your interest is not overridden by the individual’s rights, and you must remember that the ePrivacy rules in most EU countries still require consent (or an existing-customer “soft opt-in”) for electronic marketing regardless of the GDPR basis you choose. For a comprehensive exploration of what “legitimate interest” means, please read this article.
Data Access: Data subjects have the right to be informed about how their data is used, and to access, correct, restrict the processing of, or have their data erased. They also have the right to data portability, the right to object to processing, and rights related to automated decision-making and profiling. They can exercise these rights at any time, and you must be ready to show what data you hold on them, where you are storing it, how you are using it and why.
Data Scope: You are only allowed to collect the minimum data necessary to achieve the stated purpose. If there is another, less intrusive way to reach your goal, then the data collection is not warranted and therefore not lawful. You must be able to demonstrate and justify what data is being collected and held, and why. In practice this means obtaining separate, granular consent for different uses. For example, you would need separate consent to communicate via email, via SMS, and to track a user on your website. You would also need separate consent to send product-related content and to send company-related content. Personal data may only be used for the specific purpose for which it was collected; fresh consent must be obtained before it is used for any other purpose.
You may also only store personal data for as long as is necessary for the purpose your organisation collected it for. Establish a retention period after which stored data is reviewed or deleted, and check at that point that what you keep is still up to date and accurate.
Best Practices for GDPR
Despite the restrictions it puts on your ability to collect and use data, the GDPR essentially pushes marketers to do better work. The law only allows marketers to contact people who want to be contacted, for the topics that they are interested in. Ultimately, it forces you to send out more relevant communications to a more receptive audience. Read on below to learn how you can market effectively while complying with the GDPR.
Keep your recipient database clean and organized
Ensure that you have obtained opt-in permission for ALL of your contacts. Should contacts choose to withdraw this consent and opt out, make sure the opt-out is honoured across all of your systems; keep a suppression record of the opt-out rather than simply deleting the contact, so that a later import from another system does not silently re-subscribe them. Segmentation is key: since you have to collect permission to contact subscribers separately for different channels and communication types, make sure that your contacts are clearly separated into the categories for which you have permission to contact them.
Align with third parties
If third parties have access to the data you collect, minimise the number of people with access. Any vendor that processes the data on your behalf is a “processor” under the GDPR, and Article 28 requires a written data processing agreement with them; make sure one is in place, that the vendor can demonstrate its own GDPR compliance, and that it is storing your data securely.
Align across departments
Run opt-in campaigns
Utilise other channels, such as social media, your website and your app, to prompt potential customers to subscribe to your contact lists. Offer them a discount, freebie or piece of content in exchange for their permission, and tell them what they will gain from your communications. Best practice is to run a double opt-in campaign, in which the subscriber confirms via a link sent to the address they entered; this verifies that the address is correct and actually belongs to them, and gives you a timestamped record that consent was freely given. This is how you set up a double opt-in campaign in Agillic.
Once you have a recipient’s consent on one channel, or for one purpose, use that channel to ask for consent for other channels or categories by running campaigns that illustrate the benefits of receiving these other communications from your organisation. Read about how to manage permissions in Agillic here.
Create strong processes
Make sure that you are ready to demonstrate your compliance with the GDPR. Create a page on your website where customers can submit requests about their data. Designate a team member to check for such requests, and ensure that they know where to retrieve the required information. Read our guide on how to make a GDPR export in Agillic. Requests must be answered within one month to be GDPR compliant; this can be extended by a further two months for complex or numerous requests, but only if you tell the individual within the first month. Finally, prepare communication materials in advance so you can respond quickly if a data breach does occur: a breach that risks individuals’ rights must be reported to the supervisory authority within 72 hours of you becoming aware of it, and affected individuals must be informed without undue delay where the risk is high.
Fundamentally, the GDPR is there to protect customers’ privacy and mitigate risk of harm due to misuse of their personal data. While it does present some challenges, the GDPR makes your marketing stronger by making sure you are sending targeted and personalized messages, only to the people who really want to receive them. Our Product Specialists have compiled an article about how to use the Agillic platform to comply with GDPR; please read the article for more information.
Take a look at how other businesses are achieving their goals by delivering personalised customer experiences.