If you have read anything about the General Data Protection Regulation (GDPR) – and a recent Econsultancy survey suggests 67% of marketers have at least read some of the Information Commissioner’s Office’s (ICO) guidance – then you might still be grappling with some knotty issues. Can I rely on implied consent? Have the rules changed for B2B? Are my interests legitimate? The list goes on.
But rather than getting too close to the legalese, marketers should take note of its key themes. Personally, I think the GDPR is as close as we’ll get to a religious text for data-driven, customer-focused marketers – that’s how powerful I believe it can be.
Firstly, the principle of accountability means that marketers can no longer fly by the seat of their pants. During a discussion at this year’s Marketing Week Live, Marketing Week columnist Mark Ritson nominated the word ‘agility’ to be banished to Marketing Room 101, saying the word is used as an excuse by marketers that have no strategy.
Well, accountability in GDPR means marketers in the midst of cooking up campaigns or new products will have to give much greater thought to planning and strategy as it pertains to data privacy. This includes not just recording what happens to personal data (what is collected, when, how it is processed and under what legal basis) but also applying ‘privacy by design’. That means data minimisation, pseudonymisation, and asking questions about the necessity of processing.
Marketers may have long parroted the line that they ‘put customers first’ but under GDPR they must back this up, putting customers back in control of their data and granting them their rights. As marketers we should be accountable to our customers. If we do not comply, we risk a fine but also, more importantly, irrelevance and reputational damage.
New thinking needed
There are many parts of GDPR that signal the need for a change in mindset among marketers. One is ‘purpose limitation’. No longer can marketers process personal data for a purpose incompatible with that which was specified when the data was collected. That means marketers must change how they view their databases – this is not data as an asset that can be mined whenever the need arises, it is personal data that the subject has control over and which the marketer must process only with complete transparency and accountability.
A related point is that of data minimisation, part of privacy by design, as mentioned earlier. Too often marketers have been of a mind to collect as much personal data as possible, to hoard it because it may just come in handy. Now it is clear in the GDPR that unless the data you collect is necessary for processing for the specific purposes outlined then you shouldn’t be collecting it or holding onto it. No harvesting location data just because you can, for example.
Alongside accountability, transparency is the second pillar of GDPR. This is where marketers should get excited. After all, getting our message through should be what we do best.
The gauntlet has been thrown down and we should be crafting privacy notices that are concise, transparent, intelligible and easily accessible. These notices need to be written in plain English and detail, among other things, the data subject’s rights, what processing will take place, how long personal data will be stored for and whom it will be shared with.
Marketers may have long parroted the line that they ‘put customers first’ but under GDPR they must back this up.
Crafting these messages and incorporating them neatly into the user experience flow might mean only a small tweak for some, but for others could be more of a job. Similarly, some businesses will already have methods to enable the withdrawal of consent and the right to be forgotten; others will have to build new functionality, making it as easy to withdraw consent as give it.
Transparency will only be achieved if marketing teams work closely with compliance, where relevant, to translate what needs to be conveyed into what customers will understand. This might mean just crafting some copy, or it could mean creating some video content to explain what will happen to personal data and the rights that individuals have. The point is that this sort of education should sit with marketing if we truly believe we are the voice of the customer.
Marketers at businesses using profiling or automated decision making (often using artificial intelligence or machine learning) will also be impacted by a renewed push for transparency. If this profiling is fully automated, processing must be done under a contract or consent basis (the latter is mandatory for special categories of sensitive data) or you may be required to regularly check systems for accuracy and bias, and feed any changes back into the design process.
It’s clear that, as we use AI-augmented martech more and more, we cannot ignore this issue of giving customers a look inside the box if they ask.
The GDPR text and the EU working party guidance make for a heck of a lot of bedtime reading, but the headlines are that marketers now have to do some of that stuff we said we did all along. No to pre-ticked checkboxes, yes to informed customers.
Ben Davis is editor at Marketing Week’s sister title Econsultancy.