by Jonas Ander, Chief Marketing Officer at Nortal, March 27, 2018
The article was first published in Communication Director, Issue 1/2018.
Everyone knows the power of data. Now the European Parliament and Council are handing you the greatest reason ever to put that data to work. The reason is the GDPR, an acronym that’s striking fear in the hearts of many, but should rather be greeted as an opportunity. What some well versed in the GDPR don’t know, however, is that the “D” in GDPR is wide-reaching. It’s not primarily AI and VR data – we’re talking about every little bit of personal information stored in your CRM and other databases, web technology, social media clicks, smartphones and even smart meters which show water consumption.
The GDPR requires you to build privacy safeguards into every digital product, service and website – and the default privacy settings for these must be in the “on” position. It’s not just Europe, either: it applies to anyone who does business with the European Union’s residents. Starting May 25, violators will be looking at fines of up to 20 million euros or four percent of their global turnover, whichever is higher. And that doesn’t include what the bad publicity will cost them.
If four per cent of your global turnover isn’t reason enough to get your data in order, consider the fact that the way many companies use personal data is already annoying the customer. The Wall Street Journal recently reported that 90 per cent of organizations claim to focus on personalising the customer experience, but only 40 per cent of shoppers say the emails they receive are relevant.
Take me, for instance. Last month I booked a Paris hotel room online only to immediately begin to see ads suggesting I spend a weekend in Paris. I received the ads only after I’d already bought the service. If the booking website had bothered to use transaction data, instead of just discovering that I was lurking on their website, I’d be a far happier customer. I’m still receiving two emails a day. It’s 2018 and this kind of thing doesn’t have to happen.
Equally important beginning May 25: it’s a use of data that customers don’t mind. If it isn’t exactly news to anyone that data can be used to improve the customer experience, why aren’t more companies doing it? It’s because many companies don’t even know what kind of data they have. Bigger and older companies are sometimes put off by the prospect of merging 15 different CRM systems, legacy systems and data coming from everywhere. But the GDPR has now given them a reason to take action: not complying will be more expensive than doing what they already should have done.
My view is that companies will need to choose one of three approaches:
1. Panic. The most risk-averse approach is to seek consent everywhere. Without consent you remove a person from your CRM. You even strip personal data from company cell phones. But since consent is not the only possible legal way to process personal data, this approach seems extreme to me.
2. Screw it! Some will take the position that as long as you’re not completely stupid, the GDPR won’t affect you. They’ll say that if you’re not spamming you’re probably okay. This may be theoretically true, but FlyBe and Honda ran into trouble in early 2017 with electronic marketing campaigns. They were fined for sending marketing emails to consumers without their consent. Honda’s mistake could have happened in any massive organization where data is collected in many places by a variety of people. Yes, it was preventable and they should have been more careful, but if it can happen to Honda it can probably happen to you, making the “screw it” approach not my first choice.
3. Keep calm, and market on. I advocate the middle ground, which means that you document everything about how you process data internally, have a person in charge of managing your data, and base your activities on legitimate interests whenever it is legally possible. Weigh your company’s raison d’être against the hassle of having to obtain consent in order to process the data of individuals. If you don’t need consent under national law, you may in certain situations rely on legitimate interests for marketing. In particular, email marketing could indeed be considered a legitimate interest from time to time. Another proponent of the middle ground approach is my company’s senior marketing automation consultant, Mathias Jonsson. “Shit happens and will continue to happen,” Mathias says. “You have to take precautions, and if it happens you have to inform people.”
Your first step is to clean up your data and take an inventory of everything you have. Don’t forget your Excel lists and sales lists stored on SharePoint or elsewhere online. These are also subject to the GDPR. Once you know what you have, start to consider whether keeping that data has a legal basis, such as your legitimate interest as a commercial enterprise.
Perhaps you keep a list on Google Drive of everyone you sent a corporate Christmas present to in 2014. (Was that the year you gave the cheese plate?) You will either need to erase this list or stipulate that you’re holding it because you plan to give the same people a Christmas present in the future. This may be your legitimate interest. (You could also view the GDPR as an argument not to give crappy presents.)
Carefully consider the personal data you hold, whether in emails, Excel files or elsewhere. Perhaps you have iPhone data about customers’ heart rates. Marketing to those people about walking more steps would not only be a bit creepy, it would probably be unlawful unless you have explicit consent from the customer.
Abuse of mobile phone data is also where the higher fines may come in. The companies most affected will be those who possess the “creepy” data – Google, Facebook, and Apple. It remains to be seen how these companies will choose to deal with this data.
Of course you should have begun examining your data a year and a half ago. But if you didn’t, and if you start right now, it will likely take a minimum of six months until you’re ready to follow best practices. While it’s impossible to say what it will cost your company, the GDPR compliance readiness projects my company, Nortal, has worked on have started at around 500,000 euros. For bigger companies it can even exceed 10 million. The good news is that this is money well spent – do it right and the money you spend on compliance can eventually produce a positive ROI. After all, you’ve long known about the power of data. Look at the GDPR as the best excuse you’ll ever have to finally put that data to work for you and your customers. I’m not usually one who cheers about more government regulation, but the GDPR really is good for everyone involved.
Consider this: how you use data will be a huge part of your brand perception in the future. Think of the way corporate social responsibility is viewed today and you’ll have an idea of data’s future importance when it comes to corporate image. Not only will the correct use of data allow the hotel booking sites to stop annoying me, they’ll be able to put their marketing money much lower in the funnel. What they spend will produce a much higher return. Marketing communicators will quickly come to understand that better use of data can actually produce a better society. Those who think this way will thrive under the GDPR.