Could Marketing Tech Hold the Key to GDPR Compliance?

The upcoming General Data Protection Regulations (GDPR) have plagued marketers’ thoughts for months now, with many industry professionals wondering how they’ll do their job compliantly when the complex legislation is implemented this May. The ICO website is certainly the place to go for details about the legal intricacies of GDPR, but when it comes to real-life adherence to the rules, what role will marketing tech play? Force24’s commercial director, Nick Washbourne, offers some thoughts in this DemandScience guest blog…

As an industry, the world of marketing has been talking about GDPR for months. As a company, we’ve been thinking about it for even longer.

That’s because there can be no denying that it will change the way that thousands of marketers capture information, store data and communicate with their contacts. And the changes, for many, will be vast. The risks of non-compliance are simply too great to ‘hope for the best’ when it comes to adherence to the rules. People need to be clued up and ensure their processes fit the bill.

As a UK-based provider of a marketing automation platform, we’ve not been able to bury our heads in the sand either. We know that to stay on the right side of the law, marketers need to work with compliant partners. So, we made a conscious decision, very early on, to ensure our tech ticks all the boxes. Because isn’t that why technology exists, in any walk of business life? To alleviate administrative, resource, and compliance pressures?

We embraced the impact that the upcoming data protection regulations will have, and this is the first important point to make—GDPR should not be seen as a bad thing.

Thinking More Carefully About Data

GDPR will force all marketers to stop and think about their ‘data subjects’ or contacts. The days of lazy, impersonal batch and blast emails will finally be over. And isn’t it about time?

Yes, some marketers will need to work harder as a result but, by delivering better, more contextual journeys, they will undoubtedly reduce their costs and achieve greater ROI. This is a positive step!

The Need for a Privacy Policy

Because one of the key premises of GDPR is that data should only be collected fairly and lawfully, when truly needed, privacy policies will become more important than ever. These documents will need to highlight exactly what a company will do with the data and how they will handle it.

To make life easier, marketers should also only retain or collect the information that they can truly justify as being reasonable to hold. For example, a footwear retailer will understandably want to know a consumer’s shoe size, but to ask and store information such as waist size is simply creating an unnecessary issue.

Don’t Forget Accuracy

Data should be maintained and kept up to date too, but brands need to think carefully about how long they should store the information. If it’s no longer relevant, the rationale for keeping it is low. So, in the footwear example, it is reasonable to assume that the average person buys a pair of shoes every six months and, in the instance of adults, the shoe size will remain constant. If someone has not bought anything from the retailer in 3-4 buying cycles, it is arguably no longer necessary to hold the personal information relating to that contact. That’s not to say they should be removed altogether if they’re happily reading the company’s email comms. But the retention strategy should be highlighted within the privacy policy, and it must be reasonable.

Fight for Your Rights

Data subjects have now got the right to request—free of charge and within 28 days—the following from a business:

  • A right of access
  • A right to object to processing
  • A right to prevent processing for direct marketing
  • A right to object to decisions being taken by automated means
  • A right in certain circumstances to have inaccurate personal data rectified
  • A right to claim compensation for damages caused by a breach of the Act

It sounds like complex stuff, but, with the exception of the final right, all of this can be handled by a marketing automation platform. How different company departments uphold these rights is of course a different matter, but marketers can breathe a sigh of relief in this respect.

Data Security and International Considerations

It is no surprise that security is one of the key principles of the new data protection regulations. Brands have always had obligations to ensure their data remains safe, but things are tightening up. So how can marketing tech help?

A compliant platform will act in accordance with the client’s data protection policies. Force24, for example, gives users the option of two-factor authentication and can set user permissions in line with their data classification handbook. The infrastructure of the system itself is also important. Strict data access is crucial.

GDPR also dictates that, if the individual has not given permission, data cannot be shipped outside of the EEA unless the country has a data agreement with the EU. The number of such approved places is small. As a result, sending data to a large number of online mail providers is now prohibited!

The USA, for example, is not in the EEA. It could be argued that GDPR recognizes the US Privacy Shield, but this requires individual companies in the USA to sign up for it and, when it comes to data agreements, America has a challenging record. We only need to think back to the Safe Harbour framework that collapsed in October 2016!

The safest and simplest option is therefore to ensure data remains in the UK. Why ship it anywhere else and heighten the risk of a GDPR breach, when it can be processed here?

Will Busy Marketers Break the Rules?

Understanding GDPR and its key principles is the first challenge—this is a new and complex regulatory system that will take some time to fully comprehend. Applying the principles is the next giant hurdle, and in busy marketing teams, this will be no mean feat. So where should marketers start?

There are many basic tips that can be adopted well before the legislation comes into force.

It’s time to stop using Excel to process or report on data, for instance. Not to single out this application, but think about what is involved. Simply editing a spreadsheet on a computer does little to reassure contacts about complete data security, and it is also likely that the marketer will create multiple copies of the data without even realizing it. They may download and edit it, save it, make a change and save it again. They may automatically create a backup—in iCloud perhaps—and within a short space of time, the data will have been duplicated several times. If the spreadsheet is emailed to a company’s management team, it will then reside in the marketer’s ‘sent items’ folder, with duplicates in each recipient’s inbox.

This all sounds very innocent, but with all of these data copies floating around, it could be a nightmare if a contact wants to enforce one of their rights. It would be worse still if the data was segmented and uploaded into an online mailing platform based outside of the EEA. Imagine if an individual invokes their right to erasure, but their details are accidentally missed from one of the spreadsheets and this is the list imported into the mailing platform on the next occasion…that is an instant breach.

The Key to GDPR Compliance

So, what is the secret to GDPR compliance? Of course, people play a huge part here. The legislation is complex and colleagues across the company need to be adequately trained to understand the rules. But, from a marketing perspective, tech can help significantly. For instance:

  • Look for a GDPR-compliant automation platform that will enable marketers to hold and segment data, build reports and execute campaigns. It will then provide a single source of data.
  • The platform should be UK based so that personal information never leaves the country.
  • It should keep a record of when and how consent was obtained from each data subject, and what was agreed.
  • The system should automatically hash an individual’s contact details if they wish to be removed, ensuring no future accidental sends, however innocent!
  • Use the technology to build intuitive, personalized journeys that stand the best chance of delivering contextual messaging to each individual.
  • Common sense needs to be applied too—if a data subject shows very little or no engagement with the marketer’s efforts, arguably the communication should cease.
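
The hashed-removal point in the list above, sketched as an added example (not Force24's code or any platform's API): on erasure the record is deleted and only a keyed hash of the address is kept, so a stale spreadsheet imported later cannot re-add the contact. The HMAC-SHA256 choice, the function names and the sample data are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Assumption: a secret key held by the platform; keying the hash stops a
# leaked suppression list being reversed by hashing guessed addresses.
SUPPRESSION_KEY = b"constructed-demo-key-not-for-production"


def normalise(email: str) -> str:
    """Trim and lower-case so ' Jo@Example.com ' matches 'jo@example.com'."""
    return email.strip().lower()


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash (HMAC-SHA256) kept in place of the erased address."""
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def erase_contact(email, contacts, suppressed):
    """Delete the contact record and remember only its token."""
    contacts.pop(normalise(email), None)
    suppressed.add(suppression_token(email))


def import_contacts(csv_text, contacts, suppressed):
    """Load a CSV export, skip erased addresses, return the number rejected."""
    rejected = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = normalise(row["email"])
        if suppression_token(email) in suppressed:
            rejected += 1  # erased contact found in an old copy of the data
            continue
        contacts[email] = {"name": row["name"]}
    return rejected


# Constructed sample: a stale spreadsheet that still lists an erased contact.
STALE_EXPORT = "name,email\nAlex Doe,alex@example.com\nSam Roe, Sam@Example.com \n"


def demo():
    contacts = {"sam@example.com": {"name": "Sam Roe"}}
    suppressed = set()
    erase_contact("sam@example.com", contacts, suppressed)
    rejected = import_contacts(STALE_EXPORT, contacts, suppressed)
    return sorted(contacts), rejected
```

The check only protects imports that pass through it, which is the argument for a single source of data: copies sitting in inboxes and backups are outside its reach.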

Don’t Be B2B Brazen

A final note must be given to B2B marketers who have long relied on the PECR (Privacy and Electronic Communications Regulations), which allow emails to be lawfully sent to representatives within an organization. This will remain the same; however, the lines become blurred if an email format is ‘firstname.lastname’. This now constitutes personal information, which the ICO is said to be addressing within GDPR. The current position states that the marketer may email and process this information on the grounds of legitimate interest. But I urge B2B marketers to reserve judgment and await further clarification on this matter.

Remember I am not a GDPR practitioner and so I can only offer anecdotal advice. Also, GDPR doesn’t just apply to marketers. However, it’s naturally an area that Force24 is homing in on. For further information about the key principles of the legislation and how our compliant automation platform can support marketers moving forward, download a free copy of Force24’s compliance statement.