GDPR: What Do Marketers Need to Know?


After the recent Cambridge Analytica episode involving data mining, data brokerage and strategic communication to users, an alarm has been raised all over. Today, the big question is: if a tech giant like Facebook can be tricked by Cambridge Analytica, what could other hackers do with the personal information of millions of users? Hence, consumers' data in any context is a major concern.

The European Union has taken a strict initiative against this and has enforced a new set of rules, the GDPR (General Data Protection Regulation), on 25th May 2018. These rules promise to give users in Europe and beyond more authority over how their personal information is used online.

GDPR will significantly change the way data is handled as far as marketing is concerned. When storing marketing databases, companies will have to follow a set of rules compliant with these standards.

What is GDPR?

GDPR (General Data Protection Regulation) supersedes the former law, the Data Protection Directive. GDPR is primarily aimed at giving citizens complete control over how their personal information is used and stored by businesses. It simplifies the regulatory environment and also covers the export of data outside the EU. It ensures more transparent rules for data collection and sales, and gives users a number of rights with regard to the processing and usage of their personally identifiable information (PII).

Replacing privacy guidelines that had not been updated since 1995, GDPR will keep a strict check on companies and prevent the use of vague, unfair and confusing language to have the user agree to whatever they wish.

There are some significant changes in the set of rules to avoid data breaches:

  • Companies must use a clear set of boundaries and collect from users only the information that is directly relevant to the intended use. They should use language that clarifies the purpose of collecting the user’s data. Obtaining the user’s consent is mandatory if data collectors or processors wish to share the data with anyone else or use it for any different purpose.
  • A user has the right to access all the information a company holds about them. In that case, the company should provide a copy of the data when requested. If the consumer wishes to switch to another service, they must be able to withdraw consent at any time and revoke the permission. On the user’s request, the company has to erase all records of the consumer’s personal information, including from all the platforms where it shared that information.
  • Organisational and technical processes must comply with the guidelines and ensure personal data is secure. Only data that is ‘absolutely necessary for the completion of duties’ can be held. To support that compliance, companies should maintain records and documentation of marketing lists that ensure the security of users’ private data.
  • Breach notifications: if a data breach occurs, the business organisation and the data processors are required to notify the appropriate national bodies within 72 hours of becoming aware of the breach.

Privacy Policies

Just being aware of the GDPR rules will not serve the purpose. If you are a company that collects, analyses, stores or uses the data of any citizens of the European Union, then you need to update your Privacy Policy before 25th of May. In case you have not been able to do so, the following questions can guide you on how to write a GDPR-compliant privacy statement. According to the new standards, you should write a transparent, concise privacy policy in plain language that covers the following:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

Google Analytics and GDPR

Google Analytics is widely used by marketing agencies to generate better business results. In step with the data protection wave, Google Analytics has implemented some revolutionary changes to become compliant with GDPR standards. It has added a new feature called “Data Retention Control”, with which user data is automatically deleted after 26 months under the default settings.

If you are an admin of a GA account, you have the option to retain data for 14 months, 26 months, 38 months, 50 months, or “Do not automatically expire”. In this case, do not send any personally identifiable information (PII) to Google Analytics. IP addresses, which formerly were not considered PII, are now classified as online identifiers under GDPR standards, so you can still get insights into visitors on your site by turning on IP anonymization.

Impact of GDPR on Other Types of Marketing

Google Adwords

As per GDPR, advertisers using Google Adwords now have to take extra steps to obtain the user’s consent. The user’s permission is needed for the use of cookies when collecting and sharing personal data for personalized ads. Where the information is used legally, the data processor should conspicuously identify the party that uses the user’s data. If a person doesn’t sign up for sharing personal information, Google Adwords should serve them non-personalized ads.

Email Marketing

With GDPR enforced on 25th May, one of the major areas of change in the marketing industry is email marketing. GDPR has raised the bar to a higher standard of consent for subscribers.

Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.

Under GDPR, you should not send subscription emails to recipients in EU countries if you are sceptical about the email addresses and how they opted in. Make sure you segregate them into separate lists and send a new email asking them to confirm that they would like to continue receiving messages from you.

As a digital marketing agency, you should follow and implement these practices for GDPR compliance:

  • New consumer opt-in permission rules
  • Systems for storing proof of consent
  • A method through which consumers can ask to have their personal information removed

As a marketing agency, our advice is always to be as transparent as possible with consumer data in order to build more relevant, valued relationships with customers and consumers.

Although the implementation of the GDPR is likely to cause some businesses more difficulty than others (such as enterprise firms that offer “big data” products), it’s important to remember that this legislation is being introduced to protect users’ rights in a time at which almost every conceivable aspect of our lives is stored online – and is highly vulnerable to exposure and exploitation.
