GDPR has redefined the way you process data. The digital marketing landscape is changing for the better. The European Union’s General Data Protection Regulation, to give it its official name, is legislation that protects the privacy of consumers and employees in the EU’s 28 member states.

And just to clarify—even once the UK leaves the EU (or doesn’t… who knows), citizens of the UK will be under the protection of the GDPR.

GDPR not only better protects a person’s privacy, it also gives that person (we’ll mostly be referring to people as data subjects throughout this article, so keep your eyes peeled) more control over their data.

Here are a data subject’s rights:

  • The right of access.
  • The right to rectification.
  • The right to erasure (this one is making the rounds as “the right to be forgotten”).
  • The right to data portability.
  • The right to object.
  • The right to be informed.
  • The right to restrict processing.
  • Rights regarding automated decision making and profiling.

Now, the question is: how are these new and improved data subject rights going to affect your marketing strategy?

The importance of data in marketing

Companies of all sizes and across every sector you can think of use data to inform their marketing strategies and the campaigns they unleash.

Browsing habits online can help a business use search engine marketing (SEM) to follow web users around their internet journeys with targeted ads. What? Surely you didn’t think it was a coincidence that the guitars you’ve been looking at online kept popping up as ads on the non-guitar websites you were on?

Brand loyalty can help companies drive campaigns that focus on upgrades and customer retention; knowing someone’s annual salary can help you choose which products to advertise to them, based on what disposable income they might have left… and how much non-disposable income they might be willing to suddenly make disposable for the enticing product.

What does GDPR mean for marketing?

By having the data to analyse, and by being able to predict customer behaviour, companies can weaponise seemingly innocuous data to the benefit of their marketing campaign: think date of birth or age data. If your business sells clothes or mobile phones, for example, you might launch a whole range of new products around September and April time.

Why? Well, your primary demographic is likely to be students and adults in their 20s and 30s—and when do student loans get processed? A quick search on Twitter can give you a good indication of what students intend to do when their student loans “come in”.

Will marketers have to slow down?

The fuel any business’s customer relationship management engine needs is data. In fact, the Economist labelled personal data the “world’s most valuable resource”. If your business seems to be accumulating less data since 25th May 2018 when the GDPR rolled into town, you might need to look at new ways of marketing your products and services, engaging with consumers, and attracting talented employees to work for you.

Review the tools you use

As part of any marketing strategy, most businesses use some type of software or online tool. You should contact the provider of any products or services you use, and ask them how they’ve optimised their product for GDPR. You might not have noticed, for example, that they’ve redesigned their set of consent form templates, with more of a focus on the data subject actively and voluntarily “opting in”.

Because that’s what consent must be—actively and voluntarily given

After all, active consent is the crux of GDPR now. Forget about silent consent. Forget about inactive consent. Not saying no… does not mean yes.

Saying yes means yes.

A data subject must also be able to give their consent freely

A consumer or employee can’t give their consent freely if they have no choice but to opt in to something.

Should you have a different marketing strategy for EU countries than for the rest of the world?

In a word, no.

The likely reality is that once non-EU countries and state groups begin to see that GDPR is having a positive effect on how businesses interact with personal data, they’ll begin to impose stricter regulations themselves for their citizens.

For this reason, you’d be better off bringing your organisation’s entire marketing strategy under the banner of GDPR compliance. By doing this, whenever another country passes new legislation to further protect their data subjects, you’ll be close to (if not already achieving) compliance.

But what exactly do we mean by “data”? 

What exactly counts as data, anyway?

It’s a great question, because the list of answers might well be inexhaustible.

Personal data includes a data subject’s full name, their date of birth and birth certificate, their National Insurance number, passport information (including photocopies), their living address, their contact number(s), email address, bank details, salary history, any copies of their CV, qualifications and certification history, references about them, login details, social media interactions, IP address, internet browsing history, and any billing history.

We’re not done yet—any information about their protected characteristics, such as their age, religion and beliefs, race, nationality, disability, relationship status, gender, sexual orientation, and sex—this is all data.

How GDPR affects business

Be thorough, and separate each purpose for collating data

When you seek consent, you must treat each purpose as its own process. Think of all the possible reasons you could want to contact a data subject, and treat each one separately. For example:

  • Product news.
  • Company announcements.
  • Promotions.
  • Press.
  • Urgent messages.
  • Career opportunities.
  • Privacy and data policy updates.

The easy way to complete this separation task is by using a simple form with different tick boxes for each reason.

At the end, include a tick box that indicates whether or not the data subject consents to you sharing their data with third parties.

Always include a link to your privacy/data policy on pages where you seek consent

Your company’s privacy policy should be either a page on your website or a downloadable document (or both if you please). Either way, within each page of a customer journey that will require data subject consent, make sure your privacy policy is accessible.

Remember, your policy should:

  • Explain what you will use the piece of data for.
  • List any third parties you will share the data with, and expressly state that you share responsibility for the lawful use of the data along with any third parties—you’re not passing the buck.
  • Explain how you will store the data.
  • Explain what a data subject should do if they want to alter, erase, transfer, or obtain their data.
  • Be transparent—it’s not your data after all.
  • State that you record the date whenever a piece of data is collected.

Separate the options for contacting data subjects

Some people prefer businesses to contact them by email; others favour good old-fashioned post; and then there are text/SMS messages and telephone calls. Make each individual option a tick box, and ask the data subject a simple consent question:

“Would you like us to contact you by:”

  • Text message.
  • Phone call.
  • Post.
  • Email.

There’s absolutely no need to get tricky with the psychology of your wording. Avoid double negatives. Avoid all negatives, for that matter. Steer clear of something like:

“Please do not select the options that you do not wish to be contacted via.”

You already know whether your business does this—if it does, hang your head in shame. Keep things simple, honest, and transparent, and you’re more likely to prevent customer anxiety at the end of their sign-up journey; and you’re more likely to retain their loyalty in the coming weeks and months when they only receive marketing communications through channels that they know they agreed to.

Always consult your legal team

Or, if you don’t have an in-house team, find a law firm that specialises in data and privacy law. Whenever you’re unsure about anything—the GDPR itself, or what you should include in a privacy policy, whether you need to further unpack a form template, your data processes—ask for their expert advice.

What are the consequences of non-compliance?

First-time, non-intentional non-compliance will usually only result in a warning. After this, the sanctions could get rough, with maximum fines set at €20 million or 4% of your company’s annual turnover—whichever figure is higher.

With this type of top-tier sanction, it’s critical that you take GDPR seriously—gone are the small fines and slaps on the wrist.

What should you do if you suffer a data breach?

In the event of a data breach, you must inform your data subjects within 72 hours of logging the breach. If you end up in court because of a data breach, the court will be attentive to whether you adhered to this rule or not.

Finally, make the option to unsubscribe nice and easy

Nobody enjoys reading the fine print at the bottom of a recent marketing email while he or she tries to find the Unsubscribe button.

Being open, honest and transparent with your data subjects includes letting them know that, should they ever wish to cut ties with you, the process is well-lit and simple.

About the author

Adam Hardingham

Enthusiastic entrepreneur, Rivmedia owner and proud father. Specialising in organic SEO, link building and content marketing. When I'm not hard at work (which is rare :D) I enjoy a round of golf, cycling and spending time with family.