Marketing departments may not realize the seismic impact a new regulation will have on their plans for 2018. And if they don't begin planning today, CMOs may discover that after May 25, 2018, their teams will not be able to execute campaigns and activities in the way they used to—at least not without facing the risk of legal action against their companies resulting in dramatic penalties and brand damage.
The specter of the General Data Protection Regulation (GDPR) has loomed large since it was adopted last year by the European Union (EU). When it goes into effect next year, this new regulation promises to radically change every phase of consumer data management within the EU—and worldwide.
And just because your company or its servers are not in the EU doesn't mean you'll be able to get around the issue.
A change of this magnitude requires a dedicated and serious response from any organization that either does business within the EU itself or has a customer base or employees that include European residents.
Yet, confusion regarding GDPR is pervasive, and many companies don't fully appreciate the scope of its impact.
GDPR Threatens to Derail Marketing Initiatives
GDPR institutes strict data protections for all persons within the EU and places limits on the export of personal data outside the EU. All companies that possess lead, prospect, or customer data about persons located in the EU will be affected.
With GDPR taking effect in less than a year, efforts to comply with the new regulations should already be well underway. That's simply not the case at many companies, however.
A recent survey on GDPR preparedness from PricewaterhouseCoopers found that 23% of respondents hadn't even begun taking steps to comply with GDPR; only 6% stated that they had completed preparations and were ready to operate in a post-GDPR environment.
Although 92% of survey respondents listed GDPR compliance as a top security concern through the rest of the year, it's important to keep in mind that this is not strictly a security or IT problem. Unfortunately, many department leaders continue to view GDPR compliance as completely outside their purview.
However, marketing teams, in particular, need to recognize the sweeping changes that will go into effect next year if they want their 2018 customer engagement strategies to be successful—and, in many cases, if they want their marketing campaigns to be legal.
Data-driven customer engagement has all but become the cornerstone of modern marketing. According to the Winterberry Group's January 2017 study, customer data is "critical" to the marketing strategies of approximately 80% of organizations across the globe. GDPR is going to completely upend what is considered acceptable usage and management of consumer data. If those guidelines aren't taken into account now, many marketing teams may well need to scrap their plans for 2018.
Considering that GDPR violations can be punishable by up to 4% of a company's annual global turnover (revenue) or €20 million (nearly $23 million), whichever is greater, we can safely assume that even laggards will fall in line eventually once costly fines begin to be doled out.
Where does that leave their marketing teams in the meantime, though?
What You Need to Know About GDPR
There are many changes in store for companies once GDPR goes into effect, but certain guidelines will hit marketing departments the hardest. Here are some of the highlights to keep in mind:
- It applies to any organization that processes EU consumer data, no matter where the company resides or where the servers that collect, store, and process the data are located. If you have customers residing in the EU (whether or not they are EU citizens), you will be held accountable for how you handle their personally identifiable information (PII).
- The definition of PII has been expanded significantly to include location data, cookies, device IDs, and even IP addresses. Just about any data-driven customer engagement strategy will incorporate this broader set of information, so you need to prepare accordingly.
- The GDPR introduces strict and narrow rules on how to obtain consent from customers before collecting and using their data. Today, most marketing organizations make heavy use of registration forms (say, on landing pages for gated content for lead generation) that use pre-checked options to collect profile data, and often these forms come with either no information or ambiguous information about what the data will be used for. GDPR no longer allows "opt-out" practices. You can collect information about your customers only if they explicitly allow it.
Another significant new requirement is that customers need to be able to go back and view what data is being collected and what they gave approval for, and they need to be able to change those individual approval settings at any time.
Chances are your website and marketing automation stack are not set up to support these requirements, and it's a non-trivial change. Most importantly, it's not something marketers can simply hand off to their IT department to solve, because the implementation can significantly affect the user experience, which in turn might affect everything from sign-up and retention rates to conversion success and user loyalty.
- Even with consent, customer data can be gathered only for an explicit, specific purpose. Companies will no longer be able to bundle a wide variety of data with no clear objective. For example, if you are targeting different ads to past customers depending on their age or gender, but don't have their explicit consent to use this data for that purpose, you will no longer be allowed to do so.
- EU residents can request to have their personal information completely erased from a company's database. This requirement means that all of that great consumer data you've been collecting over the years could be lost forever if customers wish. Maybe more important is that you need to be able to execute this deletion of data across all your systems and databases that make up your sales and marketing automation stack—including systems maintained by third-party contractors. Given the plethora of systems and databases in larger organizations, this is typically a nontrivial task.
Add it all up, and GDPR effectively puts an end to the Wild West days of consumer marketing in the EU, and globally for every company collecting data on EU residents.
Will Your Existing Customer Database Be Useless After May 25, 2018?
What adds dramatically to the complexity of these new requirements for marketing and business line owners is the often overlooked fact that the GDPR does not allow your existing data to still be used after May 25, 2018: There simply is no grace period and no grandfather clause.
In other words, if your existing customer data was collected in a way that is not GDPR-compliant (which is probably true for almost 100% of cases), then you can no longer use it once GDPR takes effect.
You will have to make the extra effort to re-collect approval from your customers to continue to use their data, and this time you need to do so in a GDPR-conforming manner. And, of course, you want to make sure this new and additional request for consent doesn't turn into a customer-experience nightmare that will drive customers away and have a negative impact on your KPIs and business. Consent lifecycle management can no longer be an afterthought.
Marketing and other business line teams need to understand what this new regulation means for their 2018 plans, and in particular its impact on personalized marketing—from newsletters and email campaigns to digital advertising—or the use of behavioral data to display personalized content on digital sites. Otherwise, they will have to pay a big price.