GDPR is a hot topic right now. We have guest blogger Will Kemble-Clarkson, from business consultants Ctrl-Shift, to tell you the five areas that businesses need to get to grips with.
In case you’ve missed the recent coverage, the EU General Data Protection Regulation (GDPR) is coming into force a year from now. For businesses and consumers alike, it is easily the most important, impactful regulation in recent times. Rooted in harmonising consumer rights across Europe, it strengthens consumer rights around how data is collected, used and shared, as well as introducing a raft of new regulations that put consumers in control of their data.
Considering GDPR has been active regulation (but not enforced) for over a year, it has taken a while for businesses to take it seriously. As it hovers into view, web-chatter around GDPR has been climbing to a crescendo, and yet the impact the regulation will have on businesses has yet to fully sink in. Make no mistake, this is not a matter to be palmed off to your compliance team, and here’s why.
We’re moving from a world where businesses can, and do, capture and use customers’ data in ways these customers don’t know about to run much of their core marketing operations, to a world where businesses can’t. If businesses want to use the data, they’ll have to engage their customers in a conversation about their data (hard to do) and then convince them that the way that data is used delivers good value to them (near impossible when it comes to marketing-related uses).
That means no more marketing, omni-channel tracking, web analytics, CRM, profiling and anything else that isn’t absolutely core to delivering the service the customer thinks they’ve signed up for.
Put simply, the way marketing uses data today is all about to come to an end.
So whilst compliance teams will be focused on ensuring that their businesses are meeting minimum viable GDPR compliance by the May 25th 2018 deadline, other key business functions, such as product, marketing and customer experience, have to step in to understand the implications for how they operate.
Businesses that fail to grasp this wider point when designing their GDPR response risk a far worse consequence to their business than a whopping regulatory fine – they risk haemorrhaging their customer base. Here are five parts of the regulation that we see as critical for the wider business to get to grips with:
Consent: This is the beating heart of the regulation – the obligation for businesses to ensure that their customers understand what data is being collected and how it’s being used, and to get their affirmative, unambiguous consent to use it. No more pre-ticked boxes, bundled permissions and suchlike will be allowed, and marketing is going to have to think carefully about how it presents its case for access to customer data. GDPR also requires that businesses make it as easy to withdraw consent as it is to give it, so the permission will need to be earned and maintained.
Profiling: Customers will have the right to opt out of any form of automated profiling, which impacts everything from CRM and direct marketing to customised pricing. This will push businesses to be transparent about how customers’ data is being used and, critically, whether the value being created is balanced in favour of the customer or the business.
The right to opt out of marketing: Once this is requested, all marketing must stop immediately. Consumer research has indicated that over 60% of customers will refuse permission for marketing, which means that, with the right to be forgotten (see below), businesses will permanently lose access to the majority of customer data. That will kill growth, and costs will go up, especially acquisition costs, hammering margins.
The right to be forgotten: Once a customer has decided to leave, they can request that all of their data is erased. The technical implications of deleting data from a multiplicity of databases aside, this will also impact systems that rely on the data to power CRM, pricing and other core resource management functions. Plus, from a marketing perspective, it also means retargeting past customers will be impossible.
Data portability: Customers will be able to ask for a copy of their personal data in a machine-readable format. Whilst we’re still awaiting regulator guidance on exactly how much data and in what format (e.g. API versus CSV file), this is going to drive competition. Sectors that have become complacent in the face of consumer inertia, financial services for example, could find GDPR increases the chances of disintermediation. Customers will be able to give competitors access to their data to create a new value layer around the customer, possibly leaving the incumbent business with all the costs and the new service with all the margin.
If you’re reading this as someone responsible for any part of the customer experience and it comes as, if not a surprise, then much more than you’d expected, then you have some hard yards to travel over the next 12 months. However, providing you follow some core principles in your response, you should be fine.
Step One: Move, because the deadline won’t, and you may have to make some fundamental changes to how you develop and deliver marketing campaigns.
Step Two: Build a foundation of knowledge around the data. Run a data audit to identify areas of risk, where data is being used in a non-compliant way. Once you have mapped out the risk areas, cross-reference this with how becoming compliant will impact your business area if no action is taken other than the steps required by GDPR, i.e. asking customers to consent to profiling without changing how that profiling might improve the customer’s experience.
Step Three: Agree your GDPR for Growth strategy. With constraints of time and resources, where are the hotspots to focus on, where will you aim to achieve minimum viable compliance, and where will you drive to improve the customer relationship through creating better data-driven services?
Step Four: Test, Learn and Iterate. Apply the same practices you use to develop new products and services: understand what your customers think of how you use their data, explore design options for consent journeys. You are operating in uncharted waters so make sure you’re able to adapt to what you learn.
At all times, ask yourself: what does the customer want? GDPR is complicated and there are still areas where the guidance on what constitutes marketing is not clear. But if you can keep the customer at the centre of your decision-making process, then you will at least be compliant with the spirit of GDPR, even if not the letter – which the regulator and, more importantly, the customer may forgive you for.