GDPR came into force in 2018, outlining new data privacy laws. As customers, we’ve all had our inboxes flooded with emails informing us of new policies and requesting us to opt in to receive marketing, much of which we weren’t even aware we were subscribed to in the first place.
With the increased fines being introduced by the GDPR, data compliance has firmly been placed on the boardroom agenda for organisations. What’s more, the heightened publicity around the GDPR, notably due to the recent Facebook/Cambridge Analytica scandal, has meant individuals now have much greater awareness of their rights in respect of their personal data.
It’s no wonder organisations are concerned about GDPR, with many seeing it as a hurdle to overcome and a tick-box exercise to make sure they don’t get burned by regulators. Organisations should shift their focus from doing the bare minimum required by the GDPR to focusing on the customer and doing what’s right by them in line with the new regulations.
GDPR is an opportunity to make sure you’re employing good practices and always putting the customer first. Organisations which take compliance seriously will build customer trust in their handling of personal data and make progress towards building a culture of awareness. The misconceptions around GDPR listed below give you insight into how you can use the new regulations to your advantage.
1. Everyone has to run a re-permissioning campaign
No doubt you’ll have already received hundreds of re-permissioning emails as organisations require a higher standard of consent with the GDPR. It’s important to remember a couple of points here rather than jumping to the conclusion that all organisations need to run a re-permissioning campaign.
Firstly, if your existing consents meet the GDPR gold standard, you don't need to re-permission. Don’t automatically assume you need to re-permission; make sure to do a review first.
Secondly, if you use soft opt-in for direct marketing under the Privacy and Electronic Communications Regulations (PECR), you don’t need to get consent if you’re relying on "legitimate interests" as a legal basis for processing, making the re-permissioning exercise unnecessary.
But if you are asking customers to re-opt-in to receive marketing, you’d better make sure you have permission to email these contacts in the first place. Sending a re-permissioning email in itself is considered marketing, so if you haven’t got consent to email everyone in your database and you do so, you could find yourself in hot water. Worse still, if in doing so you send emails to contacts who have previously opted out of direct marketing, you’re breaching both PECR and the GDPR. Think carefully before sending out mass re-permissioning emails, and always make sure you segment your database.
On the other hand, many organisations who have run re-permissioning campaigns correctly have used them as an opportunity to re-engage with customers and enhance their customer relationships. ASOS, for example, nailed it and nurtured customer trust.
2. You can’t communicate with anyone unless they’ve opted in
Many organisations have been scared by all the GDPR smoke and mirrors out there into thinking they can’t send any communications to individuals without having first obtained their consent.
However, service-led email communications (i.e. ones that don't contain any promotional/marketing content) can be sent without prior consent, as organisations are able to rely on their "legitimate interests" as a legal basis for sending such emails.
For example, transactional emails such as order confirmations, delivery information and reminder emails can be considered communications that rely on an organisation's legitimate interest to develop its business and enable it to enhance and personalise the customer experience.
3. GDPR is an obstacle
You’ll have heard that a lot of people are panicking about GDPR. But while preparing for GDPR is no easy feat, the fundamentals of the new regulations are to protect and empower your customers, putting them in control of their personal data and how it's used.
And don’t we all want to provide a better customer experience and create happy customers? At the end of the day, the better the experience you provide to your customers, the more likely they are to return and the more successful you’ll be as a business. Research Cloud.IQ conducted in October revealed that 64% of people recognise the value of their personal data as a currency in exchange for a more individualised experience. And with the imminent arrival of GDPR, more and more people are starting to realise the value of their personal data.
Organisations should approach GDPR as an opportunity to offer customers real value in exchange for their data and to create meaningful and personalised customer experiences. Those that see it as an obstacle are setting themselves up for failure.
4. May 25, 2018 is the hard deadline
Although GDPR brings about some big changes, it is more evolution than revolution. It was introduced to replace existing laws and to ensure proper and effective regulation for organisations who are developing and using more advanced technologies which collect and process personal data.
May 25, 2018 is just the beginning. Any organisation promising to be 100% GDPR-compliant should be approached with caution, as it’s not clear at the moment what "GDPR-compliant" looks like. Businesses won’t suffer if they can show they’re taking meaningful strides towards compliance, and if you approach the GDPR in the right way, the rewards will be high: better customer relationships, loyalty and brand reputation. Moving forward, organisations will need to constantly evolve their strategies to ensure continued compliance in the interest of their customers.
At Cloud.IQ, we were early embracers of GDPR and the need to embed these new requirements within our business. Our team has dedicated a lot of time over the past few months to ensure our business is ready. We’ve put in place compliance measures to demonstrate that our clients' customer data is in safe hands, from introducing new policies and updating our existing policies and terms and conditions, to providing organisation-wide training, releasing an employee handbook, and introducing safeguarding measures for upcoming products and services.