Success in the Engagement Economy hinges on customer engagement. By creating experiences that feel personal and human, that are founded on trust, and that are delivered with care, we will win the hearts and minds of our customers.

To build and maintain that trust and care, we, as marketers, need to be attuned to how, when and why our customers want to be engaged, and to respect their preferences.

Managing and respecting these preferences is good practice, and it is also the subject of a significant piece of European Union (EU) legislation, the General Data Protection Regulation (GDPR), that went into law last year and, after a 2-year grace period, will be enforced from 24th May 2018.

As a marketer, what impact will this have on you? We’ll explore this further in this blog and for more guidance, you can download the SiriusDecisions GDPR Core Strategy Report, which introduces a step-by-step guide to their Implementation Framework.

Seize The Opportunity Presented by GDPR

Rather than looking at GDPR as an obstacle, marketers should seize the opportunity it offers: to ensure our marketing practices live up to our promise to listen to our customers and provide them with an experience that is informed by our understanding of their behaviors and preferences. The arrival of this legislation gives marketers a chance to look at their data management policies and ask themselves some hard questions about their processes and systems but, more importantly, it gives them the opportunity to do things better.

As a consumer, I have never thought “I wish Company A marketed to me more” or “I wish Company B would send me more email”. Yet, as marketers, we often fall into the trap of thinking ‘more is better’. More emails. More event invitations. More retargeting.

Winning the hearts and minds of your customers requires the delivery of authentic and personalized experiences. This requires that we not only understand their preferences but also respect them. So if GDPR puts a stop to bad practices that deliver ineffective and damaging marketing, then that can’t be a bad thing.

An Overview of The EU General Data Protection Regulation (GDPR)

GDPR is broad in scope and your own legal team will need to offer counsel as it relates to your business. At its core, it sets out to strengthen the data protection rights of EU citizens across several areas. Here are some key aspects of the legislation:

  • Collection of personal data: Though not the only consideration for marketing, one of the key ways GDPR impacts marketers is the requirement for consent from customers before compiling and using personal data for marketing purposes (see below for an explanation of the two different levels of consent).
  • Who does it apply to? It is worth noting that GDPR applies to any organization, inside or outside the EU, that is marketing goods or services to EU citizens and/or tracking their behaviors. If you do business with Europe, this legislation applies to you.
  • Repercussions for noncompliance: Punishments for non-compliance are significant, with large fines for those in breach of the regulation. (The maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater.)

Affirmative consent applies to the communications preferences of customers in most circumstances. It requires ‘a clear affirmative act’ that establishes ‘informed and unambiguous consent’. A clear affirmative act can be described as express consent or as an opt-in—they are the same. Sensitive personal data, however, requires a higher level—explicit consent. Techniques such as double opt-in and cookie notices are established methods of gaining affirmative consent and are used today in Canada and Germany, both of which have already adopted tighter legislation.

Explicit consent is required for certain processing of sensitive personal data, profiling activities or cross-border data transfers. Sensitive personal data is described in Art. 9(1) of the GDPR and includes categories such as physical or mental health data, racial or ethnic origin, trade union membership, etc. While the GDPR does not separately define the term “explicit consent”, it likely retains the same meaning as given to it by the Article 29 Working Party under Directive 95/46/EC: “all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information.” Unfortunately, the distinction between affirmative consent and explicit consent is not altogether clear; hopefully, guidance on this topic will be forthcoming.

Of course, customer preferences change over time and rarely exist in perpetuity, and GDPR has something to say about this too: namely that organizations, specifically marketing, make it easy for customers to change their preferences.

If we are truly building customer relationships based on trust and care, then this should not cause fear. As a Marketo customer, you have the tools your marketing team needs in order to comply with GDPR. For instance, you can quickly and easily build an email preference center in Marketo; check out this great example.

Accountability & Compliance

An important principle within GDPR is the notion of accountability, namely that anyone storing or processing customer data must be able to demonstrate how they comply with the principles.

Forward-thinking companies are already reviewing and updating data processes, employee skills, and appropriate technologies as they rethink organizational compliance.

The SiriusDecisions Data Privacy Compliance Model helps organizations understand the building blocks needed to establish a comprehensive compliance program. We have licensed the report for your use and you can download the SiriusDecisions Core Strategy Report here.

Has your organization started tackling GDPR? Do you have a dedicated team or resource working on it? We would love to hear how other marketing organizations are getting their hands around GDPR—tell us how you are doing in the comments below!