The General Data Protection Regulation (GDPR) comes into force in May 2018 and replaces the Data Protection Act. It’s intended to give more control over data back to the consumer and places stricter rules around what can and can’t be done with that data.
The GDPR is applicable to any entity that will hold data on any resident of the EU, regardless of entity location.
How will this affect digital marketing?
1. The definition of ‘personal data’ has been expanded
Previously, ‘personal data’ included elements such as email addresses, name, phone number, etc. Now, it includes other information such as IP address and cookie ID. Brands should begin a full audit of what data is collected now if this hasn’t already been done (see below).
2. Explicit consent is required before using cookies
Consent for cookies cannot be written into website terms and conditions, and neither can it be required in order to use a website. Users must also be able to easily opt out of any previously given consent and be able to delete personal data on demand.
This is an important part of the new regulation and any business that has not yet made arrangements to audit its current set-up should do so without delay as it could take some time to bring a current website up to standard, or build a new one from scratch in order to comply.
It’s worth noting that users will also need to opt-in to the use of any website analytics.
3. Re-targeting will require opt-in from the user
Re-marketing is a highly effective method of recapturing failed conversions but, as with email marketing, the user will need to opt in before it can be used. While it’s not entirely clear yet how this could be achieved, some third-party services are trying to build this into existing products before the regulation comes into force.
4. You cannot pre-tick any opt-in or consent box & users need to ‘double opt-in’
Hopefully, most businesses have ditched the practice of pre-ticking email opt-ins, but if not, this needs to change now.
Perhaps the most significant part of this update will be that users will need to provide a ‘double opt-in’ – this means providing consent twice, which is usually done by sending an automatic email to the subject and asking them to confirm the original opt-in. Any data – including previously held single opt-in data – cannot be used once the GDPR kicks in.
What can businesses do to prepare?
The first thing to do is audit current data collection processes, data storage methods, and marketing practices. Then make sure that everything meets the new regulations. A good start is to go through the list below.
- How is data collected? Has each user double opted-in?
- How is data recorded? Businesses will need to prove their methods.
- How is data stored and accessed? What is the level of security and privacy?
- Who is data shared with?
- How is data managed? Can users easily request removal?
Be aware that a contravention of the GDPR could mean a fine of four per cent of annual turnover. It would also be wise to seek legal advice on any wording you intend to use for marketing opt-in elements.
Finally, check with any third-party marketing services, marketing agencies, and freelance workers that they will also comply with the new regulations.