Marketing, CRM & GDPR – The Perfect Storm
In a recent survey, 92.3% said they maintain databases to host information on customers or prospects. With this in mind, GDPR is going to be a huge data nightmare and as you will read below, may lead to drastic steps! Getting data right in CRM has always been a challenge and ongoing investment. Getting it right now is going to be a compliance need.
The GDPR (General Data Protection Regulation), coming into enforcement in May 2018, has significant and far reaching implications for marketers and those responsible for CRM data. It will affect any organisation that collects and/or processes personally identifiably data of any EU citizen. The UK’s Brexit will NOT exempt UK businesses, as GDPR is already agreed and in place ready for enforcement in the UK.
As CRM is mostly used for prospect and customer data and to record information on and communications with real identifiable people, this falls firmly into scope. Furthermore, most CRMs are used to feed marketing tools such as Mailchimp, Dotmailer, Marketo, Eloqua and the like, feeding data out of the CRM into a marketing automation workflow.
Getting consent to contact
Often, data is inserted in the CRM by a sales rep, who then ticks a box to add the contact to the mailing list; there could also be rules to automatically add any new contact to a marketing nurture list and push them across into the mailing tool used. Now consent to mail to that contact may have been given (by email or verbally) or it could have not even been asked at all. Under GDPR, this practice could leave you in a bad place.
A recent DMA Survey found that 70% of marketers were most concerned about how GDPR would affect marketing consent and interestingly, only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline.
Marketing and its approaches have to be reviewed and quickly to ensure data, processes and activities leave you in compliance or close enough to it not to be at risk from complaints and fines.
Under GDPR, there are some key areas marketing must address and get right:
- Opt in consent
- Rights to use data and what for
- Length Data can be kept
- Right to be forgotten
Traditionally, consent was often obtained via an opt in tick box on a web form for example, potentially a catch-all option (i.e. we and partners can mail you about anything), at times even pre-ticked, the default being you are opting in unless you untick.
Data was also used to send content years after receiving the 1st ‘opt-in’, if indeed it truly was received!
And finally, we have all tried removing ourselves from a mailing list and received content from them again and again afterwards. This has improved with clear opt-out/unsubscribe options in the past few years, but it still happens.
Now for the changes!
Firstly, GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’. You will no longer be able to have a pre-ticked box and opt-in based on inactivity. You need to gain consent and store that proof clearly, if getting consent over the phone, start thinking how you will record calls and link those to the CRM record of the customer to allow easy retrieval if needed. You must also clearly specify what the scope of use will be – i.e. if you will pass to partners and to which partners. Individual companies must be named when requesting consent for third-party marketing.
You need to have a reasonable legal basis for processing personal data, which should remove the collecting of data for unnecessary or frivolous reasons and remove the random scans at shows. You also do not have carte blanche on the use the data for anything you wish. The data you hold is on loan from the citizen whose information it represents (and they can recede the loan at any point).
You cannot hold that data forever
You cannot hold that data forever, but only for a reasonable time deemed necessary to serve the purpose given. So expect to see re-subscribe checks to ask if you still want to receive any newsletter and affirmative action to be required to stay opted in.
Oh! And don’t think about negative enticement to keep them subscribed, stopping access to a service if a user withdraws or withholds consent will not be allowed!
Much of this led to the recently publicised and unprecedented announcement of a major brand deleting its entire marketing database rather than trying to clean it.
Finally, you have the right to be forgotten, an important and not necessarily easy one to deal with. This gives the right to the data owner to contact a business and enquire for free what data they are holding on them and, if they wish, to request that it is all deleted, i.e. they forget that citizens information in whole. There are caveats and exceptions. For example, you can apply for and be granted dispensation for special data, where there is legitimate reason to retain such data and refuse the request (for example, criminal records or medical records). Also, you will need to keep something on the individual to record that they are unsubscribed and not to be marketed to.
For many however, this alone may prove a challenge. Firstly, you need to provide an easy method whereby the citizen can make the request and receive the required information. You then need the capability to search all data you hold in all systems and backups to identify if you have data and if it fits the scope, to remove it (i.e. not specially carved out). And finally, you need to ‘truly’ perform the removal and confirm to the citizen it is completed. In organisations I have spoken to, this has been identified as difficult in a single request instance, let alone when citizens become widely aware of their data rights and 200 such requests are received in a month! Will we see more doing the same as Wetherspoons, drawing the line and taking their traditional marketing to social, where interactions are expected and easier to justify the users to opt in, for example to your Facebook page?
Non GDPR Compliance is not an option
The level of detail to be considered is also underestimated, with backups and cookies. You prompt for consent when first storing data on an individual, but they are going to need to have an easy way to remove their consent to be cookie tracked and remove past stored data… who does that today?
So for a marketer, there is a job ahead. Firstly, to comply with the legislation, you need to understand it. Marketers need to be set up to react quickly and appropriately to requests to view, amend or destroy data. There is a need now to change the approach to data collection, database building and data management.
Non GDPR Compliance is not an option and the clock is ticking quickly to the enforcement data of May 25th 2018. GDPR has some grey areas and nuances for sure, but relying on these to protect you will not be acceptable. Marketers need to be starting their GDPR journey now, ensuring legal and valid consent is stored and documented and that data and processes are reviewed and polished.
Ian Moyse is Sales Director at Natterbox and sat on the Boards of Eurocloud, FAST and the Cloud Industry Forum and in 2016 & 2017 was a judge on the UK Cloud Awards. Ian has been rated #1 Global SaaS influencer (Klout) and #1 Cloud Social influencer from 2015-2017 (Onalytica). He is recognised as a leading cloud Blogger and was listed in the EMEA top 50 influencers in Data Centres, Cloud & Data 2017. Ian was awarded UK Sales Director of the year by Institute of Sales Management (ISM) and is widely known as a leading Social Seller.
Ian can be followed on twitter at www.ianmoyse.cloud and Linkedin at www.ianmoyse.co.uk