The EU General Data Protection Regulation (GDPR), which was agreed in January 2016, will change the face of B2B marketing: From ad IDs and cookies to email data sourcing, IP addresses and opt-in based permission marketing, this article outlines how marketing will change in the next two years.
Guest post by Rob Diggle:
“Data is the currency of today’s digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection is a business opportunity.”– European Commission press release, 27th January 2014
For those of us who work in direct marketing, it’s important to stay up to date on the ever-evolving laws regarding personal data. In the digital age, it’s unacceptable to plead ignorance about how we can and cannot conduct our marketing. The guidelines are out there, the penalties for non-compliance are significant, and the debate about personal data is rarely out of the news.
In Europe, the Data Protection Act (DPA) was formulated in 1998 to establish a European digital marketplace in which all member states share the same high standards of data protection – the ability to manage what personal information organisations hold – so that data can be transferred easily across borders without the need for special agreements or red tape. The DPA states that non-European countries can only process our data if they agree to abide by these same standards, meaning that European citizens have some of the highest levels of data protection in the world.
Since 1998, the world has changed completely. The Privacy and Electronic Communications Regulations (PECR) were drafted in 2003 to complement the DPA by defining, in detail, how and when organisations can contact individuals. It forms the basis of all current direct marketing legislation. If you work in direct marketing, you’ll recognise a lot of the principles, such as providing an easy way to opt out of marketing emails, screening phone calls against a “do not call” list, and always stating exactly how you plan on using personal information, and for how long.
The digital world evolves at a rapid pace, however, and many now feel that both the DPA and the PECR no longer provide adequate protection against organisations looking to get their hands on European citizens’ data. This view was recently backed by the European Court of Justice who declared “Safe Harbour” (the agreement between the US and the European Commission that allowed American companies to access European data providing they abide by the principles of the DPA) to be invalid in the wake of the Edward Snowden revelations.
The agreement, the European Court of Justice argued, no longer guaranteed the safety of European data and American companies, such as Google, Facebook and Microsoft, would now have to establish individual agreements, known as model contract clauses, in order to transfer data across the Atlantic. Some US companies have now set up separate data centres within the EU specifically to handle European data.
This has fairly large implications for digital marketing, which relies on the free exchange of personal information across borders in a range of forms.
In January of this year, the General Data Protection Regulations (GDPR) finally became EU law, with a two year lead-in period before the law becomes enforceable. It tightens the restrictions on personal information further, and expands its range to include new concepts such as cookies and other “online identifiers”. Many are wondering how this will affect their marketing practices, and what the new standards of “responsible data collection” are. This is a short (and not exhaustive) guide on what, as a direct marketer, you need to know…
- This is a Regulation and not a Directive
Directives are legal guidelines that EU countries must achieve by their own means, whereas Regulations have binding legal force and all come into effect at the same time. In other words, it’s an objective, pan-European law. It’s a Big Deal.
- There is no longer any difference between “business” and “consumer” data
All data that identifies an individual, such as a name or an email address, is now considered personal information and subject to the same rules. B2B businesses will need to update their processes to ensure the same levels of protection are given to anyone they wish to contact.
- Opt-in replaces opt-out
The tricks many companies use to gain opt-ins such as pre-ticked permission boxes, double negatives (untick this box if you don’t want to receive…), or otherwise making opt-in the default option are now invalid. Data controllers need to be able to prove that users gave positive, informed, contextual consent and knew exactly what they were agreeing to. The so-called “soft opt-in” – that is, marketing to existing customers about a related product with the option to opt-out – will now be obsolete.
- Business data may start to look very different
The new rules on permissions will make it much harder to obtain full, explicit consent for B2B marketing, and data controllers will start to use more creative methods such as content marketing to gain an opt-in. Data that doesn’t identify an individual, such as a company information, turnover band, and number of employees, however, will not be subject to the Regulation and can therefore be used for telemarketing – providing the marketer asks to speak to someone by job function and not by name – which could change the landscape of B2B marketing down the line.
- IP addresses and cookies are now considered personal data
Any method of tracking an individual, from cookies to ad IDs, are now considered personal information and subject to permission-based controls. This could have big implications for personalisation and web analytics.
- Right to be forgotten
Individuals now have the right to force data controllers to delete all information they hold on them, including any details retained on a “do not contact” list. Businesses will have to work out new processes to ensure all personal information is thoroughly and permanently erased.
- Data on EU citizens will be treated the same wherever in the world it’s held
The Regulations grant enforcement bodies greater powers that apply anywhere in the world. Expect to see big changes in the way non-EU businesses process European data.
- Companies with more than 250 employees will now need a Data Protection Officer
This will be mandatory for public sector organisations. Private businesses, however, will only need a DPO if they engage in “systematic monitoring of data subjects on a large scale“ – this is clearly an attempt to place tighter controls on the larger corporations that find themselves subject to hacks, breaches and data misuse scandals.
- Non-compliance is not an option
The new law strengthens enforcement bodies. Each country will have a National Supervisory Authority to investigate breaches who can issue fines of up to €1 million or 2% of global turnover.
There’s a lot more to talk about, but that’s for another piece. For now, I’d recommend that anyone whose job entails processing personal data familiarise themselves with the Regulations, keep a keen eye on what changes the key “players” in the EU make to their terms, websites and processes, and always stay up to date on ethical best practices.
- Better safe than sorry
The safe option, of course, is to err on the side of caution. Ensure your marketing permissions are as clear as possible and keep detailed documentation about how it was obtained. If you purchase data lists, ensure you choose a reputable broker with a long history in the industry, and get proof of where the data was sourced and how and when permission was obtained.
Direct marketing is not going away, and the European economy can’t afford to restrict it any further, but there will be big changes in the next two years before the Revised Data Protection Framework comes into force in 2018. This is all good news for us as individuals, of course, and if we as B2b marketers and digital professionals don’t like it, there will be plenty of Data Protection Officer roles that will soon be advertised…
About the Author:
Rob is Marketing Manager at Manchester-based Databroker. He likes writing about data protection, marketing and design. In his spare time he likes football, boxing and all things creative.