It’s a year since GDPR – or the General Data Protection Regulation – came into force and transformed the face of data protection in the UK.
Project teams were formed, privacy policies were rewritten and everyone argued long into the night over consent and legitimate interest. In businesses and consumer groups alike, there were misconceptions and half-truths about what would happen, and some dire predictions about the consequences for those who broke the rules.
It’s been an interesting year. It’s probably fair to say that the world didn’t change as much as some had feared, but there have certainly been some high-profile moments.
It’s important to remember that GDPR – and its enforcement – is an ongoing issue for every business. So we thought it would be worth having a quick review of what’s happened since it came into force, and what may lie ahead for the unwary marketer.
Pay attention, class…
Lesson 1: Don’t try to hide
Google fell foul of the regulators for not being clear about how they were using data. Essential information was spread across a number of documents, making it hard for consumers to understand how their data was being used. They received a €50 million fine for their troubles.
Don’t make the mistake of hiding your policies – either by accident or design. Consumers have never been more aware of data protection laws and if they think you’re hiding something, they’ll go looking for it.
Lesson 2: Know your customers
Without a doubt, there’s been a massive increase in the number of Subject Access Requests received. We’re seeing it across all of our clients, some of whom hadn’t received a SAR in living memory.
If you haven’t got an automated process to deal with SARs, then it’s time you put one in. Gathering all the data about a customer from across the business and making sure nothing is missed is both time-consuming and prone to error.
And remember that it needs to be both complete and intelligible to the consumer. Amazon and Netflix are just two companies who have had complaints filed against them for not providing complete, or easily understandable, responses to customers.
Lesson 3: Consent means consent
If you’re asking customers to give their consent to you using their data, then make sure you’re doing it right.
Consent needs to be specific and freely given. An all-encompassing data policy, with a single request for consent, won’t cut it.
Google learned this the hard way when they were found to have bundled a number of data uses into a single consent, which breaches the rules. Worse still, they had some pre-ticked boxes. Again – not acceptable.
Lesson 4: Know how your cookies crumble
Although cookies weren’t one of the most discussed aspects of GDPR, it’s essential that you have an appropriate policy.
Make sure that you’re giving your website visitors the opportunity to manage their cookie preferences. Some will be essential to their use of the website (such as to remember what’s in their shopping cart) while others will not. Be clear and be open.
It’s impossible to know what future regulation might bring, but there are two things we can be fairly certain of.
Firstly, customers will increasingly demand to be given control of their own data – and regulators will be minded to give it to them.
And secondly, the need to have total, granular control of your data will increase. The days of a single opt-in/opt-out for all marketing channels and keeping data for ever are long gone, and they’re not coming back.
So make sure you’re future-proofing yourself. Put a Single Customer View in place, make sure your permissions are granular and most of all, regularly review your processes to make sure that your whole organisation is adhering to the same standards when it comes to data.
As always, if you need some help in getting your head around your data, just get in touch.