As you might have already heard, the European Union has a set of new regulations coming into effect regarding the collection of private individuals’ contact data. The set of regulations is known for short as GDPR. So far, companies have had a chance to use private individuals’ information for marketing, for example, without having the consent of the person whose information they are exploiting. But in May 2018 that is all going to change. Collecting and using private individuals’ information however companies want is not going to be possible after GDPR comes into force. GDPR puts EU citizens in the driver’s seat and companies have to accept it, but what does all that actually mean from the companies’ and marketers’ point of view? What is going to happen in May 2018? We have collected the main points of this development here for you to consider.
What is GDPR?
Firstly, GDPR, also known as the General Data Protection Regulation, is a set of new European privacy regulations that comes into force on 25th of May 2018. The idea of these regulations is to have the same directives in all of the EU countries when it comes to collecting and storing personal information, and to give EU citizens more power to know how their personal information is used.
According to GDPR, personal information includes all information that can be related to a person. That basically means photos, addresses, email addresses, computer IP addresses, bank details, cookies, location information and names. The same thing applies to the B2B sector. After May 2018 cooperating companies are seen as individuals. This is because under the GDPR, the cooperation is seen as something that is happening between people, that is, the individuals working in the companies, instead of whole companies being seen as the individual player.
GDPR puts individuals in charge of how their personal information is used and gives less power to the companies collecting and using that kind of data for monetary benefit. That’s why under the GDPR individuals have certain rights, which are listed below:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What does it mean for your company?
First, every company handling personal information databases should appoint someone who is solely in charge of GDPR compliance (a Data Protection Officer). If and when asked by data protection authorities, companies and organizations have to be able to explain exactly what they are going to do with the database that they have, to report how they are going to secure this information, and to state what they know about the risks involved in handling personal data. Companies and organizations also have to know at all times exactly what kind of personal information they have, where the information is collected from and who is handling the data. In order to verify all this, companies should have a Data Protection Impact Assessment (DPIA) in which everything is documented, so that if someone in authority asks how the GDPR has been taken into account in the company, the company can show them its DPIA.
How does this affect tele- and email marketing?
Companies must be able to clarify what personal information they are going to collect, why they need that information and how they are going to use it. Companies can only collect and store data that is necessary for them. For example, if a company has collected personal information for marketing purposes and the database also contains those individuals’ dogs’ names, there has to be a clear context as to why (e.g. the company is marketing toys for dogs).
Under the GDPR companies are also responsible for clarifying how long they are going to store the information. Nobody can keep individuals’ personal information in their database forever. This takes us to the point that companies are not allowed to send marketing emails to customers who have not bought any products or services from them lately, more specifically for 8-12 months. Also, companies have to have individuals’ consent for sending marketing emails, and even if they have the consent, the company still has to offer an ‘easy way out’ to individuals who do not want to receive any more marketing emails. Last but not least, companies must be able to prove how, where and when the consent was given.
The same rules apply to telemarketing. Companies are not allowed to make marketing calls to numbers whose owners have not given consent for that. Also, if the company has collected phone numbers for some reason other than making marketing calls, it cannot call them for marketing purposes without asking for consent first.
Not a problem, an opportunity
Even though the sanctions are substantial (the biggest fine can be 20 million euros or 4% of worldwide turnover), companies should not see the GDPR as a problem. Of course this all means extra work, and companies need to invest time and money in it, but it is also profitable.
When the GDPR comes into force, companies have to clear their databases of information which does not have further use (customers who have not bought any services or products from the company for a while or have not given consent to being approached). This means that their target groups are going to be smaller and companies will not be using their resources for marketing to people who are not even interested in what they have to offer. This is going to make companies’ marketing more effective, because they only contact people who have used their services lately and are more likely to also be interested in them in the future. In the long run it is actually going to save money, and who would not like that?