It’s on its way. In 12 months’ time, the whole data landscape will change forever. 25th of May 2018 is the D-Day for this monumental change to privacy, the end of a two-year grace period given after the legislation went through the ratification process within the European Commission.
“Sod GDPR – we’re leaving Europe!”
Not so fast there, sunshine. The timelines don’t quite fit. And the ICO has clearly stated that the UK will be mandated by law to adhere anyhow. If any of your employees, customers or suppliers are based within the EU – you’ll have to process their data in line with the GDPR anyway. In practice, this makes it a pretty global standard that requires an intensive look at its impact on your business.
There’s so much on GDPR, you couldn’t really cover it in one article. There’s some really meaty stuff on how data should be managed, the ‘right to be forgotten’ and loads of other nifty changes. We’ve also got the ePrivacy Regulations adding more compliance caution into the mix, but that’s not even been passed by the European Council yet – so let’s cross that bridge when we come to it. For now, we’re going to concentrate on consent.
Consent has been a talking point within marketing for as long as I’ve been in the field (15 years). Marketers’ and businesses’ understanding of consent usually sits somewhere between blissful ignorance and ‘it’s someone else’s job’, depending on the type of organisation they’re working in.
And as marketers, we’ve been able to get away with it. Enforcement has historically been so rare, and similarly punishments, even for huge global companies and the bottom-of-the-pile PPI shysters, were always relatively small.
Just so we’re clear what I’m talking about, it might be worth clearly defining consent. We’re talking about an individual giving you permission to do something specific (in this case, with their data).
GDPR has really got to grips with consent in a way that we haven’t seen before. And this is going to mean that marketers must make a monumental movement away from some of the common tricks of the trade they deploy to hoodwink people into actions without the intent.
The Ambiguity trick
What marketers might have said
“Well yes they never opted in, but they never told us not to email them either”.
“Course they’ve consented they signed up for the service”.
One challenge previously with the requirement of the Data Protection Act was how organisations tactically leveraged ambiguity to tie customers and website visitors up in knots.
As you can see from the simple comparison table below, the wording with GDPR has some pretty fundamental differences highlighted in bold.
Unambiguous consent by a statement of clear, affirmative action.
When you consider this through a digital marketing lens – particularly thinking about a customer’s or prospect’s web journey – the line above really has quite a profound effect. A statement of clear affirmative action most commonly will be ticking a box. For it to be unambiguous, this box will have to be clearly labelled and very specific about what the effect will be on the privacy of the person ticking the box.
Pre-ticking the corporate box
Anyone used to getting quotes for insurance products online will be all too familiar with the myriad of different consent tactics deployed. There’s the click the box to opt in, click the box to opt out, and what seems to be a common favourite – pre-ticking an opt-in box.
Reading all of the small print, especially when it was purposefully designed to be as difficult as possible to follow, is enough to send anyone’s head into a freefall spin.
GDPR is having none of that. The old trick of pre-ticking boxes for website visitors filling in forms is specifically named within the standard. By “named”, I mean “banned”, obviously. To be clear, you will not be able to pre-tick forms for consent on your website.
The ‘one opt in to rule them all’ hack
It’s been commonplace in some darker corners of marketing for a number of years to try and get a single catch-all opt-in: a generic statement like “I opt in to receive marketing materials.” This was a way that marketers used for a while to get an overarching consent to then send people whatever the hell they felt like.
GDPR is very specific on this point. The consent that you get must be granular for the different processing methods – in marketing speak – the different channels. That means boxes for each of the different ways in which you are going to process a person’s data. No shortcuts.
The hazy memory excuse
“They have opted in, it was on a different system a few years ago.” “I’m new to the role, I’m not sure when they opted in but I’m sure they did.”
They say time is a healer. And when it came to consent, it was the saving grace of many marketing lists. The lack of clarity about when an individual consented to share their details with you has been very apparent in many businesses.
Some of that has been a genuine symptom of circumstance: new people have joined an organisation that has not had any real data control practices in place. When they get trained to use an existing email marketing system that already has data sitting in marketing lists, you can feel for the new marketer who’s keen to impress the hungry MD breathing down his or her neck to ‘get some campaigns out and fast’.
GDPR isn’t going to stand for woolly ‘get out of jail free’ cards like this. It is clear in its ask: the organisation must keep clear records that detail the consent, when it was given and the method. These should be in an auditable format so that if the Information Commissioner’s Office ever comes knocking as part of their enforcement work, everything’s in shipshape condition.
Hazing over unsubscribe detail
“Bury the unsubscribe detail in the footer of the page.” “Make them write to us through the post to unsubscribe.” Many marketers will have been involved in these discussions in days gone by.
Some really unscrupulous marketers over the years haven’t got you on the front end. They’ve got you on the back end. They’ve not played any silly games in getting you signed up, actually making it simple and straightforward and being clear about what you’re signing up for. But when it comes to changing your preferences, or unsubscribing, they’ve made it as difficult as it could possibly be. Tricks include hiding the detail in lesser-visited areas and using more difficult communication channels that are out of context. We’ve seen it all.
GDPR overcomes this by stipulating that organisations must give individuals the right to withdraw their consent. This is a firm statement of a person’s right to withdraw. The methods used to withdraw consent must also be easy. EASY!
One thing you see quite a bit from naughty marketing people is bundling opt-in with joining the service. This trick involves putting a random line in the terms and conditions that no-one ever reads, getting them to accept said terms and conditions with a tick box, and then counting that as an opt-in to receive content. “Well it’s there in writing”: yes, and so is a specific line in GDPR that organisations must not treat consent for data processing as part of accepting terms and conditions. It should be separate, clear and unambiguous.
What does all this mean in practice for marketers?
I think it’s fair to say the amount of work that will need to be done to get an individual organisation compliant will depend solely on what they’re doing at the moment. Some organisations will already be most of the way there in following the guidelines set out by the likes of the Chartered Institute of Marketing and the Direct Marketing Association. Some organisations who have been using the tips and tricks highlighted above to try and get one over on people are going to find themselves with a much bigger uphill battle to contend with.
Regardless of which it is, marketing departments and businesses need to act now. Some of these projects require meaningful change management programmes in their own right, so that you’ll be able to meet your regulatory requirements while still bringing leads and business through the door.