Customer Engagement under GDPR: A Primer
From London to Rome to Melbourne to North America and beyond, May 25, 2018, marked the epicenter of a major upheaval in digital communication. That was the day the General Data Protection Regulation (GDPR) came into effect, a sweeping regulatory measure that left consumers with inboxes overstuffed by a deluge of updates, opt-ins, pleas to stay connected, and special offers.
The most comprehensive and rigorous privacy regulation enacted to date, GDPR raised the bar to dizzying heights in defense of the information privacy rights of individuals in the EU. For many brands, it has been a mad scramble for compliance and an ongoing struggle to grasp the full implications of the new standards.
Regardless of their level of preparedness, brands have no choice but to comply. As many quickly learned, simply updating privacy policies does not suffice. Compliance requires a fundamental rethinking of big-data-driven customer engagement, a firm grasp of both the spirit and the substance of this watershed regulation and, more importantly, the data and marketing solutions necessary to flourish in the era of GDPR.
In a Nutshell
GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC), an earlier EU directive that set the parameters for the handling of personal information. GDPR significantly expands both the privacy rights of individuals in the EU and EU regulators' ability to collaborate across borders.
If a business, regardless of its size or location, has an "establishment" in the EU, offers goods or services to persons in the EU, or monitors the behavior of individuals in the EU, it must ensure that its personal data activities (storage, processing, and management) are firmly in compliance with GDPR. The tricky thing is not just that GDPR is practically global in scope. It will also very likely entail an overhaul, not only of data processing practices and capabilities, but also of the contracts that bind together those who control and those who process data (controllers and processors).
Given their proximity to regulatory bodies, European businesses are particularly hard pressed to ensure GDPR readiness for themselves and for their sub-contractors and service providers. A very real incentive compels brands to do this: the consequences of non-compliance include fines of up to €20 million or 4 percent of a business' worldwide annual turnover, whichever is higher.
Principles and Rights
GDPR delineates the principles that must govern the processing of personal data: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and demonstrable accountability. Brands must be familiar with all of these principles and base any compliance strategy and architecture on them.
Arguably more important are the rights reserved for individuals under GDPR. In most cases, companies must respond to individual requests without undue delay and within one calendar month (extendable by a further two months for complex or numerous requests, provided the individual is told why).
Right to be informed & Right of access
Individuals must be informed when their data is being collected, for what purpose and for how long it will be retained, and with whom it will be shared. The same goes for personal data obtained from another party. Individuals are also entitled to access their personal data, normally free of charge. Only if a request is manifestly unfounded or excessive may a "reasonable" fee be charged (or the request refused).
Right to rectification
Individuals have the right to have their data corrected or completed, and companies must respond within a month.
Right to restrict processing
In certain circumstances (for example, while the accuracy of the data is being contested), individuals have the right to require that processing of their data be restricted. After such a request, the data may still be stored, but it may not otherwise be processed except in limited cases, such as with the individual's consent or for legal claims.
Right to object
Individuals can object to the processing of their personal data in some circumstances, and they always have the right to object to its use in direct marketing, including profiling for that purpose. Individuals must be explicitly informed of this right.
Right to erasure
Individuals can have their data erased in several situations: for instance, when an individual withdraws the consent on which processing was based, or when the individual objects to the use of their personal data in direct marketing.
Right to data portability & Right in relation to automated decision making and profiling
To meet the right to data portability, brands must ensure that the data individuals have provided is available in a structured, commonly used, machine-readable format and, where technically feasible, can be transmitted directly to another organization. The last right entitles individuals not to be subject to a decision based solely on automated processing, including profiling by AI-driven systems, that produces legal or similarly significant effects on them. In such circumstances they are entitled to obtain human intervention, to express their point of view, and to contest the decision.
Local privacy laws compatibility
The shock of GDPR was in part a reaction to its enormous scope. But to develop a customer engagement strategy that is legally grounded yet effective after GDPR, brands must understand the differences between their local privacy laws (or lack thereof) and GDPR's new threshold of privacy protection.
In Australia, for instance, the Privacy Act 1988 exempts certain organizations, based on business model and size, from compliance. GDPR offers no such threshold: all businesses handling the personal data of individuals in the EU must follow its rules. There are also significant differences relating to consent and erasure, and GDPR penalties for non-compliance are higher. In addition, the European Commission has yet to recognize Australia as providing an "adequate" level of data protection, so EU businesses transferring personal data to Australian partners must put additional safeguards in place.
Seamless customer engagement post GDPR
Seamless customer engagement and GDPR compliance must go hand in hand. The sheer volume and complexity of personal data have already proven challenging to many, a predicament exacerbated by dated data and martech solutions unable to keep pace with the explosion of channels and data sources. Under GDPR, delay is no longer acceptable. More than ever, marketers must develop a unified view of the individual customer, drawn from a data platform with privacy and consent management built in.
If you are interested in how this can be done, the Resulticks white paper, GDPR Compliance for the Omnichannel Marketer, explores data consolidation, privacy by design and by default, and how to ensure easily accessible, unified customer intelligence to fuel omnichannel engagement journeys.