CYBER WEEK – Black Friday through to Cyber Monday around Thanksgiving in the US, and increasingly the days either side of these dates is becoming by far the most lucrative online trading period of the year. LawBriefs lawyer, Barbara Jamieson, recently wrote on our blog about some of the key legal aspects for making your business' Cyber Week a commercial success. Here we put on our marketer's hat and look at the impact of the European Union’s General Data Protection Regulation (GDPR) on some of those core marketing techniques that you have used for previous Cyber Week campaigns.
The new landscape
Only last year The Economist said that personal data was the new oil and the world’s most powerful resource. The ways in which businesses can use personal data in their marketing activities has been fundamentally changed with the introduction of GDPR, the new set of data protection regulations that have changed the face of marketing as we knew it. GDPR has also resulted in customers becoming increasingly aware of their digital footprint and personal information usage rights. These two things together have resulted in marketing teams now needing to be completely GDPR compliant in their communications efforts to acquire and use consumers’ personal data.
What data is affected by GDPR?
The EU has defined ‘personal data’ as including any information which can be used to directly or indirectly identify an individual or ‘data subject’. This includes information such as someone’s email address, name, age, photo and IP address.
The Consumer view
Interestingly, research recently conducted by Marketing Week has revealed that most consumers do not feel any better off in term of their personal data’s usage. When asked ‘What impact has GDPR had on your overall experience with brands?' 65% said ‘no change’. While over a third (36%) believe that companies have used their personal data without their consent since the introduction of GDPR. It’s not all negative from the consumer’s side, however, a recent survey by the DMA found that 73% of people agree that in today's online world there is an acceptance that you have to provide personal information in order to benefit from certain services.
Advice for marketers
Although on the surface GDPR may seem incredibly extreme in its scope for businesses, especially those operating on a smaller scale, there are a few practical, common-sense steps you should take to help you towards compliance. Marketers should really focus on these three specific areas to avoid problems:
The new landscape
Only last year The Economist said that personal data was the new oil and the world’s most powerful resource. The ways in which businesses can use personal data in their marketing activities has been fundamentally changed with the introduction of GDPR, the new set of data protection regulations that have changed the face of marketing as we knew it. GDPR has also resulted in customers becoming increasingly aware of their digital footprint and personal information usage rights. These two things together have resulted in marketing teams now needing to be completely GDPR compliant in their communications efforts to acquire and use consumers’ personal data.
What data is affected by GDPR?
The EU has defined ‘personal data’ as including any information which can be used to directly or indirectly identify an individual or ‘data subject’. This includes information such as someone’s email address, name, age, photo and IP address.
The Consumer view
Interestingly, research recently conducted by Marketing Week has revealed that most consumers do not feel any better off in term of their personal data’s usage. When asked ‘What impact has GDPR had on your overall experience with brands?' 65% said ‘no change’. While over a third (36%) believe that companies have used their personal data without their consent since the introduction of GDPR. It’s not all negative from the consumer’s side, however, a recent survey by the DMA found that 73% of people agree that in today's online world there is an acceptance that you have to provide personal information in order to benefit from certain services.
Advice for marketers
Although on the surface GDPR may seem incredibly extreme in its scope for businesses, especially those operating on a smaller scale, there are a few practical, common-sense steps you should take to help you towards compliance. Marketers should really focus on these three specific areas to avoid problems:
- Data permission
- Data access
- Data focus
The key point is that individuals must be able to both easily access their personal data and remove consent for its use. An example of this would involve you ensuring that you include an unsubscribe link within your Cyber Week promotional emails. You should also have a separate link which goes to the user’s preferences and allows them to manage how you communicate with them. Reliance on ‘legitimate interest’ as a route to compliance is not really the best policy from a business legal advice standpoint. It may well keep you covered within the regulations in the B2B environment but for B2C the threshold for consent is much higher. This means that activities involving third-party data sources such as buying data lists, affiliate marketing and use of ad tech companies as data processors are all far less attractive for many advertisers. This extends to the use of behavioural data as a whole for your marketing activity. The use of cookies to track individuals online activity has become far reduced because of GDPR. A combination of search engines enacting policies to block third-party cookies and ad blockers means that retargeting of display ads will potentially continue to fall in comparison to contextual content based display ads. Facebook is one platform who are creatively trying to work around possible advertising revenue losses by moving towards using a first-party cookie with their Facebook pixel.
What to do in case of a data breach
You must notify the ICO within 72 hours of any breach you discover. You must also ensure that any third parties who you work with are aware and able to respond quickly. The ICO has a detailed set of guidelines on what is required in the era of GDPR in the case of a data breach.
Enforcement and potential fines
While the ICO has yet to issue a penalty for a breach of data since the full implementation of GDPR, there have already been some very high profile cases this year involving data breaches which may eventually result in substantial fines. We do know, however, that non-compliance can result in significant levels of administrative fines, with the two tiers being: up to 10 million Euros or 2% of an organisation’s annual turnover – whichever is greater. up to 20 million Euros or 4% of an organisation’s annual turnover – whichever is greater.
Moving forward
When engaging with your customers through your outbound comms you should shift focus into only requesting information that you genuinely need and move away from asking for those bits of information which can be classified as ‘nice to have’. It is unlikely that behavioural data collection will end completely. The use of cookies, device tracking, and internet monitoring will continue especially outside of the European Union and the jurisdiction of GDPR. For the time being, even within the European Union, consumers can still assume that their behavioural data is being stored – although with increased transparency and accessibility if and when requested.
The business upside
It should be remembered that GDPR is not designed to stop businesses from communicating with their customers. A commitment to quality data practices has rewards for marketers as well. As discussed in a previous LawBite blog article, there are many ways that being fully GDPR compliant will be of benefit to your organisation. If you are not sure that you are fully GDPR compliant, LawBite is here to help. Please get in touch with a member of the LawBite team to receive a 10% discount on our GDPR Rescue Pack including: 12 GDPR compliant templates and a 30-minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £445 + VAT. Please quote discount code CYBER10, valid until 26 November 11.59pm. This article is written by Michael Jaiyeola from LawBite. For expert business legal advice, please do enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.
Journey further… GDPR Checklist GDPR Products and Services LawBite GDPR Rescue Package GDPR FAQs Disclaimer: This blog post should not be used as a complete guide to EU data privacy nor as legal advice for your company to use in complying with EU data privacy laws like the GDPR. This post is for informative purposes only - you should not rely on it as legal advice or recommendation of any particular legal understanding.
What to do in case of a data breach
You must notify the ICO within 72 hours of any breach you discover. You must also ensure that any third parties who you work with are aware and able to respond quickly. The ICO has a detailed set of guidelines on what is required in the era of GDPR in the case of a data breach.
Enforcement and potential fines
While the ICO has yet to issue a penalty for a breach of data since the full implementation of GDPR, there have already been some very high profile cases this year involving data breaches which may eventually result in substantial fines. We do know, however, that non-compliance can result in significant levels of administrative fines, with the two tiers being: up to 10 million Euros or 2% of an organisation’s annual turnover – whichever is greater. up to 20 million Euros or 4% of an organisation’s annual turnover – whichever is greater.
Moving forward
When engaging with your customers through your outbound comms you should shift focus into only requesting information that you genuinely need and move away from asking for those bits of information which can be classified as ‘nice to have’. It is unlikely that behavioural data collection will end completely. The use of cookies, device tracking, and internet monitoring will continue especially outside of the European Union and the jurisdiction of GDPR. For the time being, even within the European Union, consumers can still assume that their behavioural data is being stored – although with increased transparency and accessibility if and when requested.
The business upside
It should be remembered that GDPR is not designed to stop businesses from communicating with their customers. A commitment to quality data practices has rewards for marketers as well. As discussed in a previous LawBite blog article, there are many ways that being fully GDPR compliant will be of benefit to your organisation. If you are not sure that you are fully GDPR compliant, LawBite is here to help. Please get in touch with a member of the LawBite team to receive a 10% discount on our GDPR Rescue Pack including: 12 GDPR compliant templates and a 30-minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £445 + VAT. Please quote discount code CYBER10, valid until 26 November 11.59pm. This article is written by Michael Jaiyeola from LawBite. For expert business legal advice, please do enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.
Journey further… GDPR Checklist GDPR Products and Services LawBite GDPR Rescue Package GDPR FAQs Disclaimer: This blog post should not be used as a complete guide to EU data privacy nor as legal advice for your company to use in complying with EU data privacy laws like the GDPR. This post is for informative purposes only - you should not rely on it as legal advice or recommendation of any particular legal understanding.
