In the panic of preparing and protecting databases for GDPR, many big and trusted brands, Moneysupermarket, Morrisons, Flybe and Honda, have fallen foul to fines posed by the existing Data Protection Act whilst attempting to re-engage some of their existing data, without those contacts having given permission for them to do so. After the May 25th deadline, those fines could be as much as forty times higher.
What could these companies have done differently? And more to the point, what should companies do with their older, lapsed and non-engaged data now before GDPR and the updated Privacy and Electronic Communications Regulations (PECR) come into force? These are just some of the questions we’re being asked more and more frequently as the GDPR deadline approaches.
The first response is a principle about the data itself. Ask yourself ‘why are you holding it’? If it was collected as part of a one-off transaction for a product or service from your company, it shouldn’t be held ‘for longer than is necessary’ in any case. While this is clearly open to interpretation, under GDPR, unresponsive or disengaged data without marketing permission must be immediately removed from your data environment. Retaining it is in breach of the new regulation, let alone attempting to market to it.
If you do have older, lapsed data, running it through a data hygiene bureau to remove any deceased estate lists, ‘goneaways’ and ‘movers’ will significantly increase its quality. If your data is over a year old, the collective of these activities will be a reduction in the quantity of that data by around 15%.
Assumed permission via a soft opt-in is a possibility if your data subjects have purchased more recently. It is reasonable to expect that if they bought from you recently, gave you their details and did not opt out of marketing messages, they may be open to receiving marketing communications from you regarding similar products or services in the future, even if they haven’t specifically consented. In such an instance, you could proceed to contact a recent customer (taking into account your specific business type). However, you must ensure you provide a clear opportunity to opt out – both when you first collected their details, and in every message you send subsequently – and of course you must act upon any instruction they give you.
Within the ICO guidelines on GDPR and subsequent to the May deadline, businesses must be able to prove the equity of the data they have collected before using it. If a complaint is made where date stamped permission and channel have not been specified, businesses may face a fine.
In summary, the emphasis should be on conscious, permission-granted contacts where you can focus on creating engaging personalised content within your smaller, existing database and improving your future marketing. At the recent DMA hosted Data Protection Conference on Friday 23rd February, the Information Commissioner and many of the speakers warned against re-engaging contacts without carrying out the correct assessments first both in terms of a LIA (Legitimate Interest Assessment) and ensuring the necessary consents are in place.
There’s much more on our dedicated GDPR microsite, including how we can provide you with a one-day GDPR permission-focused workshop to cover the three key aspects of GDPR across data, channel and brand. The ICO also offer very practical help on email marketing in relation to the existing PECR regulation which will remain with us for some time. Following the latest Data Protection Conference the new ePrivacy regulation is now expected to be delivered in Spring 2019.
Want to know more? Get in touch and work with us on your GDPR strategy. Email [email protected].