The European Union is soon going to be rolling out the General Data Protection Regulation (GDPR), meant to help protect the privacy of individuals’ personal information. The GDPR has far-reaching implications on how data is used, stored, shared or collected, and provides very specific guidelines. Companies that do not comply with the GDPR may attract fines amounting to 20 million Euros or up to 4% of a company’s revenues.
Truly, the stakes are very high for marketing agencies that depend on personal information to run campaigns and engage in various marketing activities. The law applies to anybody who uses the information of an EU resident. One doesn’t even need to be a citizen of the EU. For instance, if an American is traveling in Europe for a short while, his data will automatically be protected and regulated under the GDPR.
Even if you are trying to contact the American from your agency in the US, you could potentially open up yourself to lawsuits and fines. This is why, marketing agencies need to prepare themselves for the GDPR rollout, and ensure that they comply with the new regulations.
Let us try to understand what the GDPR defines as personal data
Personal data according to the GDPR may include name, email address, location related information, cookies, IP address, etc. This means, pretty much whatever you capture using lead-generation software programs will come under the purview of GDPR. You will need to change the procedure of collecting such information, and will now need to obtain explicit consent before using any of the above mentioned data. It is going to be difficult for marketing agencies unless they comply with GDPR and make the necessary changes.
In addition, personal data may also include behavioral and demographic details, which marketers use all the time. Profiling individuals based on demographic details may prove to be even more contentious legally. For example, you will not be able to market products to certain ethnicities unless you can prove that you are not engaging in racial profiling. Certainly, more clarity is required regarding how marketers can continue to do what they do, while also complying with the GDPR. This article gives a brief insight.
How is GDPR going to affect your marketing activities?
Practically every marketing initiative will be affected by the GDPR. You will need to be extra wary about the new rules because it is particularly targeted at marketing agencies that often use and sell personally identifiable information. All social media, organic and paid ads will come under the GDPR and if you engage in any of the following activities, you will need to be very careful and make sure that you comply with the new regulations.
1. Google Analytics
Google Analytics invariably captures IP addresses, behavior data, emails, cookies, personally identifiable information, etc. All this information will need to be anonymized. You will also need to add a pop-up box or something of that sort which seeks the explicit permission of the user, informing them that their data will be used for the purpose of Google Analytics, even before they enter your website.
2. Remarketing Ads
Remarketing ads and tracking of pixels can be very problematic when it comes to GDPR compliance. You will have to obtain affirmative consent for data to be used, even before they enter your website. For example, if you have set up Facebook Pixel ads, you have to make sure that visitors are informed of this even before they enter your website. Make sure to have a pop-up that gets documentable consent from visitors.
3. Affiliate link and display ads
4. Social media
If you are going to use social media marketing, you will need to make sure that you inform people how you will use the information you collect during social interactions. While social engagement probably doesn’t need permission, if you collect and process that information, you will need the consent of the individual. Make sure to draft a policy that includes your social media marketing activities too.
How a marketing agency can comply with GDPR
While it may seem difficult, marketers can do a lot of things in order to comply with GDPR regulations. It is not too late, and there is still time before the GDPR starts rolling out. To make sure that your marketing initiatives and social media campaigns are done lawfully and in full compliance of GDPR, here is what you can do:
1. Seek affirmative consent
Seek explicit consent of individuals while collecting their personally identifiable data. According to the EU’s GDPR, this consent should be voluntary and the user should take an affirmative action to provide the consent. Before they provide their consent, you will need to make it clear how you are going to use the data, and with whom you are going to share it. To make this happen, you will need to rewrite your terms and conditions, cookies policies, etc, to reflect the fact that you will use information for marketing purposes.
This needs to be written in simple English (or whichever language is applicable in your area), without any jargon. You might also have to redevelop your websites and forms so that pop-up boxes seek explicit consent. Make sure that you do not check boxes by default. The individual has to manually check boxes confirming consent, and you will need to integrate web scripts that document this consent.
2. Maintain privacy and ensure data-related rights
Thanks to the GDPR, everyone has the right to be forgotten, to withdraw consent, and also to protect their personal information from privacy breaches. You will need to notify individuals when their privacy has been attacked, and also notify authorities as and when necessary. You will have to change the privacy settings to very strict terms, and also provide options for the individual to manually change privacy settings. All data needs to be protected, and should be safeguarded from various kinds of threats.
It is also important to note that every individual has data-related rights and you will need to be careful how you use it even after getting their consent. Do not use personally identifiable information for tasks other than what you have permission for. For instance, if you have the permission to send email newsletters, do not start contacting the individual on social media as well.
3. Hire data protection officer
If your company deals with a large amount of sensitive information, such as information related to race, genetic data, ethnic details, and even political opinions, you may need to appoint a data protection officer. You will also need to hire a data protection officer if you process large amounts of personal data, with far-reaching effects. Most marketing agencies may not need to hire data protection officers but if your agency deals with genetic data, or with ethnic/racial information, you might have to hire a data protection officer.
Compliance is also required when it comes to processing children’s information. If you plan to market youngsters below the age of 16, you will require the exploit consent of their parents. You will also need to verify their age and make sure that you have taken all the necessary consent required form the parents.
Take a look at this ICO document that explains how to comply with GDPR.
GDPR may open doors to new opportunities
Certainly, GDPR rollout is giving sleepless nights to marketing professionals. However, this is not something that one needs to fear and can be looked at as a new opportunity to clean up databases, enhance marketing communication, and get more efficient. After all, complying with GDPR will give you a more focused target audience that actually wants to be contacted. Indeed, you might need to put in a little extra effort in the beginning, but once you get used to the regulations, you will be back to your marketing activities as usual, albeit ethically.
You may also like: