
How to collect data about your customers without violating GDPR

Wed 10 Apr 2019 | Oksana Hatsenko

It’s almost a year since GDPR came into effect. What have marketers learned? And what can they do better?

Data is vital for modern marketers. From small, newly launched online bookstores to famous gadget manufacturers and financial corporations, customer data underpins seamless interaction, personalization, and delivery. Large amounts of sensitive information such as email addresses, phone numbers, and even billing credentials are stored in the CRM systems of various companies. Before 2018, an ordinary EU customer had little opportunity to control how that information was used. But things have changed.

Since May 2018, all businesses that work with the EU directly or indirectly have been required to comply with GDPR. It brings new rules for collecting, processing, storing, and exchanging data. As almost a year has passed since GDPR came into force, it’s time to recall the key points and look at how entrepreneurs can collect private data legally.

GDPR Essentials

To begin with, let’s define the basic terms. GDPR is a set of rules introduced by EU legislators in 2016 and in effect since 2018. The law applies to all brands that work with EU citizens and keep their data. This means that even an offshore business registered outside Europe must meet the key GDPR rules if it gathers, uses, or shares information about clients from the EU.

The term “personal data” may seem complex, but regulators define it clearly: it is any information that can lead to the identification of a natural person, whether directly or indirectly. Obviously, this definition covers surveys in which participants enter their real details. Even nominally anonymous surveys are partly covered if they collect data that can be traced back to a person, such as IP addresses or browser details.

Violations of GDPR rules lead to strict penalties. They depend on how long data was collected illegally, the quantity of that data, and the consequences (e.g. leaks or hacker attacks). Fines go up to €20 million or 4% of yearly turnover. A note for UK-based brands: until the Brexit process is complete, British companies must also comply fully with GDPR.

Important Changes to Know About

The primary changes of the regulations in comparison with previous laws can be reduced to eight points.

Extended Territorial Jurisdiction — One of the main changes in GDPR is clarity about where it applies. Now, all teams that use data about persons or entities belonging to the EU have to work under its rules.

Strengthened Conditions for Consent — Brands must ask for consent in simple, clear language, clearly separated from other forms of acceptance. Users should be able to give or withdraw consent easily.

Right to Access — Any person who shares his/her sensitive information can request a complete copy of the data any company has collected about him/her. This service is free of charge.

Right to be Forgotten — Similarly, any person can ask to delete all gathered data and prevent its usage by third parties. The public interest should be considered here.

Data Portability — Information should be easily accessible to users, who must be able to move their data between the organisations that hold it. Thus, corporations must store data in standard, portable formats.

Privacy by Design — Database owners should build data collection and processing in a privacy-preserving way from the start. They should also follow the minimization principle and use only the information that is necessary.

Breach Notifications — Organisations in any industry where a data breach is likely must notify customers. Notifications must be sent within 72 hours of the breach.

Creating GDPR-Compliant Campaigns

So, the question is: how can you gather important insights about clients while complying with GDPR? Obviously you should focus on meeting all the criteria described above, but there are more specific actions you can take. Let’s go through the basic steps for reshaping your in-house processes so that they meet GDPR rules.

Map and Document Data — Tracking all data lets you know where you get it, how you use it, who can access it, and which risks are attached to each process. With clear knowledge of your clients’ data and credentials and, ideally, documentation of it, you will be able to strengthen weak links and implement GDPR-compliant changes faster.

Determine Key Data — Following the minimization principle, you want to keep only the necessary data and get rid of redundant or useless information while you are rethinking your business processes. For instance, you can ask managers why they save extra data, or what revenue keeping a piece of information could bring compared with removing it. Complying with the new rules will be harder if you handle special categories of sensitive data such as sexual orientation or religion. In that case, it’s better to consult professional lawyers.

Give Users Control — In addition to the rights already listed (to access, to be forgotten, and to move data to another controller), users can request correction of inaccurate records, ask that their data not be used for particular purposes such as marketing, and demand compliance with the extra rules on automated processing. You are obliged to fulfill all such requests.

Remember About Security — While GDPR itself doesn’t set out exact rules or guidelines for security, you can start with basic measures such as encrypting your website traffic and stored data. In addition to notifying users about breaches, corporations must maintain strong security backed by regular testing. The checklist compiled by the ICO is a good place to start.

Let’s remember that GDPR is more an opportunity than an obstacle for sales teams. First things first, the very process of collecting and analyzing sensitive data is fair as long as people give their consent. Earlier, marketers had more options for engaging users; for example, they could send cold emails without the recipients’ consent. Now, employees should design more elaborate and personalized campaigns, work with clients who really want to receive information and buy products or services, and increase revenue by no longer spending effort on uninterested prospects.

And, of course, it always comes back to security. To prove that the team meets GDPR rules, it has to implement dedicated, reliable software such as a data management system or a protected database. As a result, all client credentials will be stored in a safer place than before. Naturally, this can increase brand loyalty. All in all, this makes GDPR look useful, doesn’t it?

Experts featured:

Oksana Hatsenko

Head of Marketing
