25 May marked a year since the General Data Protection Regulation came into force.
It was heralded as life-changing for marketing as we know it. But has GDPR really changed marketing activity in the last twelve months?
What does GDPR compliance entail?
The General Data Protection Regulation affects any organisation that:
- Possesses or processes data pertaining to an identifiable person
- Contacts those individuals via email, phone, SMS or mail
- Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual
It removes the distinction between business and personal data – previously, data used for B2B marketing was not subject to such stringent rules as that used for B2C.
The regulation applies to any EU citizen, no matter where in the world the data is held.
How did firms respond to GDPR?
There was a huge flurry of activity in the run up to the new legislation.
- Selecting a lawful basis
The regulation gives firms a choice of six ‘lawful bases’ under which they can process data.
In the lead up to 25 May 2018, many firms had focused on using consent as their lawful basis of choice. There was a great deal of debate about how to achieve consent from your contacts so that you could carry on marketing to them via email.
In practice, when it came down to the wire, a lot of firms in fact shifted to use ‘legitimate interest’ as the lawful basis under which they would continue emailing their clients and prospects.
- Focusing on other marketing channels
With email becoming potentially more challenging – and firms’ contact lists at risk of being decimated by opt-outs – has marketing activity changed in the last 12 months?
There was predicted to be a shift towards other digital marketing– particularly SEO and social media. Paid social, in particular, is a popular choice for firms wanting to minimise their GDPR risk, as the compliance responsibility sits with the platform, not the advertiser.
SEO, social media and pay-per-click (PPC) are the top three areas handed over to external agencies, according to a survey. If you’re looking to use external experts to help with increased digital activity, beware though – this brings its own challenges.
If you’re regulated by the FCA, avoid the potential pitfalls of outsourcing by making sure your approach is compliant with the regulator’s rules.
- Refining data and content
Of course, it’s not all doom and gloom. In fact, the GDPR provided firms with a real impetus to clean up their act. ‘Spray and pray’ marketing – indiscriminately emailing large groups with no real targeting or focus – shouldn’t be any Marketers chosen approach.
Having a smaller, laser-focused, list of contacts and creating content that talks to those people; that should be your Holy Grail.
What’s the point of emailing 2,000 people if 1,500 of them are irrelevant to your product or service? Building relationships with the remaining 500 should not only be your objective, but should deliver far better results, with % open and click-through rates going through the roof.
Clean up your data and focus on building the most effective marketing content strategy that will maximise engagement with your content marketing.
- Getting marketing activity under control
One of the biggest challenges Marketers face is keeping control of their activity. This can be particularly true in professional services firms, where a wide range of people can be involved in creating and issuing marketing communications.
You cannot be 100% confident that you’re complying with legislation if you don’t have oversight of all your financial promotions.
How have marketers performed when it comes to compliance?
Not always brilliantly, in truth.
A report released in July last year claimed that UK employees are more likely to be told off for failing to keep the workplace tidy than they are for breaching the GDPR.
And a survey in December found that two-thirds of EU firms were not fully compliant with the regulation.
With some commentators having suggested that data breaches could be the next PPI scandal, and that the new regulation poses a bigger compliance challenge than MiFID II, GDPR is something that all businesses should be taking seriously.
What next for GDPR compliance?
In a blog to mark the anniversary of the regulation, Elizabeth Denham, the Information Commissioner noted that:
‘there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.’
Denham’s office will focus over the next year on providing support to ‘all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed’.
You can read advice on GDPR compliance for small businesses here.
A move from tick-box compliance to a cultural shift
In the second year of the GDPR, Denham says the focus ‘must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals’.
This move away from ticking a box towards organisational behaviour that embeds good governance will be familiar to regulated marketers. If you’re regulated by the FCA, the push for compliant cultures is nothing new – one reason why regulated marketers may have been better prepared for GDPR than their unregulated peers.
Make sure your firm complies
If you want a refresher on what you need to do to comply with GDPR, this blog on the regulation’s launch might be useful.
And whether or not you’re regulated by the FCA or another body, the GDPR is just one of a number of rules you need to follow.
You can find out more about the compliance requirements even non-regulated firms face by downloading a copy of Compliance for non-regulated businesses. The whitepaper’s free, and you can get a copy from our here.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.
How can we help?