GDPR and digital marketing one year on …
It’s almost a year since the General Data Protection Regulation (GDPR) was introduced on 25 May 2018. GDPR replaced the previous Data Protection Act and was designed to offer consumers better protection and more control over how their personal details are collected, stored, processed and used.
The consequences for non-compliance with GDPR can be severe, with a penalty scale in place that culminates in fines of up to €20 million or 4% of your global turnover in the event of a data breach. Despite this, many smaller businesses still aren’t complying with GDPR. And according to a survey by insurance firm, Hiscox, 39% of SME owners still don’t know who the regulation affects and 90% don’t understand the new rights it gives to consumers1.
In this article, I’ll take a look at some of the key compliance areas you need to be aware of in relation to GDPR and your online marketing activities.
Consent to be contacted
In digital marketing terms, there are two main scenarios where it’s acceptable to contact consumers under GDPR: cases of legitimate interest and where consent has been clearly given. Legitimate interest is something of a grey area, but it’s usually OK to send marketing communications to existing clients or people you’ve worked with recently. Ask yourself if the person would expect to receive emails from you. If not, it’s best not to contact them.
GDPR email collection
If someone has emailed you and asked to be kept informed about your business, you can add them to your contact list, provided you save the original message as proof of consent. Contacts made through social media, such as LinkedIn messages, are a bit more problematic. You could send the individual a message asking them to email you directly so you can reply with a link to a sign-up form on your website or email marketing platform.
In short, implied consent isn’t an option under GDPR. Best practice is to collect data using a digital sign-up form that has double opt-in functionality. In other words, once the form has been competed, your contact will receive an email asking them to click on a link to confirm their consent to be added to your mailing list. Once they’ve signed up, you’ll need to include an option to unsubscribe or change their contact preferences with every email.
‘The right to be forgotten’
A key right under GDPR is that consumers can ask for their contact details to be deleted. At the same time, business owners are obliged to actively identify and delete contact details that aren’t held in line with the rules. Typical scenarios include where it’s no longer necessary for the data to be stored or processed (e.g. the individual is no longer a client); the data has been unlawfully collected or processed in the first place; there’s no legitimate interest; or the consumer withdraws their consent to be contacted.
If your contact list includes people who gave consent under the old Data Protection Act rules, you’ll need to revisit their records to ascertain whether their consent stands under GDPR. Unless a compliant audit trail for consent is in place, you’ll either need to delete these contacts or get in touch asking them to give you explicit consent as outlined above. Note that if they don’t reply or give consent, you’re not allowed to contact them again.
Privacy Notices, Cookie Policies and Website Terms & Conditions
GDPR compliant contact forms
Having an SSL certificate means your URL will start with https:// instead of http://. Your website will have inbuilt security features that offer added protection when people enter their personal or financial details into the site. The only websites that don’t need an SSL certificate under GDPR are those that don’t collect any consumer data – but how many sites don’t have a contact form these days? Probably not many!
Having a secure website is also important in terms of trust. Research shows that 75% of consumers will abandon an online transaction if they don’t feel the site is trustworthy2, just as most people will leave a site that’s badly designed or unwelcoming. What’s more, Google uses SSL certification as a ranking factor, so having one in place will help with your SEO rankings as well as boosting conversions and decreasing your bounce rate.
The positives of GDPR
Yes, there are some benefits to the new legislation! After all, GDPR isn’t designed to stop you communicating with bona fide customers and contacts. It’s simply there to help keep consumer data safer and protect people from receiving communications they don’t want. GDPR is a great opportunity for you to cleanse your data and increase the quality of your contact lists. In turn, this will help improve your online engagement and conversion rates and reduce your website bounce rate.
In addition, asking people about their preferences means you can gain a deeper insight into your target audience and segment your messaging accordingly. By targeting your communications rather taking the traditional ‘one size fits all’ approach, you’ll have a better chance of turning prospects into paying customers.
GDPR might sound complex, but the core principles are quite simple:
- Don’t contact people who aren’t expecting to hear from you
- Don’t just assume people want to hear from you
- Buying random databases and making cold contacts isn’t a good idea
- Research your audience’s preferences and respect them by restricting your communications to what’s interesting and relevant
- If you’re not sure whether someone wants to hear from you – just ask!
By following these rules and implementing the best practices outlined in this article, you’ll be well-equipped to create compliant mailing lists that benefit your contacts as well as your business.
Need help making your website GDPR-compliant?
Chartered Marketer and CIM Fellow offering a personal and tailored web consultancy service to UK business owners and self-employed professionals. I formed Imagine Digital Marketing in December 2016 and I really enjoy helping my clients make the most of online opportunities.