With the EU General Data Protection Regulation (GDPR) on the horizon, one might be forgiven for thinking it’s just an issue for IT security teams. In fact, GDPR is about protecting people’s personally identifiable information (PII), which has huge implications for marketers, as this information tends to be the lifeblood of the marketing department.
Marketing teams cannot afford to bury their heads in the sand and pass the GDPR buck to the IT security department, particularly with a YouGov study speculating that almost 17% of the UK marketing and advertising sector would go out of business if they were hit with a non-compliance fine. Instead, they should look at data-centric strategies that incorporate IT security into the process. There are a few general rules to follow:
Protect the Data
Think about what kind of systems are used to store and process data. Many marketers use Cloud applications such as Salesforce or Microsoft Dynamics for Customer Relationship Management (CRM) and for managing customer interactions. These systems have created more agile marketing departments, but their providers are ultimately not responsible for the security of your data – though they do offer encryption solutions.
Encryption is a great way to protect data, but only if the keys to access that data are held separately from the data they protect. If the Cloud or SaaS provider is also in control of the encryption keys to your data, it’s not going to go in your favor should breach notification or investigation be deemed necessary.
Organizations need to take control of protecting the data themselves in order to reduce the scope of GDPR and ensure they’re protected from extensive fines in case of a breach at the cloud provider.
Opt out is no longer an option
The Information Commissioner’s Office (ICO) in the UK, for example, has set out in its GDPR guidance that pre-ticked, opt-out or default settings are no longer sufficient for marketers when sending communications. It explicitly says that organizations “must ask people to actively opt in” to receive communications about products and this process must be regularly reviewed.
A great example of a business turning this into a positive for its marketing strategy is Lloyds Banking Group. The company started reviewing its processes early and is implementing steps now that will stand it in good stead for the official rollout of GDPR in May next year.
As with many things in life, preparation is key. Look at what others are doing and try to implement changes now, however small, in order to get it right when it counts.