Loyalty marketers sleepwalking into law breaking
The consumer opt-in consent protection for marketing campaigns is being rendered obsolete by new EU legislation. Jeremy Whitaker, chairman of Verso Group, explains what this means for marketers and how they can continue to use customer data.
From time to time some questionable marketing campaigns are held to account in the court of the popular media, but it is extremely rare for marketers to be known for actually breaking the law. However, many are heading that way unless there is major change between now and the end of 2017.
What is behind this is the fact that many are sleepwalking towards the introduction of the new EU data law, or General Data Protection Regulation (GDPR).
What lies at the heart of this is that the current level of consumer opt-in consent used in nearly all consumer contact databases will not be sufficient under the new law. It will render data unusable, or there is the prospect of proposed fines running to hundreds of millions of euros, plus consumers may be given the right to claim damages for misuse of data.
GDPR covers areas such as personal privacy and security, but from a loyalty marketing perspective it is about the new consumer opt-in permission rules. It means all data will have to be audited against the new standards, and where it does not conform it will need to be refreshed by asking for enhanced consumer consent. There is also a need to create an effective storage system for individual consent forms, and a method through which consumers can ask to have information on them removed.
These are not insignificant tasks, and they will not be quick to implement. But no matter the level of frustration generated, the only alternative to becoming compliant is to accept that databases will have to be written off. However, there is potentially positive news in all of this. If you have to contact customers and prospects to renew consent, that contact can be used to gain new data on a large and detailed scale, and at the same time to make offers direct. The benefits can actually be made to outweigh the negatives.
Of course, there is a temptation to look for a shortcut, or to delay aspects of the compliance process, but really they only delay the inevitable, and are more costly in the long run. All companies at some stage will come under scrutiny from the Information Commissioner's Office (ICO), or members of the public, and the combination of hefty fines and consumers having the ability to claim damages for misuse of information is difficult to ignore. There could even be the possibility of a PPI-type move towards the public demanding compensation on a large scale, plus, of course, harm to brand reputation.
From the start it is advisable to seek help. Few brands or agencies are equipped to manage the compliance task, and there are more than a few data suppliers that struggle to understand what is involved in GDPR. So when seeking support make sure it comes from established, reliable sources. A compliance heritage is a must, and also ask detailed questions about the forthcoming regulations. If there is hesitation, look elsewhere. Inevitably a small industry of compliance advisors will emerge, so make sure the right one is sourced.
The other job at the top end of the to-do list is to appoint someone to be responsible for overseeing the compliance process. If nobody is given ownership there is a possibility that the job will get pushed back and forth and ultimately not get done, or be implemented badly. Either way the result could be costly.
Whoever takes charge, their responsibilities should include producing written guidelines on GDPR and distributing them to all relevant personnel. The guide should set out what is, and what is not, allowed in terms of consumer data so that individuals can do their jobs safe in the knowledge that they are not breaking the new law.
Data audits and changes to data protocol are not things that can be rushed, and may take months of work, including changes to software. Currently, for example, there are very few CRM software systems with a storage function for keeping consent forms.
Even though the new EU law may not be introduced until the end of 2017, or even later, the lawmakers and bureaucrats in Brussels are perfectly capable of acting more quickly than predicted. More importantly, it may take some data owners a year or more to prepare. Even starting work on compliance today will be too late for some. Delay is a risky strategy given the potential financial penalties, but also the investment needed in any last-minute intensive bid to play catch-up.
Three key tasks
To continue to use data there are three key tasks that have to be completed. They are establishing whether or not the current level of opt-in permission meets the new unambiguous terms required, refreshing it appropriately if needed, and storing consent forms from every consumer, whether in electronic or paper form.
There is widespread confusion about the definition of the ‘unambiguous’ permission criteria in the forthcoming law. A good illustration is that it will be like a traffic light system. Consumer consent will have to be sought and provided if you want to convey information about a given subject to a customer or prospect through a given communication channel. Later you may wish to communicate about another subject in another way, and that would be like stopping at another set of traffic lights at which fresh permission must be asked in order to move forward once more.
Storing consent forms is something that most data owners have never had to do before, but in future all forms will have to be presented if requested by the ICO. Creating a storage facility is therefore a key element of compliance.
The other task is to enable consumers to have their data removed quickly if they request it. The ‘take down’ clause, as it is becoming known, means having to provide a clearly identifiable route for members of the public to make contact and have their request made known and acted upon.
Almost as important as becoming GDPR compliant is maintaining a new data regime. Regular reviews will put any emerging problems right, and remove the risk of sanctions, or having to undertake data overhauls. Qualified third parties will be able to make objective assessments, and also give advice on making improvements to data protocol, and use of data.
To state that the new data law is unwelcome is an understatement. However, it does present a positive opportunity. If it is necessary to refresh opt-in consent levels by contacting consumers, it is possible to use that contact to learn a great deal more about them, discover their real buying potential and purchasing triggers, and during that process sell or make offers directly to them. The compliance process can be used as an opportunity for improving market knowledge, driving sales or recruiting more customers.
A form of communication that will come into its own in this situation is sophisticated telemarketing that uses top-end operators who work to multi-layered scripting. They can interview consumers to gain information while seeming to conduct non-interrogative dialogue. Valuable information can be obtained, verbal opt-in consent can be taken and stored electronically, and they can make any one of a range of different offers based on consumer responses.
The new data regulations are an unwanted burden, but they can be used as a catalyst for improving knowledge and communication with consumer targets, generating new information and promoting offers. Rather than seeing GDPR in a negative light it is possible to meet the challenge in a positive way and get a return from it that more than pays for investment in compliance.