Only 16% of marketers have adjusted to GDPR compliance right now
Our recent study with Econsultancy, the 2017 Email Industry Census, has highlighted data as the main challenge preventing the use of more personalisation. That's not really surprising as an earlier study with the IDM showed that the majority of marketers only collect names, addresses, and phone numbers. But while collecting more and better data has been a hot topic in the marketing industry for about a decade, there's something else making marketers stir at the moment: GDPR.
If you send email marketing campaigns to subscribers in the European Union and the UK, it would be very hard to escape the news of GDPR. Still, according to the survey of 1,200 marketers which formed the basis of the 2017 Email Census, 16% of in-house marketers and 23% of agency respondents aren't aware of changes that could affect their activities.
If you're already compliant with the law, kudos to you! But otherwise, make sure you look into the requirements of the regulation carefully. After all, neither 4% of global turnover nor €20m is really worth risking just because you didn't read the fine print carefully.
On the other hand, I salute the 54% of in-house marketers (and 52% of agencies) who think Brexit won't have an impact on the way they approach GDPR. You're right. With the UK estimated to complete the exit process by April 2019, that still leaves 11 months of GDPR compliance that marketers can't avoid. It is also expected that the emerging trade deal with EU27 will require the EU to issue the UK with a certificate of adequacy - which will mean we will need to continue to meet the GDPR requirements as a minimum.
Where do you start then? The ICO's overview page is updated monthly so I recommend you check that out, as well as the DMA website. And if that wasn't enough, on top of GDPR is the Privacy and Electronic Communications Regulations (PECR2003) which specifically covers email and SMS (this too is to be reviewed in 2018 in the form of ePrivacy Regulations).
So what can you do?
Explaining GDPR compliance in a few lines would be futile, so I'll just share some essential pointers:
- Explain why you need someone's personal data when you collect it and how you will use it
- Ask for consent in an obvious way, not by hiding it in your T&Cs
- Consent is not acquired by default, e.g. pre-ticked boxes
- Keep a record of how consent is obtained and managed
- Give consumers the chance to opt-out of profiling
- Name the third party companies that data will be shared with
- Make it easy to withdraw consent at any point
...and much more! But we're happy to help if you have any questions!