Loyalty marketers may face intense pressure regarding their customer data when the European Union’s GDPR (General Data Protection Regulation) takes effect next year.
Companies across the globe will face more pressure to improve their data protection practices. The GDPR will force organizations to dramatically change the way they handle EU residents’ personal information. Although it’s an EU regulation, there are countless organizations worldwide that handle such data, including many in the U.S.
Loyalty360 talked to Eric V. Holtzclaw, Chief Strategist, PossibleNOW, about the importance of this topic to loyalty marketers in the U.S. PossibleNOW recently held a webinar on the subject titled “8 Best Practices for Capturing GDPR Consent.”
What is GDPR?
Holtzclaw: It’s the European Union’s new General Data Protection Regulation (GDPR). Adopted to strengthen data protection for individuals within EU countries, GDPR is designed to give people more control over their personal data, protect data from the risk of loss, and unify regulatory privacy and data requirements within the EU. Central to the regulation is a high standard for consent and fines as great as 20 million euros, or 4 percent of total worldwide annual revenue, whichever is larger.
Why should loyalty marketers be concerned about it?
Holtzclaw: Did I mention the fines? GDPR raises the bar for consent and brings stiffer penalties for violations. And it doesn’t just apply to companies inside the EU. It is applicable to any company that markets to EU residents or citizens, as well as any company with EU partners, vendors, clients, or employees. So that means many, many U.S.-based companies need to understand GDPR rules and restrictions.
For marketers, in particular, the regulation is challenging. GDPR requires that companies demonstrate lawful processing by earning explicit consent, demonstrating a legitimate interest, or relying on another lawful means for data collection. Also, all identifiable personal information, regardless of where it is used, must be protected, and proof of protection must be verified.
How critical is GDPR compliance?
Holtzclaw: It’s extremely important for two reasons. First, it allows companies to avoid litigation, costly penalties, and reputational damage. Second, it’s a great reason to accelerate customer-centric policies that companies need anyway. GDPR is simply the latest sign of a worldwide trend that has been gaining momentum for years. The future lies firmly in the hands of the customer and companies that can’t protect their privacy, respect their wishes, and personalize their interactions will lose. GDPR makes this extremely clear, even to C-suites slow to recognize it.
What are some best practices for earning consent under GDPR?
Holtzclaw: Ask for less. Structuring the ask from the customer’s perspective, at moments that matter, improves the odds of receiving permission to collect, store and use customer data at a later time.
Store customer and prospect data in one place. Only through a neutral, centralized, fully auditable system can organizations ensure compliance with GDPR and future changes in compliance.
Be careful how you use personal data. Implementing a governance structure that includes all individuals responsible for managing and using customer data for outbound communications is essential.
What should loyalty marketers anticipate once GDPR is implemented?
Holtzclaw: Lots of lawsuits. There are any number of gray areas and opportunities for conflicting interpretations that will be settled in court. For companies hoping to avoid legal fees and watch from the sidelines, conservative interpretations of the regulation are recommended.
We’ll also learn more about empowered consumers. GDPR gives EU citizens the right to be forgotten–in other words, they can tell a company to erase all data related to them. Will they do so in droves? Or largely ignore this and other new powers?
Finally, we’ll see more legislation and regulation around the world designed to protect consumers and limit companies’ ability to communicate without consent. While GDPR will be among the most robust measures of this nature for a while, it won’t last forever. Something else will come along that pushes permission requirements even further.