Google’s only the beginning: data compliance checklist

In response to Google’s whopping fine, Sebastian Kummel has some data compliance and consent lessons for Australian marketers.

People have a lot to say about Google’s recent AU$80 million fine for breaching the General Data Protection Regulation (GDPR) – and rightly so. It’s the first time a tech giant has received a financial penalty under the GDPR. The fine has served as a signal to all businesses – not just those in Europe – that having generic consent collection practices is no longer acceptable.

Many Australian businesses have yet to adopt best practice when it comes to data and consent collection. This leaves them exposed. The Google fine should be a wake-up call for these businesses, especially their marketing teams, who may still think of the GDPR as an abstract set of rules and guidelines for European companies.

Marketers are often the first to collect and manage personal data from consumers. Thus, it’s critical marketers understand how GDPR applies to them. In my conversations with people in the Australian industry about GDPR, however, it’s clear that many still don’t know where to begin.

Others in the industry have found themselves without optimal data collection and consent management practices in place and are unsure of the best way forward.

Where to begin?

A good place to start is understanding the intentions behind GDPR. Central to the legislation is the notion that companies don’t own consumers’ personal data; they simply borrow it. The data companies collect is on ‘loan’ from the customer, with the expectation that it will provide them with a more personalised experience to the point of purchase – and not leave them feeling exploited.

This should be front of mind for marketers when designing campaigns and executing tactics.

Collecting consent

Google was fined for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. The French data regulator that implemented the fine determined “essential information” was “disseminated across several documents.”

Consent requirements are far more stringent under the GDPR. Consent must be freely given, specific and informed. Marketers cannot hide consent for data processing within generic permission statements. Rather, they must be clear in their language about what consumers are consenting to. In return, consumers have the right to ask how, where and for what purpose their personal data is being used.

One of the most important ways for marketers to build trust with their customers and increase opt-in rates is to make clear what the contact is subscribing to, and how they can opt out again.

A simple tip: provide two unticked checkboxes for users to action as part of the registration process – one checkbox for the privacy policy and the other to receive marketing communications. One benefit of using this method is that it gives businesses the ability to communicate with subscribers immediately, resulting in a more engaged list.

Marketing to existing databases

The Google fine has led many marketers to doubt their existing data and consent collection practices. No marketer wants to hear they need to delete their database and start again. The good news is, this doesn’t have to be the case.

Before sending any marketing communication to an existing database, ensure all data is compliant. This includes checking that there are existing records that prove your business has permission to send communications to each and every customer. This needs to be clear across each channel of communication.

What does this compliance checklist look like?

  • Strengthened consent conditions: You can no longer rely on a pre-checked box to collect consent. Be mindful of how long the existing customer relationship could be considered valid and if there are appropriate records on file. Have users checked a box manually or updated their preferences when visiting a website?
  • Active versus inactive users: Not keeping an up-to-date subscriber list, clean of inactive, lapsed and unengaged subscribers, is one of the most common mistakes. You don’t have much time to get permission from unengaged subscribers, but this can be easily solved. Consider running a re-permissioning campaign to ask for further consent to grab their attention – this could be in the form of incentives, offers or upgrades.
  • Transparency: Add a prominent link to your privacy policy in all communications to ensure customers understand by whom, why and how their data is being processed. This will create greater transparency from marketers around consent.

Creating a customer-first, data-led culture

Consumers have the power to ask for access to their data and receive an electronic copy of their personal data free of charge. More critically, they have the right to be forgotten and to request that marketers delete all existing personal information.

If customer data is to be the centre of marketing, ethical practices should be carried out for its use. It’s no longer a conversation about adopting better practice but about committing to a customer-first, data-led culture. GDPR – alongside Australia’s Notifiable Data Breaches scheme – gives users more rights to protect their personal data, and businesses need to make sure their practices are compliant.

A lot of the advice around compliance for GDPR induces fear, but the regulations are a step in the right direction. They encourage marketers to be better, while putting consumers back in control of their data.

Businesses that already have mature governance and security practices are in a far better position to comply with the next wave of privacy laws. Compliance ensures businesses are able to stay ahead of the curve and gain better results from their marketing.

Sebastian Kummel is client services director at Emarsys.