What you should ask your marketing agency about GDPR

On the 25th May new data protection and privacy laws came into effect for all individuals living in the EU, but these laws have far-reaching implications around the globe.

The legal framework, known as the General Data Protection Regulation (GDPR), came after a four-year long preparation and debate, with the intent to give people more control over their personal data and ensure that all businesses operate on a level playing field[1].

There are hefty fines for companies that don’t comply, and although the laws were written for the EU, they’re still relevant for Australian businesses who offer goods or services in the EU, or have customers that fall under EU law (even if they’re living in Australia). Businesses who ignore these laws can face a fine of up to 20 million, or 4% of their worldwide annual turnover[2].

If you use a marketing agency or marketing automation platform to maintain and process customer data, you may want to review your current practices.

Here are five things you should ask your agency to make sure you’re in the clear:

1. What do our privacy policies look like?

Businesses often write their privacy policies in lengthy and complicated language, and publish them at the bottom of websites or in inconspicuous places. From now on, the GDPR insists that companies write their privacy policies in clear, straightforward language, and it may be something you want to think about too.

2. How do we ask our customers for their consent?

Hiding a request to use a customer’s details for marketing communication or statistical reporting is not an uncommon business practice. Sure, you may have included it in the terms and conditions, but who actually reads those longwinded legal documents? Silence doesn’t mean consent, and under the GDPR a user will need to give affirmative consent before their data can be used by any business.

3. Are we transparent about the purposes of data collection?

Up until now, businesses in Europe have been able to transfer data to other entities without any issues, as well as process data for purposes other than what was originally disclosed to the customer at the time of collection. With the GDPR now in effect, businesses in the EU are required to clearly inform the user about any transfers, and clearly define the purpose for data collection and processing.

4. Do we use algorithms to make decisions about our customers?

If so, then pay close attention. Prior to the GDPR, it hasn’t been necessary for businesses to disclose that they use algorithms based on personal data. Often customers have no idea that businesses are determining outcomes for their lives just with algorithms (think about when you ask for an insurance quote or apply for a loan and may be turned down because of non-contextual decisions made by algorithms, for example). Now EU businesses have to inform all users whether they use automated processes or not, and give them the option to contest it.  

5. What’s our process when customers ask for a copy of the personal data we have stored, or want to delete their records with us?

Often businesses do not let customers take their personal data and move it to a competitor, and it can be difficult for customers to ensure their data is completely erased. From now on, customers have more rights when it comes to personal information. Businesses have to let customers move their data to competitors and be prepared to erase that data entirely. Those customers may come back someday, but will need to be treated like new customers entirely.

Though these questions will get you thinking in the right direction, we haven’t covered all of the GDPR requirements and suggest you do some more research if you’re unsure of your legal obligations.

Overall the introduction of GDPR has established a global standard for companies operating in the digital age, and shone light on the importance of honesty and integrity between businesses and customers. Personal privacy is now the highest priority.

In Australia, a common misconception that has emerged is that adherence to Australian Privacy Principles will also cover GDPR compliance.  This is not the case.   There is certainly overlap in parts between the two frameworks, but there are areas where GDPR compliance is clearly more stringent.

If you need guidance implementing a marketing automation platform that complies with these laws and helps you manage your customer information more effectively, don’t hesitate to contact us today.

[1] https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

[2] https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf