By Ken Magill
Marketers are understandably concerned about the ramifications the EU’s General Data Protection Regulation will have on their permission practices. But those who are most concerned about GDPR may be taking the wrong approach to it.
GDPR requires marketers doing business in Europe to get consent to process personally identifiable information from would-be email marketing recipients in clear language that lays out exactly how the information will be used.
It requires the ability to prove consent was obtained. It gives people the right to obtain any information held on them, the right to opt out and the right to have their information erased. It also requires notifications of data breaches within 72 hours.
Marketers are understandably scrambling to make sure their programs comply with GDPR.
But many marketers trying to figure out what they can and cannot do under GDPR are thinking about the issue upside down, according to at least one expert.
They’re thinking about what the regulation will and will not allow them to do and how they may have to change their methods. What they should be thinking about is what they want to do and how to make sure they can do it legally, according to Dela Quist, chief executive of email marketing agency Alchemy Worx.
Rather than limiting email-marketing contact strategies based on perceived restrictions, marketers should first consider what they want their contact strategy to be based on their business model and customers’ lifecycle, and then figure out how to implement that strategy under GDPR—which essentially boils down to explaining that strategy clearly to would-be recipients so they know what they’re opting into when they take the action required to give permission.
It’s the difference between looking at the legislation from the top—or preferred contact strategy—down rather than the bottom—or what GDPR theoretically restricts—up, according to Quist.
“If you go from the bottom up you’re going to say, ‘Oh, you can’t do this and you can’t do that,’” he said. “But if you say: ‘What do I want to do?’ and define that and document that definition and make it part of your process, then you can do pretty much whatever you want.”
According to Quist, the idea of looking at GDPR from the top down was first articulated by Steve Henderson, compliance officer at Communicator.
A crucial element of this top-down view of GDPR is accurately attributing email’s effects on sales. For example, if a merchant knows email drives sales beyond those attributable to messages that are opened and clicked—it does—the merchant should work that fact into its explanation of its data processing to would-be email recipients.
Also, different customer lifecycles will naturally require different contact strategies. The top-down view of GDPR simply requires mapping out that strategy and explaining it clearly.
For example, Quist said: “If you’re a motor company or a mortgage company where the sales cycle is five to 10 years, you can’t have the same rules of engagement as Amazon. [EU] legislators have wisely stayed away from trying to craft a piece of legislation that covers everything specifically in writing.”
As a result, organizations with long sales cycles should explain to people who opt into their email programs that because of the length of their average sales cycle, they will continue to send messages even after long periods of inactivity.
Taking a top-down view of GDPR reveals it isn’t nearly as onerous as it appears at first glance, according to Quist.
“If you tell someone what you’re going to do and they sign up, and you’re transparent and able to show them [regulators] you obeyed the rules that you set up for yourself, then you’re good,” he said.