Wednesday 05 July 2017
General Data Protection Regulation (GDPR) – everything you ever wanted to ask. A broad remit for panellists Michael Warren, Director at Stanton Allen, and Simon Morrissey, Partner at Lewis Silkin, for this month’s PM Forum Event.
As the 324-day countdown began, Irene Redman from The Chartered Institute of Taxation chaired this session, which focussed on discussion around pre-prepared questions raised by the PM Forum public. In response, Michael and Simon provided some thoughtful insights into compliance best practices, as GDPR advances towards the horizon.
Question 1 - If someone is a client of ours already in what circumstances do we need to renew our existing consent? Are we allowed to send them information relating to the services we provide for them even if those materials are considered to be marketing materials?
“It depends” was the opening statement to the session. To elaborate further on this classic response, two points were raised:
Review of existing record of consent. Most people would not be able to track a record of initial consent for any given client, but that would be the first call, to check the record and see the existing permissions for that client.
Absence of any record. Where there is no record, GDPR actually offers a great opportunity to empower marketers to better understand their clients (through contact to obtain consent). GDPR is about compliance, but it also provides marketers with an opportunity to check their strategy around data collection and processes.
Question 2 - A partner meets someone at a conference and they gave them their business card, can I market to that individual?
The resounding thoughts here were that common sense prevails. Where a business card has been provided by an individual, there is a sort of unwritten understanding that contact will be made with the individual (otherwise, why exchange business cards?). Asking for explicit consent when a business card is exchanged could be a bit awkward, but it is reasonable to assume that there is an expectation of being contacted, when a person’s contact details (through the business card) have been provided.
However, this is not a trigger that opens a floodgate for marketing material to be sent to the contact. Best practice would be to use this as an opportunity for a further introduction touch point to establish what information the client would like to receive.
Discussion then focussed on strategy around data collection, with the emphasis on adopting a granular approach as we move away from the binary approach of all on or all off. A granular approach will give any individual the opportunity to choose specific preferences for receiving marketing material (type, frequency, channels etc.). There are of course rules that apply for engagement with this approach. Implementation of a sophisticated preference management system comes with a practical note of caution, and processes must be in place to be able to deliver on the consent preferences specified by the individual. Additionally, the strategy around data collection should not be viewed as purely a role for marketing and business development. Everyone in the organisation has a role to play in managing consent, and this presents an opportunity for a clear company-wide strategy vis-a-vis engagement for management of clients.
Question 3 - What changes will I need to make to my data capture scripts and privacy statements on our website?
Insight here was that whilst there are exceptions, there will need to be consent to receive marketing material, and discussion reverted back to the binary versus granular question. Any existing consent is most likely to be of a binary approach, with no mention of data capture frequency or channels. Adopting a strategy for granular preferences will take away the problem of swamping people with marketing information, although again, processes must be in place to be able to deliver on these preferences with regards to consent to receive marketing material.
With regards to privacy statements, there is clearly an increase in the transparency of existing rights.
The Information Commissioner’s Office (ICO) provides good guidelines and information on the subject.
The key difference between GDPR and DPA is the opportunity this presents for marketers. GDPR is more prescriptive and does not focus purely on the outcomes but focuses on the processes of data. Outlining the actions to activate outcomes has the advantage of effectively providing a checklist of key steps for data capture.
Question 4 - If someone has previously unsubscribed from receiving all of our marketing communications but then accepts an invitation to an event, what's your advice on how we should contact them?
Be practical! When contacting the individual, make reference to the fact that you understand their previous preference to unsubscribe from all marketing material. However, in terms of practicality, as they have accepted the invite, you need to use their contact details to contact them with information specifically related to the event.
However, it is important to note that this must only be used for communication relating to the event and should not be used as an opportunity to ask the individual about their subscription preferences for marketing material. In this instance, best practice for reactivating a client on your marketing database would be at the event, for example through a sign-up form included in the delegation pack, but this should not be pushed. Michael made reference to a specific, well timed, best practice opportunity where following registration at an event and waiting for the session to start, he received an email which gently prompted him to manage his preferences. This was a well-timed opportunity for preference management.
Question 5 - What information are we required to hold when it comes to tracking whether someone has given their consent or not?
Three words: Who? What? When?
All of this information needs to be recorded on CRM. Firms should look at their current legacy platforms and whether they already have facilities to do this, or whether they need to develop a facility that is capable of accurately recording this key data.
Regarding CRM segmentation, an option is to either segment CRM by territory or adopt a global approach. A note regarding international norms - some international data legislation benchmarks are much higher than GDPR, for example, Canadian Anti-Spam Legislation. Your strategy should be high enough to comply with international guidelines. Simon went on to highlight that plug-in solutions are a good way to manage consent, but it appeared that US models seemed to be ahead of European models in terms of responding to European tracking requirements.
On timeframes for tracking, general guidelines are that data really should have been used within 1 year (as a benchmark), but the ICO provides legal guidelines. Michael also raised the question that if you have a client’s data, but the client has not been contacted through any touch points for 12 months, what is the purpose of having the data? Statistics generally indicate that 80% of communication goes to 20% of a CRM database. His advice on this was ‘use it or get rid of it’.
The crux is that you need to be able to demonstrate you have people’s consent and clients will need to be contacted regarding their preferences before May 2018, so that this information (consent) is documented.
Question 6 - What is your advice in terms of how we should approach partners who have contacts in their Outlook that they have not shared with the firm's CRM? What are their obligations?
This depends on the reasons for the partner having those contacts. For example, if the contact data is being used specifically to communicate with an individual regarding the delivery and performance of services (that the individual has purchased from the firm), then no consent is required. You are effectively contracted by the individual to contact them for delivery of services. The contact information is being retained for the processing of data, and has a different purpose to marketing.
However, this contact information cannot then be used for marketing without the individual’s consent. Again here, specific consent would be required. The ICO offers guidelines on this distinction.
At this point, a question was raised from the audience regarding thought leadership and whether contact on this requires consent. The same analogy was applied in that if the data (in this case, thought leadership data) was being used to deliver services that the client has purchased, no consent is required.
Question 7 - If someone asks to be deleted from our system are there any circumstances when we can keep this data for the purposes of future suppression or do we have to delete them?
The irony here is that when an individual has requested that their details be deleted from a CRM system, this request actually needs to be recorded on the system (to be able to manage their preferences). So effectively, you will still have data on this individual, as you are keeping a record of their preferences (although the person will not be contacted, in accordance with their preferences).
Some Best Practice thoughts to avoid misleading statements around third parties were also shared with the audience. Simon advised that it is misleading to state that you will not share information with third parties. Marketers do pass information onto third parties – think cloud providers, posting providers etc. In this instance, the statement should be refined to provide a more accurate depiction, for example - you will not sell information onto third parties.
The session provided considerable insight, and whilst more questions will undoubtedly be raised as we get closer to May 28th 2018, some key summary thoughts to take from this session were:
Business Development Manager
Lubbock Fine Chartered Accountants