With the imminent entry into force of the General Data Protection Regulations (GDPR) in a few months, a feeling of panic is gaining the attention of marketing professionals.
In many companies, the implementation of the GDPR will result in some adjustments to existing data processes and will not result in any significant organizational upheaval. For marketing professionals, the RGPD presents the unique opportunity to put their data in order and sustain the relationship of trust with consumers. For that, they will have to understand the principles underlying this new regulation to know where to start with the compliance.
In this perspective, here are the four most important aspects of RGPD that marketers need to familiarize themselves with ...
Data protection delegates facilitate the process
For any business, the first step in preparing for RGPD compliance is whether or not to appoint a Data Protection Officer (DPO). In certain circumstances, a DPO has to be appointed, primarily when a company regularly and systematically monitors large-scale data subjects, such as behavioral monitoring, which is most often handled by marketers.
Although the designation of a DPO is not mandatory, companies can call on a specific individual to advise and inform their employees about their data obligations. A DPO can monitor compliance with various data regulations, perform internal data audits, provide training and serve as a single point of contact for supervisory authorities, employees and data subjects.
The role of the DPO can be a permanent commitment or can be outsourced. This role can be assigned to an employee to the extent that its function is compatible with data protection and does not create a conflict of interest. A DPO should have a thorough knowledge of data protection laws and practices, and ideally, maintain good relations with the CNIL. It will thus be able to keep abreast of the evolution of the regulations and better apprehend the practices of application.
Centralizing data simplifies compliance.
The next step in RGPD compliance, which a designated DPO can facilitate, is to understand the flow of personal data within the organization. Marketing data is frequently collected and processed through highly fragmented processes and stored in siled departments or channels. At a minimum, marketers must understand the information they receive, their storage mode and location, and their function. Ideally, they will also take the opportunity to unify or centralize data collection and processing, as this simplifies compliance and also provides measurement, segmentation and targeting capabilities across multiple channels.
In addition to understanding their own internal data collection and processing practices, marketing professionals will also need to identify third parties who have access to this data. The complexity of the technical marketing and advertising ecosystems means that personal information is often exchanged within long chains of analytics, tracking, and advertising providers. Data controls usually require marketers to ensure that third-party service providers comply with the GDPR and to revise associated contracts to ensure that they bear their share of the responsibility for breaches.
Consent builds trust and commitment
The RGPD requires that companies have a valid legal basis for data processing, and for marketing professionals, it is often a consent. The process of asking consumers to accept the collection and processing of their data gives them a free choice and puts them in control, most of them being willing to consent if this results in an optimal experience. Demonstrating that they respect the confidentiality of personal data and store it securely allows marketers to build trust and engage consumers.
Regarding obtaining consent, the RGPD sets strict standards that must be respected. Approval requires positive acceptance and not implicit or default, which precludes the practice of pre-ticked boxes, for example. Marketers must clearly state the purpose of the data collection and processing approach and obtain separate consent in each case.
Consumers: new rights of access to data
Under the GDPR, consumers have the right to access all data held about them to identify processing activities and to verify their legality. In case of an access request, companies must send a copy of all stored information to the applicant free of charge, within one month, except in exceptional circumstances.
In addition to being able to access their data, consumers also have the right to rectify inaccurate ones, to restrict or oppose the processing of data, and to transfer their information to another company. In certain exceptional circumstances, they have the right to request the deletion of their data, the so-called "right of forgetting." By designating a DPO, simplifying data collection and processing across the enterprise, and keeping consent records, marketers will be able to process these requests quickly and efficiently, demonstrating that they deploy RGPD implementation efforts.
The RGPD is the perfect opportunity for marketers to be transparent in their data protection practices, build trust with consumers and make the most of data through cross-channel segmentation. Rather than panic over the impending date of the coming into force of the RGPD, marketers should focus on these four key points to ensure compliance and build on this new standard.
Also published on Medium.