As most marketers, if not all, should be aware by now – the GDPR is coming. And as of 25th May next year the way we collect, manage, and utilise data across the world will be updated to deliver 21st century standards of data protection. What is less clear however, is exactly what this means for individual businesses and how their marketing practices will change post-May 2018.
One of the most overlooked areas in particular, having given way to the more sensational talk of fines and organisational overhaul, is the matter of personalisation. Now whilst this is something which every marketer worth their salt has strived for these past few years, as technology and increased ROI on campaigns has driven this trend to the top of the pile, the question remains: will personalisation be an option or a requirement?
The answer which should, hopefully, spring to mind is ‘requirement’. As the pages of any marketing publication will tell you, personalisation is not only a tried and tested method of boosting engagement and sales, but is also increasingly, albeit often subconsciously, expected by consumers as the norm for marketing practice. But consider for a moment that under the new GDPR, personalisation may no longer be an option, even for the smallest business, and this suddenly impacts both marketing operations and compliance with the new legislation.
It’s not enough simply to assume a consumer is happy to be targeted with your marketing activity simply because they’ve shared information with you. From now on, brands will need to think through much more carefully why they are allowed to use consumer information for marketing. Under the GDPR, marketers will need to be able to explain to the world the legal basis on which they are acting. Normally this will be either consent or legitimate interests.
The regulator is in the process of setting a high bar to clear for consent which may well have the effect of marginalising it. The problem is if someone hasn’t consented it may mean they don’t want the marketing, or it could equally mean they simply didn’t realise they needed to consent, and therefore miss out on communications they would have preferred to receive, e.g. hearing about their favourite shops, brands, sports teams or even a better deal for a product or service they already have or use.
Marketers should therefore be looking very carefully at an alternate ground on which to perform marketing, called legitimate interests. This does not require someone to consent but the advertiser itself must ensure its legitimate direct marketing interests (clearly recognised by the GDPR) are not outweighed by any unwarranted prejudice to the rights of the consumer.
As part of this balancing test marketers should be able to demonstrate that the content, offer, or communication to a consumer is actually relevant to them. Then they will be able more easily to explain why brand interests are aligned with and not trumped by those of consumers. After all, someone who is surprised and delighted is unlikely to complain. In other words personalisation can be seen as a tool required to legitimise processing under the GDPR.
Brands will still need to be transparent about what they do with data, not use data to unfairly discriminate, and realise that some channels always require consent – e.g. email. Where the balance of legitimate interest will be a delicate one, extra privacy enhancing measures need to be put in place to tip communications in the favour of the consumer and ensure that personalisation remains front of mind.
By Alex Hazell, Head of UK Legal at Acxiom
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/