There are around 200 days and counting until the GDPR comes into force on 25th May 2018. It’s a hot topic and is currently exercising the minds and resourcing of IT and compliance teams throughout the UK. There’s no doubt the new regulations are creating a lot of work to ensure full compliance is achieved and some nasty looking fines avoided. For some companies, GDPR will be relatively straightforward as their data management practices are already of the highest standards. For other companies, particularly smaller businesses, GDPR is a potential minefield, as it applies to B2B as well as B2C customer data.
There’s plenty of help available, with numerous software vendors promoting GDPR compliance systems, dashboards and related monitoring technology. Many of the law firms have set up GDPR teams to advise on compliance, and one such firm recently sent me a GDPR Action Plan. Their lead proposition was ‘Do you comply with the law now?’ and the scare tactic highlighted the fines of up to 20 million Euros, or 4% of global annual turnover.
Why GDPR is much more than a compliance exercise
The Chartered Institute of Marketing’s consumer survey in 2016 showed 57% of respondents do not trust an organisation to use their data responsibly. More recent research from SAS suggests that 33% of consumers plan to delete their data from retailers and a similar number plan to remove consent for ongoing marketing. So, is focussing on just the compliance issues of GDPR potentially missing the opportunity to address this more fundamental challenge: why should a customer give consent to your brand for their data to be processed for other than the purpose of their interaction? Much of this will come down to trust and transparency. GDPR compliance will help to build trust and this will need to be communicated through words and actions. Greater trust will also be engendered through the interplay of wider features of the brand including:
• the current brand perception
• the brand proposition
• the customer journey
• the customer experience
The pull of the broader offering will also play a crucial part. It’s probably easier to get a user to sign up for ongoing marketing to receive attractive discounted holidays than, say, to receive a newsletter on insurance-related matters. The consideration of these other factors should be reviewed as part of getting ready for GDPR, and the outcome should give brands an opportunity to iron out imperfections which might engender a lack of trust and transparency, as well as create improved consumer interest in the proposition. Within this analysis there is a need to discover the best way to ask for all the customer data usage consents the business requires. How should that be positioned in the customer journey? How does that differ for prospects vs existing customers? How does this dovetail into the GDPR compliance processes which need to be built?
New privacy notices to improve communication
A lot more store will be placed on the new Privacy Notice. Unlike current data privacy notices [who reads them?], the new ones will need to be read in a more granular fashion and as such must:
• be displayed clearly and prominently;
• ask individuals to positively opt-in;
• give them sufficient information to make a choice;
• explain the different ways you will use their information, if you have more than one purpose;
• provide a clear and simple way for them to indicate they agree to different types of processing; and
• include a separate unticked opt-in box for direct marketing.
One of the decisions brands will need to consider is just how granular their Privacy Notices will be. Having recently reviewed some best practice examples, it’s interesting to see that some brands are going for individual consent as to method of contact, with a catch-all opt-in for consent to contact for a variety of purposes, whilst other brands are breaking down the reasons for contact in a way that customers can pick and choose. The risk of not asking for specific-purpose consent is that some customers may not give consent at all, because of one particular area of data use they are not happy with. Apart from the content of your Privacy Notice, there is a lot to think about in terms of the UI and UX to make the whole process user-friendly.
Taking a customer perspective of GDPR
For brands that consider the broader view of GDPR, our starting point is a customer experience audit, which maps all the key touchpoints throughout the customer relationship. Our analysis covers a lot of ground, including ways to use technology to improve the experience, reduce costs and create more differentiation. With GDPR in scope, we also consider all the data processing points, their purpose and the resulting customer benefits. It’s only by considering this from the customer’s perspective that we can begin to define pertinent reasons why a customer should give consent for processing their data.
Open banking – another data driven opportunity or threat?
The banking sector is also undergoing significant developments in 2018 with the advent of open banking. This will allow customers to give permission for their banks to share their data with a third party. It’s envisaged that third party data aggregators will provide ‘super banking’ services by facilitating a customer being able to access all their banking relationships in one place. Some of the bigger players, such as HSBC, RBS and Nationwide, have just started to show their hands with the announcement of aggregation services. We’ll have to wait to see how the others respond.
The rise of consolidation services in banking is similar to the situation which arose for example in the fund management market. As fund supermarkets, wraps and platforms developed, they have effectively disintermediated the fund groups and now control most of the flows in the retail space. With power comes the ability to squeeze the margins of the suppliers [price comparison websites are another obvious example] and just as importantly, the ability to control the customer relationship.
So, a key part of the marketing challenge surrounding GDPR is to grab the opportunity to refine and improve the core proposition. This is to make it more meaningful, relevant and compelling to customers and encourage them to see the benefits of giving consent for wider data processing and deeper engagement in your brand. There’s a commercial threat that, if consent is withdrawn, the ongoing value of the customer will inevitably be diminished. The proposition audit we carry out is designed to identify the opportunities to strengthen the brand purpose, better understand key customer needs and create more powerful ways to meet them. It’s not too late for businesses to extend the scope of their GDPR projects to embrace this thinking. Let’s see who does.