GDPR Compliance: Data Maintenance
- Many marketing functions are choosing “consent” as their preferred lawful basis for processing personal data under General Data Protection Regulation (GDPR)
- Companies must adopt steps that allow data stewards to consistently evaluate the current state of the marketing contact database for compliance
- In preparation for when GDPR is enforced on May 25, activating compliance initiatives to drive consent capture is becoming the norm
Over time, the requirement to capture and maintain consent will be as common in program and campaign thinking as wearing a seat belt in a car is today. In my previous blog post, “GDPR Compliance Client Snapshot: Data Intake,” I discussed what I am witnessing as clients improve their data intake practices. In this blog post, I review how organizations are transforming their existing marketing databases from a collection of data records to a source of compliant and valuable contacts with which to drive better marketing activity. Many companies are electing to run controlled compliance initiatives that have the sole objective of obtaining compliant GDPR consent.
To help ensure that marketing contact database information is compliant and useful, companies must adopt steps that allow data stewards and marketing program managers to consistently evaluate the current state of the marketing contact database for compliance and if the contacts can be included in marketing programs.
Contact Data Readiness: Prioritization
To convince anyone of the value of providing “permission to engage,” a selling company must deliver a high level of relevant and personalized outreach. Focus and relevance of message is key to driving a positive acceptance of a call to action within a compliance initiative. This can only be achieved by understanding the current state of the database, which allows for relevant and targeted tactics to be deployed.
SiriusDecisions recommends analyzing contact engagement history as well as record profile completeness. Engagement relates to the length of time since a contact last interacted with the selling organization (e.g. 12 months, 24 months, 36 months) and profile completeness. Profile completeness refers to the degree to which an individual contact record can be utilized to fulfill marketing activities to the appropriate segments and personas.
Current State Contact “Value” Audit
Clarity as to the relative “value” to the selling organization of each contact record will help avoid a dramatic loss of permissible outreach once GDPR becomes enforceable. Always ensure that contact records with a high level of profile completeness and current engagement are either compliant or are reviewed for compliance initiative inclusion as a priority (top right of chart). Within the confines of budget and staffing resource, determine a feasible compliance initiative cadence that matches the perceived need to use contacts that fall in other portions of the chart. From a regulatory risk, financial saving and good data governance perspective, contacts that fall in the bottom left of the chart should be considered for removal from the marketing database and eventually, complete disposal.
Planning and Executing a Controlled Compliance Initiative
The next steps will vary from organization to organization (and jurisdiction to jurisdiction). For example, one organization’s legal council may determine that if there is no lawful basis for processing data, the contact record must be deleted immediately from the database. Another organization’s legal council may allow a single outbound email to the existing contact because of legitimate interest to drive a request for consent. From my experience, the latter is by far the most common. Please note that all current unsubscribe requests must continue to be honored.
Whenever planning a controlled compliance initiative, reasonable and measurable objectives must be defined. For example, set a goal for the number of opt-ins gathered by persona and industry segment. Understand what is required to make the initiative a success, including the identification of tactical goals, milestones and any obstacles. Data capture channels (e.g. Web forms, physical and electronic event contact capture mechanisms) should be assessed for consistency and approved legal consent wording. Moreover, offer clear guidelines to execution teams for how to legally engage these contacts.
Understanding the personas, regional nuances, behavior and intent will be key to selecting the most appropriate offer and delivery mechanism. Companies may find that owing to the overly personal nature of the outreach, content for this initiative should be translated to local languages. We have seen that companies have experienced the most success with compliance initiatives when deploying a coordinated set of tactics (e.g. compliance requesting emails, retargeting ads, in-person events, teleservices outreach) with the integral use of a preference center. Harness the full extent of the sales, marketing and tele-services teams to drive compliance via the coordination of tactics and the use of the unique delivery channels that each offer.
Personal data privacy legislation is here to stay. Ultimately, it will herald a change in the DNA of an organization’s attitude to data governance and its relationship with the market. At an execution level, without a viable pool of appropriate contacts with permission to engage, a program strategy will flounder and fail to reach its objectives. As contact permission is a necessary prerequisite for compliance and marketing program success, marketing teams should make compliance initiatives a required component of all programs.