The good news about GDPR - This Is The Tree · compliance – in a nutshell The headlines are clear...


The good news about GDPR

In partnership with


The good news about GDPR

Contents

1. Introduction

2. Reasons to be cheerful about GDPR: There are plenty, we promise

3. Communicating with customers about data: What’s required, what can you do, and how to make it happen

4. Policy, legal and compliance - in a nutshell: A quick primer on the rules and what they mean for you

5. The rules of re-engagement: Why you should have a re-engagement strategy in place

6. Marketing GDPR and your business: Get the word out and own your GDPR authority

7. How can we help: Ready to capitalise on GDPR? the tree and Brandsmiths are at your service


Introduction

We asked 200 marketing professionals how they felt about the GDPR regulations coming in on May 25th 2018. Not all of them were delighted, but we’re pretty optimistic, and after reading this, we hope you will be too.

While for many, GDPR compliance is a hurdle to overcome, others are looking beyond to a sunny future of high-quality data and better relationships with customers.

We saw it with digital, we saw it with social, and we’re about to see it with data, as control over personal information passes from the hands of companies and into the hands of the people who create it in the first place – the consumers. For some businesses it’s going to be disruptive, but for those ready to embrace the change, the sky’s the limit.

If you’re focusing on the upside of GDPR – or even if you’re not, but you’d like to hear about some silver linings – read on to see what you can do to not only stay compliant, but turn an unknown challenge into a brand success story.

When big changes happen, big opportunities arise.


Reasons to be cheerful about GDPR

Page 2 +44 (0) 20 3222 0077 | www.thisisthetree.com

“GDPR is giving EY the opportunity to firstly clean our current data to ensure we’re delivering the right content and marketing to the right people, it’s improving our data and segmentation strategy which will ultimately see marketing performance and ROI improve and supporting our customer experience journey.” Emma Raw, Assistant Director of Digital Marketing - Ernst & Young

60% of businesses don’t feel positive about the arrival of GDPR, but there’s a lot to look forward to. For example…

More customer experience insights

At its heart, GDPR is about trust and clear communication between individuals and organisations. It’s a power-shift that gives consumers extra rights over what happens to their data. Yes, businesses have less control. But they have more opportunity to hear more clearly what people want, and use that knowledge to improve and excel.

Being great with data is your ticket to customer happiness

Remember the rise of the online restaurant review, or the way social media transformed customer service? Those channels gave consumers a platform to call out poor-quality service or unfair practices, but they also shone a light on those who do things well and who customers trust and recommend to others.

A really good spring clean

GDPR introduces a requirement to delete data you don’t use and don’t need, and that’s got to be a good thing. Why waste money and time marketing to people who have never engaged with you? You’ve also got the imperative to correct inaccuracies, and new ways for customers to alert you to issues with their data (while saving you some legwork). Embrace the opportunity to free up space and cut down clutter with a thorough audit of all the digital information you’re currently storing. Then revel in your sparklingly clean databases ready to be topped up with high-quality data from interested and informed customers.

A pro-data culture shift in business

The GDPR changes are pretty seismic, and as a result, data protection is now everybody’s business. OK, there’s been some hype, but it means everyone in your organisation is now aware and on board with good data practices. That means less time working towards stakeholder buy-in and more time doing the work that gets real results.


Communicating with customers about data

One of the biggest shifts we’ll see in the wake of GDPR is the move from one-time consent to ongoing relationships with customers and their data. So how do you make your case, win hearts and keep the love alive?

Letting customers know what you’ll do with their data

First things first, you’ll need to let customers know what data you’ll be collecting and why. For new customers, your current privacy policy will be the starting point. You need to provide information in concise, easy to understand and clear language, and add some new information like your lawful basis for processing the data under GDPR rules and your data retention periods.

The GDPR rules require a lot more specific detail than the outgoing Data Protection Act 1998, so now is the time to get your copywriting team polishing up your policy wording and clarifying any blanket terms like ‘improve customer experience’ or ‘selected third parties’.

Consent as a long-term process

A cookie notification popup just doesn’t cut it anymore. To meet the new rules, organisations need to get a positive opt-in that is ‘freely given, informed and unambiguous’, according to the Information Commissioner’s office: ‘Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.’

Given that you’ll also need to ask permission before using existing customer data in new ways, it’s fair to say we’re not looking at a single agreement, but a dialogue. A dialogue between your business and its customers means many good things – plenty of reminders that keep you front of mind, and lots and lots of touchpoints, each one a chance to make a positive impression.

“By taking this legislation seriously and being fully GDPR compliant, one demonstrates professionalism, confidentiality and ethical behaviour. Showing that we're doing all we can to comply helps assure our candidates and partners that we take their careers and personal data seriously. In that sense, GDPR will have a really positive effect on our business, which is built on relationships.” Alice Weightman, Founder & CEO – Hanson Search


Policy, legal and compliance – in a nutshell

The headlines are clear – GDPR compliance is a top priority for anyone with a customer database. Here’s Brandsmiths’ pocket guide to avoiding mishaps.

The GDPR is a wide-ranging and detailed piece of legislation. It brings in a number of new obligations and strengthens others that are already in place under the existing regime.

The following are some of the key things you need to be aware of come 25th May.

Consent

If your legal basis for processing a data subject’s personal data is consent, then the quality of that consent will need to be higher under the GDPR. To be valid consent under the GDPR, consent needs to be specific, informed and unambiguous. It must also be given freely and in writing or by affirmative action which signifies consent (i.e. not a pre-ticked box).

A data subject has the right to withdraw consent at any time without suffering any detriment.

Due to the increased difficulty in obtaining valid consent going forward, there is likely to be a greater reliance on different legal bases for processing personal data in the future. In particular, the legitimate interests and performance of contract bases are likely to become more and more important.

You should therefore analyse your existing consents, and consider the appropriate legal bases for processing going forward.

Fines

The headline fines under the GDPR are the greater of either €20 million or 4% of global turnover. This is obviously much greater than the existing cap of £500,000.

However it is not all bad news as the ICO has already indicated that fines will be used proportionately and judiciously. The ICO will be able to utilise a wide range of sanctions as well as fines, including warnings or corrective orders.

The important thing now is to engage with the process and take your obligations seriously. Provided you can demonstrate that you have thought about, and have taken steps to ensure your compliance then the ICO is unlikely to issue crippling fines.


Rights of Data subjects

Data subjects will be given greater rights under the GDPR. For example, all personal data must be held in a manner which allows the data subject to have it transferred easily to itself or a third party. This is the so-called ‘data portability’ right.

The ‘right to be forgotten’ is also codified in the GDPR, allowing data subjects to request that their personal data be erased. This is not an absolute right, and only applies in certain circumstances, for example if you no longer need to hold it for the purposes for which you collected it, or if your legitimate interest no longer applies.

There are also rules around automated decision-making. Automated decision-making is allowable, but only if the decision is necessary to perform a contract, if it is authorised by law, or if it is based on the data subject’s consent.

Documentation

The GDPR places a greater emphasis on record-keeping. You need to keep records of your data processing activities, for example about processing purposes, data sharing and data retention.

Keeping good records will help greatly if the ICO ever come knocking. Being able to demonstrate that you have identified the data you hold and what you do with it will stand you in good stead in avoiding fines or other penalties.

Want more detail on the GDPR compliance requirements?

Get in touch with Brandsmiths.

[email protected]

+44 (0) 203 709 8957


“By placing customer data front and centre in everything we do as a business, GDPR will enrich our customer-centric approach to meeting needs, particularly in how and why we communicate with people. Cambridge Enterprise is unusual in that our clients are simultaneously our customers and our product. I expect GDPR to help reinforce the importance of these relationships and the opportunities they provide for both us and our customers.” - Christian Pratt, Head of Marketing and Communications - Cambridge Enterprise


The rules of re-engagement

Don’t throw the baby out with the bathwater - update permissions for existing customers who want to stay in touch.

Your CRM system is probably full of existing contacts who have given you consent to use their data, but not in a GDPR compliant way. Maybe they got onto your list through a passive opt-out process or by leaving a tickbox checked. If you want to use their data, or you expect to in the future, you’ll need to get in touch with them to ask their consent.

Why is re-permissioning important?

Well, apart from the need to be compliant and do things properly, you’re going to want to start your post-GDPR marketing operation with a clean slate and a base of contacts who definitely want to hear from you. It’s also an opportunity to refresh your name in their minds and demonstrate that you’re on the ball and taking data protection seriously. Attractive qualities indeed.

Despite this, almost half of the businesses we surveyed had no re-engagement plan in place for the run-up to GDPR. If you’re in the same boat as them, there’s still time, and you don’t need a super-complex strategy to do a good job.

Selecting your re-engagement contacts

Not everyone on your list should receive a re-engagement message. Some will be dormant, have moved or changed addresses, and some won’t remember giving consent for you to use their personal data in the first place. Whether you decide to re-permission somebody depends on a few factors, like:

1. How old the data is?

2. When they were last in contact with you?

3. If they made a one-off purchase or are a regular customer?

Look out for anti-spam laws

Before you go ahead with re-permissioning, make sure you’ve got proof of consent for everyone on the list. Otherwise you could be in breach of PECR (Privacy and Electronic Communications Regulation) and face fines for spamming. You might not want to go to the extremes of deleting your entire mailing list and starting from scratch a la Wetherspoons, but it’s definitely better to be safe than sorry.


Marketing GDPR and your business

Our survey found that 47% of respondents had made no effort to communicate the benefits of GDPR to their customers, and another 40% had made only some effort through one or two channels. In our book, that’s a major missed opportunity. Data best-practice is unquestionably a hot topic, so why not use the buzz to go all out on a marketing campaign about how the new rules benefit customers, and what you’re doing to embrace them?

Act fast, own the topic

If you want to be an authority in this space, speed is of the essence. Consumers are in for a barrage of emails and messages about GDPR over the next couple of months, so late-comers risk getting lost in the noise or reaching out to customers who are already burned out on the subject. To capitalise, you’ll need to commit marketing resources quickly and potentially outsource to experts who can work at speed.

Creativity and data are a great match

The rush to cover GDPR is likely to trigger a lot of ‘me-too’ content that re-hashes the same campaign, so a fresh creative approach can really help you stand out. Look beyond the obvious digital channels and widen the scope of your communications plan to fresh territories. An influencer-driven social media campaign, press and ATL advertising, and even point of sale are all worthy of consideration.

Collect data while you’re talking data collection

Why not walk the walk and produce some value-add content, such as a whitepaper or infographic, which you can gate on your website? A shiny new opt-in data capture form will demonstrate your commitment to responsible data handling.


How we can help

We have some out-of-the-box products tailor-made for businesses working towards GDPR, as well as a treeful of experts ready to help and advise.

Here are some of the helpful things we can do for you:

Audit your digital and technical communication channels, including CRM and data storage, and provide a compliance risk report

Create and deploy a campaign of re-engagement messages with a pre-defined schedule that’s effective but never intrusive

Audit your website forms to make sure they’re compliant, and set up automatic emails for double opt-in

Provide software and training for best-practice data management

Plan and manage social campaigns to get your message out and field any enquiries

Let’s do something amazing.

[email protected]

+44 (0) 203 222 007