How GDPR Affects Your Marketing Strategy

General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data protection and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and to create a single data protection regime that businesses and consumers can rely on.
 
The GDPR will apply to anyone doing business in the EU who handles personal data, whether or not they are based in the EU. One area of interest has been GDPR for marketers, and a team of GDPR Advisory Board experts took time to provide straightforward advice and help for those with queries about this new EU legislation.
 
The following questions were answered by CIM (the Chartered Institute of Marketing), which has worked in association with Me Learning to launch a tailored GDPR online course for marketers, GDPR for the Marketer.
 
Q: How will GDPR affect all different types of marketing for the retail sector, such as email marketing, loyalty schemes, and databases?
CIM: As a retailer, B2B as well as B2C marketing will be affected under GDPR. If you’re selling into the E.U. then, from May 25, 2018, the way you approach contacts needs to be GDPR compliant.
 
Recently we’ve worked with the Chartered Institute of Marketing who worked with us to create tailored training specifically for the marketer. CIM has provided useful insights into GDPR for the retailer.
 
GDPR has an impact on a wide range of marketing activities including how data is used, how customers are contacted, and how data is held, which in turn affects email marketing, loyalty schemes, and general marketing activities. 
 
With potential fines for non-compliance amounting to nearly $25 million (€20 million) or 4 percent of a business’s global annual turnover, GDPR needs to be taken seriously and embraced by all organisations quickly and with diligence. It’s not all doom and gloom: marketers in particular should see the positive side of the new legislation, which provides a once-in-a-generation opportunity to wipe the slate clean and radically overhaul the way customer data is collected and used.
 
Q: When should marketers start to embrace GDPR?
CIM: Now is the ideal time for marketers to persuade their organisation’s financial team to invest in new data analytics tools, perhaps even those with predictive analysis and artificial intelligence (AI). By populating these tools with only the most important, useful, and legally compliant data, organisations will be able to operate in a far smarter manner, securing higher response rates for email marketing and driving closer relationships with customers in loyalty schemes.
 
Data rationalisation should mean an end to customers getting multiple email mailshots because they appear more than once on a database (or are duplicated across legacy databases). Furthermore, having a single, consolidated view of the customer should also facilitate more informed responses when that customer engages with a call center or other service point.
 
Q: How do I get consent from my customers under GDPR?
CIM: It’s worth remembering when looking to deploy an email marketing campaign that after May businesses will no longer be able to include a pre-ticked box, which the customer must untick in order to opt out of consent. Instead, the customer must actively choose to opt in, giving their consent freely and of their own accord, without coercion, undue incentives or penalties. As such, gaining this GDPR-compliant consent should be among your organisation’s top priorities in the run-up to the legislation’s launch.
 
The following question was answered by Piers Clayden, founder of Clayden Law and member of the GDPR Advisory Board.
 
Q: Do you expect most businesses in retail to be compliant in time for implementation or is there going to be a problem? 
Clayden: Because of the lack of clarity in some of the drafting of the GDPR, and the slow release by the regulators of any useful guidance, it is going to be very difficult for businesses of any great complexity to say they are 100 percent GDPR compliant by May 25, 2018. But it is important they nevertheless try to move towards compliance as quickly as possible; we suggest taking a risk-based approach and prioritising those areas where the business faces the greatest exposure or liability.
 
Q: What are potential pitfalls the retail sector should be aware of?
Clayden: These are the top five things to get right under GDPR:
 
1. Demonstrating they are taking data protection seriously; up-to-date policies, record keeping, and staff training are all important elements of this.
2. Ensuring the public-facing information notice reflects the reality of how the business actually uses and treats personal data behind the scenes.
3. Ensuring the business has proper organisational and technical measures and policies in place to keep personal data safe and secure; having a robust information security policy which is actually adhered to throughout the business is part of this.
4. Making sure that if the business were to suffer a security breach (i.e. in short, where personal data was accessed outside of the organisation without authorisation) you would be able to report this to the regulator (the Information Commissioner’s Office) within 72 hours of becoming aware of the breach.
5. Making sure that, where personal data is processed on your behalf by an external organisation, you have contracts in place that meet the requirements of the GDPR.
 
Failure to comply with the GDPR could expose the business to fines, claims for damages from individuals, and perhaps more damagingly, loss of reputation.
 
The following question was answered by GDPR Advisory Board member Nick Richards, CEO of training provider Me Learning.
 
Q: Do all sizes of retail business need to have a Data Protection Officer? What about a single-site operation? A small coffee shop? 
Richards: Not all organisations require a data protection officer. Under the GDPR, you’re obliged to appoint a DPO if you are a public authority (unless you are a court acting in a judicial capacity), if you carry out large-scale systematic monitoring of individuals or the processing of special categories of data, or you use data which relates directly to criminal convictions and offences.
 
The DPO’s job is to (independently) oversee GDPR compliance and advise staff who deal with personal data. They should have expert knowledge of data protection law and practices. It is crucial your data protection officer has no conflict of interests, so the DPO should not also be a controller of processing activities (for example, your head of HR).
 
They should also not be on a short- or fixed-term contract and should not report to a direct superior or line manager (i.e. they should be senior enough to report to top-tier management). If you’re a small coffee shop you will need to comply with GDPR but you won’t need a DPO.
 
About Me Learning
Me Learning has worked in partnership with legal experts at Clayden Law to develop a comprehensive suite of GDPR e-learning courses which help to clarify exactly what organisations need to do in order to be GDPR compliant. To find out more visit www.melearning.co.uk/gdpr
 
To contact the GDPR Advisory Board please visit www.gdpr-board.co.uk 
 
Retail Insights
 