How GDPR Affects Your Marketing Strategy

General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018.  It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.
 
The GDPR will apply to anyone doing business in the EU that handles personal data, it doesn’t matter whether you’re based in the EU or not. One area of interest has been GDPR for marketers and a team of GDPR Advisory Board experts took time to provide straightforward advice and help for those with queries about this new EU legislation.
 
The following questions were answered by CIM (Chartered Institute of Marketing) which has worked in association with MeLearning to launch a tailored GDPR online course for marketers, GDPR for the Marketer.
 
Q: How will GDPR affect all different types of marketing for the retail sector, such as email marketing, loyalty schemes, and databases?
CIM: As a retailer, B2B as well as B2C marketing will be affected under GDPR. If you’re selling into the E.U. then, from May 25, 2018, the way you approach contacts need to be in a GDPR compliant way. 
 
Recently we’ve worked with the Chartered Institute of Marketing who worked with us to create tailored training specifically for the marketer. CIM has provided useful insights into GDPR for the retailer.
 
GDPR has an impact on a wide range of marketing activities including how data is used, how customers are contacted, and how data is held, which in turn affects email marketing, loyalty schemes, and general marketing activities. 
 
With potential fines for non-compliance amounting to nearly $25 million (€20 million) or 4 percent of a business’s global annual turnover, GDPR needs to be taken seriously and embraced by all organisations quickly and with diligence.  It’s not all doom and gloom, marketers in particular should see the positive side of the new legislation which provides a once-in-a-generation opportunity to wipe the slate clean and radically overhaul the way customer data is collected and used.
 
Q: When should marketers start to embrace GDPR?
CIM: Now is the ideal time for marketers to persuade their organisation’s financial team to invest in new data analytics tools, perhaps even those with predictive analysis and artificial intelligence (AI).  By populating these tools with only the most important, useful, and legally compliant data, organisations will be able to operate in a far smarter manner, securing higher response rates for email marketing and driving closer relationships with customers in loyalty schemes.
 
Data rationalisation should mean an end to customers getting multiple email mailshots because they appear more than once on a database (or are duplicated across legacy databases). Furthermore, having a single, consolidated view of the customer should also facilitate more informed responses when that customer engages with a call center or other service point.
 
Q: How do I get consent from my customers under GDPR?
CIM: It’s worth remembering when looking to deploy an email marketing campaign that after May businesses will no longer be able to include a pre-ticked box, which the customer must untick in order to opt out of consent. Instead, the customer must actively choose to opt in, giving their consent freely and of their own accord, without coercion, undue incentives or penalties. As such, gaining this GDPR-compliant consent should be among your organisation’s top priorities in the run-up to the legislation’s launch.
 
The following question was answered by Piers Clayden, founder of Clayden Law and member of the GDPR Advisory Board.
 
Q: Do you expect most businesses in retail to be compliant in time for implementation or is there going to be a problem? 
Clayden: Because of the lack of clarity in some of the drafting of the GDPR, and the slow release by the regulators of any useful guidance, it is going to be very difficult for businesses of any great complexity to say they are 100 percent GDPR compliant by May 25, 2018. But it is important they nevertheless try to move towards compliance as quickly as possible, we suggest taking a risk-based approach and prioritising those areas where the business faces the greatest exposure or liability.
 
Q: What are potential pitfalls the retail sector should be aware of?
Clayden: These are the top five things to get right under GDPR:
 
1. Demonstrating they are taking data protection seriously, up-to-date policies, record keeping, and staff training are all important elements of this.
2. Ensuring the public-facing information notice reflects the reality of how the business actually does use and treat personal data behind the scenes.
3. Ensuring the business has proper organisational and technical measures and policies in place to keep personal data safe and secure, having a robust information security policy which is actually adhered to throughout the business is part of this.
4. Making sure that if the business were to suffer a security breach (i.e. in short where personal data was accessed outside of the organisation without authorisation) you would be able report this to the regulator (the information commissioner’s office) within 72 hours of becoming aware of this breach.
5. Making sure that, where personal data is processed on your behalf by an external organisation, you have contracts in place that meet the requirements of the GDPR.
 
Failure to comply with the GDPR could expose the business to fines, claims for damages from individuals, and perhaps more damagingly, loss of reputation.
 
The following question was answered GDPR Advisory Board member Nick Richards, CEO of training provider Me Learning.
 
Q: Do all sizes of retail business need to have a Data Protection Officer? What about a single-site operation? A small coffee shop? 
Richards: Not all organisations require a data protection officer. Under the GDPR, you’re obliged to appoint a DPO if you are a public authority (unless you are a court acting in a judicial capacity), if you carry out large-scale systematic monitoring of individuals or the processing of special categories of data, or you use data which relates directly to criminal convictions and offences.
 
The DPO’s job is to (independently) oversee GDPR compliance and advise staff who deal with personal data. They should have expert knowledge of data protection law and practices. It is crucial your data protection officer has no conflict of interests; so the DPO should not also be a controller of processing activities (for example, your head of HR). 
 
They should also not be on a short- or fixed-term contract and should not report to a direct superior or line manager (i.e. they should be senior enough to report to top-tier management). If you’re a small coffee shop you will need to comply with GDPR but you won’t need a DPO.
 
About Me Learning
Me Learning has worked in partnership with legal experts at Clayden Law to develop a comprehensive suite of GDPR e-learning courses which help to clarify exactly what organisations need to do in order to be GDPR compliant. To find our more visit www.melearning.co.uk/gdpr
 
To contact the GDPR Advisory Board please visit www.gdpr-board.co.uk 
 
Retail Insights
 
You Might Also Read: 
 
GDPR For Dummies:
 
The GDPR Deadline Is Near & Business Is Not Ready:
 
« Nation State Hacking Is On Trend In 2018
Cyber Attackers Will Soon Kill Somebody »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Cyber Senate

Cyber Senate

Cyber Senate is dedicated to bringing Operators of Essential Services together with global subject matter experts to address the challenges of evolving cyber threats to critical infrastructure.

Datacom Systems

Datacom Systems

Datacom Systems is a leading manufacturer of network visibility solutions.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

Sikur

Sikur

Sikur have developed a communication platform that sets new boundaries for corporate privacy and security.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

Secure Soft

Secure Soft

Secure Soft are experts in Computer and Information Security with a presence in Peru, Colombia and Ecuador.

RUSCADASEC

RUSCADASEC

RUSCADASEC is an independent non-profit initiative on developing the open Russian-speaking international community of industrial cyber security/ICS/SCADA cyber security professionals.

MalwareFox

MalwareFox

MalwareFox is an advanced, yet simple-to-use anti-malware solution for Windows computers. We provide aggressive detection capabilities and an effective malware removal tool to keep your systems safe.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

Davinsi Labs

Davinsi Labs

Davinsi Labs helps companies achieve Digital Service Excellence with specialized Security Intelligence and Service Intelligence solutions.

Zama

Zama

Zama - pioneering homomorphic encryption. We believe people shouldn't care about privacy. Not because it doesn't matter, but because it shouldn't be an issue!

OneZero Solutions

OneZero Solutions

OneZero specialize in cybersecurity operations, information assurance, computer network operations, solutions engineering, and project management.

We Hack Purple

We Hack Purple

We Hack Purple is a Canadian company dedicated to helping anyone and everyone create secure software.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.