How will GDPR impact the banking and finance sector?

GDPR is a hot topic in the news at the moment. Scaremongering is rife because the penalties for non-compliance are huge, with fines of up to €4 million or 4% of global annual turnover being potential risks.

Caroline Kimber

GDPR becomes law in May 2018, and given the importance of the legislation and the magnitude of the fines, most large organisations have GDPR task forces in place reviewing information security and data process flows and establishing rules for data governance best practice.

Whilst IT and data management processes are a key element of GDPR compliance, it’s vital that CMOs actively engage in GDPR too. If your organisation’s GDPR initiative is led by IT, rather than Marketing, then the emphasis will be on managing risk and establishing watertight processes, rather than creating a database of engaged, opted-in consumers to fuel CRM activity.

So here are the five core elements of GDPR that CMOs must focus on:

Consent statements

Under GDPR, consumers must now opt in to receive marketing communications. Pre-ticked boxes are not acceptable; there must be clear affirmative action. So getting the wording right on your consent statement is key to maximising the volume of consumer sign-ups. If consumers can’t see the benefit of signing up because the consent statement is full of legalese, or scares them into thinking that their personal data will be shared with all and sundry, then they just won’t opt in. And if they don’t opt in, you will lose the opportunity to speak to them and further engage them in your products and services.

Advertising and CRM communications are crafted by experienced copywriters. Different messages are tested to see what generates the optimum response across different channels. Consent statements need to be approached in the same way. Test, refine and test again until you’re confident that your sign-ups are being maximised.

In the banking and finance sector, it’s also crucial to involve staff who are on the front-line of dealing with customers, for example branch staff, call centre operatives and IFAs. They need to be engaged in the process of obtaining consent and understand the importance of gaining it along with the penalties for not doing so.

Breadth of Data 

One of the principles of GDPR is data minimisation, which means that organisations shouldn’t hold more personal data than is needed. Again, it is critical that the marketing team inputs into this process. IT departments are likely to take a very literal view of data variables, only looking at the minimum amount needed to service a particular product. For example, for a simple savings product with no fixed-term tie-in, one might argue that the only variables needed are the customer’s contact details, their balance, and the interest rate of their account. However, to a marketer, other variables may be key in helping determine different products or services that could be offered (for example, a special rate on a child’s savings account could be offered to customers that are also parents).

Historical data

Another key principle of GDPR is that data shouldn’t be held for “longer than is necessary”. CMOs need to work with their data and IT counterparts to define an acceptable timeline and an archiving and research process that fully supports business forecasting and marketing planning needs.

Profiling 

For marketers, profiling is a crucial tool in the armoury, facilitating more relevant and targeted communications, better market segmentation and a more accurate way of aligning products and services to customer demand. The use of personal data in profiling is a new condition under Article 4 of GDPR. Profiling isn’t banned under GDPR, but there are certain conditions that need to be met to enable it.

Transparency is key to ensuring that consumers are aware of how their data is being used. They need to have the right to object to their data being used for profiling, and the process of objection needs to be easy. This information should be clearly set out in the privacy policy.

Any algorithms used for profiling need to be fair and unbiased. Finally, it is important that profiling doesn’t “significantly affect” the consumer in a negative way. For financial services organisations, this is a difficult issue, as profiling could be used to determine, say, a more favourable interest rate being given to one consumer over another.

This is a complex area. You’ll need to work closely with credit reference agencies, media agencies and internal data science and legal teams to ensure that any profiling undertaken meets GDPR standards.

Database usage by IFAs, branches or other intermediaries 

In the banking and finance sector, personal data is often processed or utilised by organisations that the consumer would not necessarily associate with your organisation. This could be an insurance company that underwrites one of your products, a branch with a different brand name or a credit referencing organisation that assesses creditworthiness. Once again, transparency is key here. The consumer needs to know the organisations with whom their personal data will be shared, so this information should be clearly set out in the privacy policy. If data is sold on to third parties, then additional opt-in consent must be obtained and the third party(ies) clearly named.

In summary, GDPR is much more than an IT and data compliance issue. CMOs need to be on the front foot with GDPR, championing the data that is needed to drive successful marketing programmes and ensuring that there is a sustainable customer database for CRM.
