How to prepare your marketing organisation
The GDPR imposes new requirements on the collection and processing of personal data. This implies a new way of thinking about data with severe consequences for organisations that do not comply. As a CMO, it is important to drive a change in attitude around data that permeates the entire organisation. The General Data Protection Regulation (GDPR ) comes into force on 25 May 2018. The directive tightens up previous rules in the Personal Data Act, and in many ways also means a whole new way of looking at personal data and its use, and the relationship with former customers, leads and other contacts.As a CMO, it's important to understand what the changes mean and to start adapting your organisation to the new way of thinking now.
Privacy by default
The basic principle of "privacy by default" is about moving away from the casual collection of personal data to collecting and storing only the personal data necessary for the specific processing. This concerns the amount of data collected, how it is processed, who has access to the data and how long it is kept. Any collection, storage and processing must have a purpose. For businesses and organisations, this means moving from thinking of data as something they own, to something they borrow, for a specific purpose and for a limited time.
Broader definition of personal data
The GDPR imposes new and tougher requirements on consent. Pre-checked consent boxes are no longer allowed. Consent must be able to be given for parts of the use. And it must be as easy to withdraw consent in whole or in part as to give it.Consent must be actively given. In other words, the individual must tick a box or otherwise indicate what information they wish to receive. It must also be clear to users what they are consenting to. It must be explicitly stated what kind of information they agree to receive or what kind of use of their personal data they agree to. For example, people should be able to choose to accept cookies for login details but not for targeted advertising. The organisation also needs to document the consent and be able to demonstrate when and where the user has consented and what they have consented to.This is where your Marketing Automation setup becomes important to demonstrate that the point of entry is recorded in sufficient detail.As quick and clear as it is to give consent, it should be to withdraw it. In order not to lose contacts completely, your "Preference Centre" becomes important. Here, individuals can choose which contacts they want and which types of mailings they are open to.
Right to erasure
It must also be possible to request to be completely "forgotten" by an organisation. This means the right to erasure, in which case all personal data relating to the individual must be immediately and permanently deleted. It is therefore important that there are processes in place for the prompt processing of such a request. Also, procedures to ensure that the data is deleted in all parts of the data storage, not just in the Marketing Automation system. On the other hand, it is important to review data flows in the different systems of the company (e.g. between CRM and Marketing Automation)Also, data collected and stored before the GDPR came into force, but which lacks authorised consent, must be permanently erased. However, new consent does not need to be obtained for personal data already in the database. As long as the previously obtained consent and its revision have been documented and comply with the GDPR requirements.