Customers are waking up to the fact that they now have more rights around their privacy and data. The advent of the GDPR, allied with the Privacy and Electronic Communications Regulation (PECR), which will morph into the e-Privacy Regulation, means that organisations will have to be much more careful about electronic marketing and communications if they don’t want to fall foul of these regulations post May 2018. Therefore, planning your marketing communications throughout the customer journey is going to be vital.
The Customer Journey
When thinking about your customer journey there are four key stages you must think carefully about to ensure you comply with the upcoming regulations: how you find customers, how you bring them on board, how you keep them, and when they do leave, how you decide what to do with their personal data. Designing thoughtful communications sits squarely within the principle of Data Protection by Design and Default.
The rules about finding customers are going to be much tighter in future. If you are considering buying marketing lists, then you need to have confirmation that the individuals on that list have given unambiguous consent for their name to be forwarded to your organisation. If you cannot get definitive proof of this then you cannot use this list. Using social media providers to find people with similar profiles is also going to be more difficult, unless you have the consent of your current customers that you can share their details with social media companies to find similar people.
Your organisation’s opening statement to potential customers is absolutely vital as this will set up what you can send them in future. Naturally you have to be transparent about the legal basis you are using to process their personal data. You also have to tell them the purposes of processing their personal data, who you will send their data to, how you will store their data, how you will secure their data and for how long you expect to hold their data. This should be displayed both in the Data Privacy Notice, normally displayed on your organisation’s website, and on any form that you ask the data subject to complete.
It should be remembered that you can only use their personal data for the purpose you are collecting it for, unless you gain unambiguous consent from the customer to send information not related to that initial process. This is best achieved by creating a granular consent form that details all the other products or services, or types of products and services, you offer as well as the types of media you want to use to inform customers about them, i.e. telephone, post, SMS or email. This then gives you not only the permission to market to them, but also tells you about their preferred means of communication. For compliance purposes you must record when the customer gave consent and also what they consented to, i.e. the message they saw.
It should also be noted that if you intend to use third parties to process the data then you must tell customers this up front. Therefore if you intend to use a social media provider, such as Facebook, to find similar customers, this must be stated at the very beginning.
Naturally the best way of keeping customers is to provide them with fantastic products and services. Every organisation wants to increase the value of each customer by selling more and different products to them. This is why initial communications are so vital. If you have not gained consent to tell them about your range of products and services, then it makes it much more difficult to sell anything other than the product they first bought.
Apart from gaining their initial consent you must make sure that you have accurate details of your customers; after all there is no point in sending marketing messages to the wrong address – email or postal. The best way of achieving this is to give customers a portal or account where they can not only make sure that their personal data is up to date and therefore accurate, a key principle of the GDPR, but also change their permissions and methods of communication; in other words, the portal offers the same granular consent form that you initially presented.
The GDPR states that customers must be able to withdraw consent as easily as they gave consent and at any time. Therefore organisations should still include an ‘unsubscribe’ facility in all marketing messages, in addition to having a customer account portal where they can change their permissions.
Neither the European Data Protection Board nor the ICO has given definitive guidance about how long consent is valid for, so we shall have to wait for this. However, organisations cannot assume that consent lasts forever and so will need to plan how they will get current customers to give consent again.
Unfortunately we cannot assume that we can keep our customers forever, therefore we have to plan for what happens when they leave. The GDPR states that we must retain personal data for no longer than is necessary for the purpose for which the personal data are processed. This means that as long as there are no other legal or statutory reasons for retaining this data, then it must be deleted. And deleted means destroyed, not archived or suppressed – the only exception to this would be to keep a customer’s email address on an unsubscribe list so that it isn’t accidentally used in future marketing emails. All organisations must have a personal data retention and deletion schedule that defines how long each data set will be kept for and this will provide the guidance for how long the personal data is retained for once the customer has stopped trading; it is not possible to be definitive here because every organisation, product and service will have different parameters. Therefore having a defined process for when a customer leaves is as important as having a defined process for getting the customer in the first place.
Planning the customer journey, and the marketing messages your organisation is going to send them along their whole journey, is an important and easy way of ensuring that you mitigate your risk of falling foul of the GDPR, PECR and e-Privacy, once it comes into force. It is part of the principle of Data Privacy by Design and Default and will help your organisation to shape your marketing and communications strategy.