Could GDPR Be the Best Thing That’s Happened to Marketing?
By Ginger Conlon | 5.29.18
“It’s best to apply GDPR-related best practices to all user data, whether or not users are EU data subjects,” asserts Dave Ginsburg, VP of marketing at Cavirin. “One reason: GDPR is just the tip of the iceberg; it’s the first substantiation of the types of privacy controls that we can imagine coming to the United States over time.”
Another significant, revenue-oriented reason: When you look past the General Data Protection Regulation (GDPR) as a regulatory framework and instead see it as a foundational tool for building customer intimacy, suddenly you see opportunity. Consider these findings by Accenture Interactive:
74 percent of 8,000 consumers say they would find “living profiles” valuable if companies used those profiles to curate the experiences, offers, and products they send
91 percent are more likely to shop with brands that recognize and remember them, and then provide relevant offers and recommendations
83 percent are willing to share their data to enable that personalized experience
Consumers would also like companies to use their data responsibly. “Consumers want a great experience, but they don't want it at any cost,” says Patrick Salyer, CEO of SAP Gigya. “An SAP Hybris survey found that the number one reason a potential customer will leave a brand is that their data is used without their permission. On the flip side there’s a survey that asks, ‘How likely are you to share your data?’ and 75 percent said, ‘Very likely, if you give me transparency and control around the data.’”
Giving consumers that transparency and control is what GDPR is all about.
Clearly, GDPR impacts companies’ data practices across the organization. But marketing is where GDPR’s regulations can actually serve as a way to bring company and customer closer together. Marketers who make GDPR-related changes to their operations with customer intimacy and customer experience in mind are the ones who will be able to use its tough rules to their advantage.
“It’s reinforcing what good marketers are already doing: They’re thinking about their customers, about how they’re using customer data, and about the experience that that then delivers for their customers,” says Jena Donlin, director of product marketing at Braze (formerly Appboy). “So, although there’s a cost factor to the compliance burden, all in all GDPR is reinforcing good behavior that keeps the customer and customer-first thinking front and center.”
In fact, 71 percent of 165 marketers polled believe that GDPR will impact customer experience by increasing transparency into how companies are using customer data, and 37 percent see it as an avenue for building customer trust and loyalty, according to a study by SAP Hybris and the CMO Council. But only 39 percent of respondents view GDPR as an opportunity to provide better customer experiences.
It’s time to rethink the opportunity that GDPR actually presents. Start by changing your mind-set around data practices in general and GDPR in particular, eliminate bad practices, modify others to be more customer centric, and use GDPR to help prioritize those changes. Here’s advice on how from nearly a dozen marketing industry experts steeped in GDPR.
Blessing or curse?
As tough as its regulations may be, many marketing industry experts consider GDPR more of a blessing than a curse. “Normally, regulations like GDPR don’t tie at all to consumers’ wants and desires. But in this case, it does,” says SAP Gigya’s Salyer. “Consumers are asking businesses to provide a better customer experience. And customer experience is what’s differentiating brands that are winning today.”
Marissa Aydlett agrees. “As a consumer you expect the same thing as everyone else,” says Aydlett, SVP of global marketing at Braze. “Why forget that when you walk in the door to do your day-to-day job as a marketer?”
Adds Shawn Herring, VP of engagement marketing at Braze: “There’s nothing but benefits to marketers who take responsibility for how they use customers’ data.”
Salyer and others predict that the days of marketers providing personalized experiences by tracking users without their permission and buying data on them are coming to an end. Consumers often find those experiences creepy and are asking for transparency and control. “Ultimately,” Salyer adds, “they want to trust a brand.”
GDPR is an opportunity for marketers, because it can build that consumer confidence. “The real challenge today, for brands, is to get back to a trusted relationship with their consumers,” says Samir Addamine, founder and chairman of FollowAnalytics. “GDPR is an opportunity for that; for companies, for brands to say, ‘Hey, we’re going to be transparent.’”
Yet, GDPR may also feel like a curse, especially to those marketers who have gone overboard with their data collection and use. “GDPR is a necessary evil based on the lack of data governance. It’s an inevitability,” says Brian Cleary, VP of solutions marketing at RedPoint Global.
Marketers who are heavy users of third-party data also may feel that GDPR is a curse because the amount of work needed to change to a more first-party approach to data is significant. “You’re talking about a massive business transformation, from a marketing standpoint,” says Steve Durbin, managing director of the Information Security Forum. “Most marketers try to gather as much information as they can about individuals, because, of course, the more you know about them, the better placed you are to try and sell them things. So, for the majority of marketers it’s going to be a real challenge.”
But not one that’s unexpected.
“It’s been like a pile on: We have so many databases, so many ways of contacting customers, and GDPR is like housecleaning—it’s causing us to reevaluate our procedures, how we collect the data, how we store it, how we contact people,” says Cavirin’s Ginsburg.
“This privacy issue has been bubbling up for many years. Business leaders treat privacy as just a security issue, but privacy is also a customer preference and it needs to be treated that way,” says Omer Artun, CEO of AgilOne, adding that when companies meet that expectation they can increase customer lifetime value.
“GDPR and this whole movement going on provides consumers access to their data, so it becomes a kind of joint ownership of that data. It also becomes my preference as a customer, it becomes personal. It might be counterintuitive but it’s actually personalization.”
The challenges of preparing for and adhering to GDPR may feel like a curse right now, but soon enough GDPR and other similar regulations will simply be business as usual. “As with the CAN-SPAM Act and CASL, people were scrambling at first to get their house in order,” says David Fowler, head of privacy for ActOn Software. “But from a marketing perspective it’s certainly opened the kimono for us to all look at ourselves, our practices, and figure it out.”
Data mind-set shift
That self-reflection should lead marketers to thinking differently about customer data—and about how it impacts customer intimacy, engagement, and loyalty, as well as all of the benefits those deliver.
“We need to start moving towards a real relationship with customers and consumers. CRM has been around forever, yet somewhere along the way we lost this idea of a relationship, this two-way exchange,” says SAP Gigya’s Salyer. “GDPR, in its core tenets, requires you to have that two-way exchange, to get consent for how data is being used. It allows users to control their data, delete their data, export their data.”
Instead of doing whatever’s technically possible to drive leads and sales, marketers should shift to activities that will build trust with their customers, Salyer recommends. “If we do that, customers are likely to want to build a relationship and share information, in exchange for value, for better products, better marketing,” he says.
Adapt retention strategies for acquisition
What Salyer recommends amounts to this: It’s time to think more about the long term, about building relationships that build lifetime value, instead of just relying on the quick sale. As ActOn Software’s Fowler says, “Being transparent in terms of what’s actually going to happen when someone hits the ‘submit’ button is like applying retention-based marketing strategies to an acquisition model.”
Rethinking how to build your marketing pipeline given the new requirements is a big mind-set shift, he points out. “We’ve had to rethink pretty much our entire model based on GDPR,” he adds. “And that’s not a bad thing. You have complete disclosure and consent from the beginning of a relationship, which is retention-based marketing 101.”
Simply put, there are business benefits to being more careful about what you’re doing with customers’ data. Consider: In the past when a consumer made a catalog purchase their mailbox was soon filled with all kinds of catalogs. “There was no privacy protection. Your information was sold to everybody,” says Rich Kahn, CEO and cofounder of eZanga. “Of course, with the Internet, information moves a lot faster. So, now there’s a need to protect more and more data. People have a right to have their information private.”
GDPR also affirms that people should have control over their own data, which starts with giving explicit consent for its collection and use. So, marketers now have to ensure that they actually have that permission.
Of course, there will be fewer people who consent to share their data. So, marketers will also have to shift how they approach interactions with users who haven’t consented. For those prospective customers, TripleLift CEO Eric Berry recommends focusing more on higher-funnel actions: What is the derived intent for any given page or context? How do you move away from direct-response type ads towards higher-level branding metrics?
“We’ll see a shift toward experiences that can bring branding dollars effectively into digital properties,” Berry says. “Marketers are going to start thinking more about how to create a direct relationship with customers, and how to act on that relationship. The more it’s clear that those relationships exist, everyone will win.”
Be a partner
In other words, start being a partner to customers by showing and communicating how you’re using the information that you’re collecting about them. “So, in addition to giving them control,” says Braze’s Donlin, “giving them that transparency that helps them understand the ways that that data is being used to enhance their experience with your brand.”
And the more transparency there is around why marketers are collecting specific information, the more they can build that customer understanding and engagement as they follow the related GDPR regulations. “Whenever marketers ask consumers or customers about personal data, they need to justify why. For example, ‘Why do we need your date of birth? We want to celebrate your birthday. We want to offer you something for that,’” says FollowAnalytics’ Addamine. Consider what data is actually needed, he advises, because not only will the transparency with consumers help build trust and loyalty, but also marketers may have to justify their reasoning to regulators. In this case, for instance, is month/day/year necessary and defendable, or will birth month suffice?
“GDPR pushes transparency into not just what you’re doing with data, but how you’re doing it, and why you’re doing it,” says Braze’s Herring, adding that being transparent furthers and deepens the relationship with your customers.
“We have to set aside some of those traditional ways of working, even ones that have been effective,” says Information Security Forum’s Durbin. “We have to look at how we can digitally enable smarter marketing that will allow us to get to know our target audience on an opt-in basis. We need to understand that it presents us with a great opportunity, actually, to do much more targeting than we were able to do in the past — because now what we have is someone who has clearly committed to receiving things from us, so they must have had a reason to do that. Organizations that are able to adopt that stance are going to come out as winners.”
Tactics to eliminate and replace
Using GDPR as motivation to think more about a customer-first, data-transparent approach to marketing is an important first step. Once you’ve shifted mind-set to see the opportunity GDPR presents toward building customer intimacy, and business growth, you need to turn those positive thoughts into action. That means saying good-bye to some approaches and adopting new GDPR-friendly ones.
Give preferential treatment
“The first step in personalization is giving choice and preference,” says RedPoint Global’s Cleary. So, he recommends that marketers stop using a privacy statement in lieu of an actual consent mechanism and instead:
2. Launch a preference center that allows customers to easily update their preferences over time.
Preference centers can enhance the ways that marketers collect information and permissions. “They can showcase what you’re doing with customers’ information and how you’ll use it to personalize the experience,” says Braze’s Donlin. “You can also use it to get direct guidance from your customers about what they want to hear about and how they want to hear about it.”
In that preference center, as well as on any form, eliminate prechecked boxes or fields. Period. Prechecked boxes assume consent, which is not the same as an explicit opt in. “Replace it with clear, concise disclosures. It’s going to lead to a better relationship,” says ActOn Software’s Fowler.
It could also lead to less of a reliance on third-party data.
Emphasize first party
“There’s a sea change happening right now, moving away from the use of third-party data toward first-party data that’s provided with permission directly from customers and consumers,” says SAP Gigya’s Salyer, adding that GDPR isn’t the only driver of this. Another reason, he says, is that the data from data brokers is often inaccurate. “If you move towards first-party data, you can build a direct relationship, getting access to information with permission to drive a better experience,” he says. “And that’s sustainable.”
The focus on eliminating third-party data as a marketing staple is a common theme. Cavirin’s Ginsburg recommends that marketers stop using purchased lists that didn’t have an explicit opt in. “You’re not going to buy those [ambiguous lists] anymore,” he says. “You shouldn’t do it as it is.”
The other side of that coin is the recommendation to stop selling and sharing customer data. “Halt the processes of abusing your access to customer information by selling it to other companies as part of the marketing process,” eZanga’s Kahn warns. “While some [data sharing] can still exist, much of it has to be eliminated.”
When it comes to selling and sharing data, one gray area to eliminate is using “identifiers” to get around rules that prohibit directly sharing personal information, AgilOne’s Artun recommends. “Somebody says, ‘I want to talk to Josephine Taylor, who actually is JT123.’ And then I say ‘Oh, we know G123, we can tell you everything about her. Where do you want to advertise to her?’” Artun explains. “And then boom, you can go into that pool and you can target Josephine any way you want. You can get third-party data about her, like what type of flights she’s looking at, what type of shoes she’s buying, all of that stuff is available.”
Instead, treat customer data like the uniquely valuable asset it is. And use transparency and personalization to build customer lifetime value — instead of building customer “value” by selling customers’ data without their explicit permission to do so.
Tactics to modify, and how
Although GDPR has its share of ambiguity, it’s best to err on the side of caution, which starts with understanding what you can and cannot do. And once you’ve eliminated practices that are wholly noncompliant, it’s time to modify tactics that can be more customer-centric while being compliant.
Think "less is more"
One of these practices is lead gen. Are prospective customers actually happy for you to take their details at a trade show or when downloading content, for example? “Sometimes you overstep the line when [lead gen] is based around volume, as opposed to quality,” says Information Security Forum’s Durbin. “Understand what GDPR requires you to do and then view it as a fresh opportunity to gather information about your target audiences — because if you’re smarter about how you target audiences legally, not only can you tick the compliance box, but you also can gain a competitive advantage.”
When it comes to lead gen, Cavirin’s Ginsburg recommends that marketers focus more on personalized higher-value intimate events, such as webinars or seminars, instead of the traditional mass database mailings. “You’ll have fewer leads, but much higher quality.”
New approaches to gathering those leads and asking prospects and customers to opt in to your marketing communications are just the tip of the iceberg in terms of processes that need to be updated — but changing them could, and should, lead to customer experiences that build trust and advocacy. Even if a customer chooses to leave, if you’ve made it easy, they’ll share that as an example of a benefit of doing business with you.
“We need to change the work flow to be explicit when we’re collecting the user data, explicit in what we’re going to do with it, explicit in having people opt in to receive any follow-up information,” says Cavirin’s Ginsburg. “It’s best to apply these best practices to all user data, whether or not users are EU data subjects. One reason: GDPR is just the tip of the iceberg; it’s the first substantiation of the types of privacy controls that we can imagine coming to the United States over time.”
AgilOne’s Artun posits that there are business benefits to exposing more data about the customer to the customer, giving them more control over how they want to be contacted and what they want to do with their data, and the like. “Over the long term, work toward providing a way to let customers ‘train’ the recommendations,” he says. “Allow customers to provide input to change the way your company personalizes its marketing to them or uses their data.”
It’s also necessary to update the back-end processes to support these front-end changes. Marketers need to think through their systems and their approach to collecting, storing, and cleansing data, and establish processes to ensure that all of it is handled properly. Siloed data makes this difficult.
“You have to get a handle on what data you have about your customers,” Artun says. “It becomes a complex problem real fast — in part because identity is fungible.” For instance, he notes, say a customer calls in and wants to change his email address. That email address might be stored alone in one system, and stored with a physical address in another system, but that physical address matches to a different email in yet another system. What process will you put in place to handle that update? Or, if a customer has multiple identities and wants her data deleted, you have to erase it for the one identity tied directly to the request, but if she’s linked to another identity do you erase that too? These are the types of issues you need to plan for and ensure are GDPR compliant.
Fortunately, many enterprises are already working to bridge data silos to create a single view of the customer that allows for more relevant, personalized marketing. GDPR makes that goal more pressing.
“Historically, it was OK to have silos because you didn’t need to think about giving consumers control over how their data’s being used,” says SAP Gigya’s Salyer. “With GDPR that’s not the case anymore. You need to respect the consumers’ desire to delete their data, export their data, and update their data, which means these data silos need to be connected in a cohesive way.”
Collaborate across functions
This is one of the many areas where marketing leaders need to collaborate with their peers in other functions, Salyer emphasizes, because, ultimately, efforts to become GDPR compliant require working with the IT team on integration, with the privacy team to implement or build privacy-by-design features and functionality, with legal to ensure that you get consent for the right terms of service, etc.
“Personal data, which is broadly defined in this framework, is something that has profound implications across the organization, so it needs to be dealt with strategically and operationally,” says Omer Tene, VP and chief knowledge officer of IAPP. “You need to do your housekeeping, do data inventory and mapping, figure out your consents, and allow individuals to exercise their rights — and be responsive and accountable to regulators. Marketers are enthusiastic about using data, and rightfully so; it’s a valuable asset. But it comes with costs and with risks and responsibility.”
That responsibility extends outside the marketing organization, of course. Marketers need to make sure their agencies, advertising platforms, marketing software platforms, and other contractors who supply or touch their organization’s customer data are compliant, too. “Marketers need to keep their service providers and vendors on a tighter leash because they’re more accountable for actions by third parties,” Tene warns. “There’s an incredibly complex ecosystem with data exchanges and supply side and demand side. It will evolve to a more responsible, accountable ecosystem.”
Embrace data governance
Consequently, closely managing your customer data supply chain is now a necessity. And another opportunity to improve customer relationships by ensuring data quality and consent all along the chain.
“Many marketers have kept themselves at arm’s length from their data. They can’t do that anymore. If they’re outsourcing their data, they can’t assign the liability to the outsourcers,” says RedPoint Global’s Cleary. “You own the relationship with the data subject. You have the responsibility for the governance. That’s a new process.”
Cleary recommends creating a closed-loop process that starts with giving customers the ability to set preferences and has data living in real time in different systems. This will enable companies to more easily respond to customers’ requests to change or delete data, he says. Marketers need to map their customer data, understand where that data lives, what fields are specifically being captured, and then be able to process a request and have that request validated.
“You may also need to rethink your approach to progressive profiling,” Cleary adds. “Data subjects can prohibit you from being able to build out a more progressive profile that might reveal such information as political, religious, or sexual orientation.”
Adopt advanced planning
These process shifts need to extend to such areas as campaign planning, onboarding, and other customer programs. Before starting a campaign or rolling out a new program, think about the data you’ll actually need not only for that campaign, but also for future campaigns — as well as what consent you’ll need to be GDPR compliant. “Because consent is the first thing,” FollowAnalytics’ Addamine says. “GDPR is not saying you're not allowed to collect data, but you need it to be transparent and have consent.”
ActOn Software’s Fowler echoes that advice, emphasizing that gaining consent helps to build customer loyalty. “I would rather have someone engaged in my brand three or four times a year given that I’ve onboarded them correctly into my program and been transparent with my disclosures and permissions, etc., than try to get a quick conversion for a short period of time,” he says. “It’s a marathon not a sprint.”
But don’t go it alone. Appoint a data protection officer, or hire one on a consulting basis, to make sure that all of your company’s data is compliant with GDPR. “It’s one of the GDPR requirements, actually,” FollowAnalytics’ Addamine says.
There are so many processes and tactics to eliminate or change, it can feel overwhelming. Most important, asserts IAPP’s Tene, is to simply start the process if you haven’t already.
“You have to at least look at the regulation to understand what it means before you say, ‘I don't have to worry about it,’” warns eZanga’s Kahn. “Understand exactly what GDPR is all about.”
Taken as a whole, becoming GDPR-compliant is akin to business transformation. “When I read through the GDPR provisions and all the articles that are associated with it, what I walk away with is this: The "so what" is that you need to start by defining policy, but you have to instantiate with process,” says RedPoint Global’s Cleary. “And then, you have to demonstrate the auditable evidence of compliance, which requires a system of record.”
So, where to begin?
Build in compliance
“It’s time to start from the ground up and create workflows that are more privacy centric, that aren’t about spamming people by sending them information that they don’t want. That will put marketers in a position to better anticipate not only what's happening with GDPR, but also what could happen with other privacy regulations that will come down the pipeline in the next few years,” says Cavirin’s Ginsburg.
And get compliance in the budget. According to a survey of companies with annual revenue of more than $10 million by NAPCO Research and Melissa, only 27 percent of respondents have budgeted for GDPR compliance in 2018, 35 percent haven’t formally budgeted for it, and 38 percent say they don’t know if their organization has budgeted for GDPR compliance.
Share data ownership
In terms of customer-facing processes, be transparent on what data you’re collecting and prepare to allow individuals to exercise their rights with respect to their data. Give customers the ability to transfer their data, even to a competitor, and give them the ability to delete their data. Under GDPR, companies have to allow individuals to access their data and to rectify it if there are mistakes, to port it, delete it, revoke consent, and object to automated processing.
“Some companies are tackling GDPR using what we call privacy-by-design approach, which is a huge opportunity for marketers who want to create a relationship with their consumers that is based on trust and transparency,” says FollowAnalytics’ Addamine.
Map your data
Internally, it’s important for marketers to conduct a data mapping project, advises IAPP’s Tene. Only 30 percent of respondents to the SAP Hybris/CMO Council Study say they’ve completed a data audit, including a review of the technologies and communication channels they use to collect customer data related to GDPR; 25 percent say they’ve partially completed the audit, and 20 percent haven’t started but plan to.
“Marketers need to understand exactly what data they collect, where, for which purposes, and who has access to it — including service providers,” Tene says.
“It goes a long way toward demonstrating that you’re responsible, accountable,
And, make sure all your vendors are GDPR compliant. “If any vendors collect data for you; if you’re using any third-party vendor that connects you and your clients, make sure they’re GDPR compliant, as well,” says eZanga’s Kahn. “Because that ultimately falls on your shoulders.”
Rethink your relationship status
With all the hype around gaining consent, it’s easy to overlook other communication strategies. For example, planning for how you’ll communicate with prospective buyers before you’ve gained consent. “Focus on how you’re going to obtain consent to communicate with users, of course,” says TripleLift’s Berry, “but also focus on how you’re going to communicate with users in a non-consented context.”
The top priority, says Information Security Forum’s Durbin, is this: Do you really know your audience? “As in, have you been able to successfully segment those who have opted in versus opted out, and have you identified the gray area?” he asks. “Because starting the 25th of May, you do not want to be marketing to the gray area until you’ve validated them. You do not want to be marketing to the people who’ve opted out. You want to be marketing as much as you can to the opt-ins, because they want to talk to you.”
GDPR and beyond
Yes, achieving GDPR compliance is fraught with challenges and complexity. It’s also “just the next step in evolution of marketing on the Internet,” says eZanga’s Kahn. “It’s about being careful with what you’re doing with people’s data; it’s about protecting that data.”
And as a customer-centric marketer, that should be business as usual. “We need to remember that we are consumers ourselves, and we need to put that consumer mind-set and the data foundation at the forefront of everything we do,” says Braze’s Aydlett.
So, start on the road to GDPR compliance with the consumer at the center. If you start by taking a siloed approach to making sure each system is GDPR compliant, you’ll likely have a situation where you’ll have staff having to figure out how to delete customer data in multiple data silos around the organization anytime a customer requests their data be deleted, SAP Gigya’s Salyer points out. “It’s really costly, it’s a terrible experience, and it’s not scalable,” he says.
Instead, he says, think about how to create a great experience for consumers by allowing them to manage their own data. “You have to view this as this is the future of how you build relationships with customers,” Salyer says. “This is not a one-time, ‘I’m going to check the boxes and then be done with it’ situation. This is a new way to look at the world and it surrounds trust. How do you build trust with customers? Do the right thing, build trust, and compliance will follow.”
This customer-first thinking is essential not only for building customer intimacy and loyalty, but also because GDPR won’t be the last compliance or regulatory challenge marketers will face, Braze’s Donlin reemphasizes.
Ultimately, GDPR is about relationships. It’s about being able to truly understand what your audience is looking for at each and every stage of the customer journey. “Under GDPR, you have to keep tracking back with customers, making sure that you understand what they’re doing,” says Information Security Forum’s Durbin. “Well, that’s a fantastic opportunity to be communicating with them, isn’t it? Look at it from that point of view, and then adapt the systems accordingly.
“I think where marketers are falling down is by viewing GDPR as a piece of compliance that they have to get done, and then can breathe a sigh of relief,” he adds. “Well, unfortunately, that isn't the case, because GDPR isn’t a piece of compliance, it’s a business transformation program. The journey began on the 25th of May, it didn’t end on the 25th of May.”
About the Author
Ginger Conlon, chief editor and marketing alchemist at MKTGinsight, catalyzes change in marketing organizations. She is a frequent speaker on marketing and customer experience, and serves in advisory or leadership roles for several industry organizations. Ginger was honored with a Silver Apple lifetime achievement award for her contributions to the marketing industry.