CRM, Customer Engagement, GDPR & The Data Protection Officer
Jorge Manuel Xavier
Commercial Director | crafting the future of healthcare | MBA, MSc, PhD candidate
The General Data Protection Regulation (GDPR) introduces substantial changes coming into effect on 25 May 2018 and establishes new challenges for organizations. Nevertheless, it is important to keep in mind that the new regulation will benefit us all, replacing the old Directive 95/46/EC from a time when the information society was only a vision and most of our homes didn't have a PC. To regulate business activity in this age of digital transformation, GDPR defines new principles and concepts such as the 'right to be forgotten', data portability, data breach notification, explicit consent and accountability.
I am passionate about CRM & Customer Engagement and very interested in how GDPR will impact our lives and our business. This article is not a guide for General Data Protection Regulation adoption and does not examine special categories such as sensitive data. The opinions are my own.
GDPR is arguably one of the most relevant pieces of EU legislation in recent years, but some countries, such as Germany or Austria, already had stricter laws than the rest of Europe in past years. Thus, all of us who implemented CRM and digital marketing solutions in these countries already know the concerns around issues such as explicit and transparent consent for email marketing, or tell-a-friend campaigns.
From the lessons learned in these countries we also know that GDPR is not an issue that IT departments should manage without legal advisors. In fact, companies might be forced to appoint a data protection officer (DPO), either internal or outsourced. Estimates indicate that GDPR will generate 28,000 DPOs in the next two years in Europe and the US[1].
Let's then examine some of the changes and their impact on the business processes of Customer Engagement.
Territorial scope
GDPR will apply to organizations which have an establishment in the EU, irrespective of whether the data processing takes place in the EU or not. Non-EU established organizations will be subject to the GDPR as well, where personal data are processed for the offering of goods and services or the monitoring of customer behavior within the EU. Exceptions and exclusions exist but must be verified carefully with legal experts. Thus, there is not much room for discussion about the headquarters location or where the datacenters might be hosted. We should focus on being compliant.
Transparency and Consent
Under the new regulation, all consent must be explicit. Assumptions and disclaimers are not an option. Opt-out possibilities are not enough. This means that we must be able to prove that the customer agreed through a deliberate selection, to receive a newsletter for instance.
The conditions for obtaining consent are stricter under GDPR: the data subject must have the right to withdraw consent at any time, and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.
For our organizations, this changes many things, such as the way we manage marketing and sales activities. Business processes, applications and forms might demand serious changes to be compliant with double opt-in rules. Currently the practice is to use inbound marketing and organic lead generation to generate leads and contacts. These might be people interested in products or people who signed up for newsletters, online services, events, downloads, etc. So, the more we get, the better, right? Well, maybe not…
It's true that double opt-in systems score a 20-30%[2] lower subscription rate compared with single opt-in systems. (Organizations should design the process to be as smooth and transparent as possible to minimize this difference.) However, the double opt-in process also has advantages. Requiring a click in an approval email helps to validate email addresses, avoids spam subscribers, keeps marketing lists clean and validates the intention and engagement level of those who complete the double opt-in process. This might minimize the data cleansing needs and improve conversion rates. Let's admit that the Germans understood this before anyone else.
The challenge will not be the same for all organizations. The financial services industry, especially banks, tends to avoid links in emails to protect themselves from phishing, and this is the reason why most of us receive a "mail to" option instead of a "subscription center" in our bank's newsletters. So, banks will have a bigger gap to cross in order to be compliant with GDPR.
In B2B, sales teams are used to collecting and following up on information from communication with customers, tradeshow meetings and business card exchanges. Now they might need to be motivated to use social media instead. A good example is LinkedIn Sales Navigator.
The acquisition of external databases might also need to be reexamined. It is not illegal to purchase marketing lists if we can guarantee the proper consent information. Just be aware that we are still responsible even if the data is collected by a vendor or outsourced partner. This includes database providers and agencies. Might this stimulate marketing and communication initiatives across social networks, instead of communication based on data from internal databases? Or might this be one more nail in email's coffin? I tend to think so.
Pseudonymisation
Pseudonymisation is a privacy enhancing technique where the information which allows data to be attributed to a specific person is held separately and subject to technical and organizational measures to ensure non-attribution. CRM systems should be prepared to anonymize personal data, whether through manual methods, automated mechanisms or self-service requests.
The right to be forgotten
Data subjects are given substantial rights under GDPR, including the right to be forgotten. Anyone with experience of CRM systems knows that if there is one thing a CRM was designed for, it is to prevent anyone from being forgotten. The nature of a CRM system is the opposite: register and track everything. For instance, in Microsoft Dynamics 365, deactivating a record (as an alternative to deleting it) is the recommended action for ensuring the integrity of the audit trail associated with that record. In Microsoft Dynamics 365 a contact has a parent-child relationship to the activities (tasks, phone calls, appointments) that are linked to the contact. When we delete the contact, all those activities are deleted along with the contact. This may destroy important historical record tracking that we want to preserve and have other implications, especially in B2B. Therefore, the right to be forgotten will impact the way CRM systems are designed today. That being said, there are some limits and conditions, the first being that the data are no longer necessary for the purpose for which they were collected.
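The two preceding sections describe the same design problem: identifying information must be held separately from the rest of the CRM data (pseudonymisation), and a contact must be forgettable without cascading deletes destroying the activity history. The following is an added example written for this article, not code from the article or from Microsoft Dynamics 365; the class, methods and records are hypothetical and constructed. It keeps an identity store (token to person) apart from an activity store that holds tokens only, so "forgetting" a person means deleting the mapping while the audit trail survives anonymously.

```python
"""Pseudonymised CRM store: direct identifiers kept apart from activity history.

Added example, not code from the article or from any CRM product;
every class, function and record here is hypothetical/constructed.
"""
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional


class PseudonymisedCrm:
    """Two stores that should live in separate systems with separate access.

    The identity store is the only place a token can be turned back into
    a person; the activity store (the bulk of CRM data) carries tokens only.
    """

    def __init__(self) -> None:
        # Identity store: token -> direct identifiers, plus an email index
        # so the same person is not registered twice.
        self._identities: Dict[str, Dict[str, str]] = {}
        self._email_index: Dict[str, str] = {}
        # Activity store: token -> activities. No names, no email addresses.
        self._activities: Dict[str, List[Dict[str, str]]] = {}

    def register(self, name: str, email: str) -> str:
        key = email.strip().lower()
        if key in self._email_index:
            return self._email_index[key]
        # Random token: nothing about the person can be derived from it,
        # and once the mapping is deleted there is no way to relink it
        # (a keyed hash of the email would let the key holder relink).
        token = secrets.token_hex(16)
        self._identities[token] = {"name": name, "email": key}
        self._email_index[key] = token
        self._activities[token] = []
        return token

    def log_activity(self, token: str, kind: str, subject: str) -> None:
        """Record a task, phone call or appointment against the token.

        Caveat: free-text fields such as 'subject' can re-identify a person
        ("call Ana about renewal"); keep them free of names and addresses.
        """
        if token not in self._activities:
            raise KeyError("unknown contact token")
        self._activities[token].append({
            "kind": kind,
            "subject": subject,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Only callers with access to the identity store can do this."""
        return self._identities.get(token)

    def activity_count(self, token: str) -> int:
        return len(self._activities.get(token, []))

    def forget(self, email: str) -> int:
        """Right to be forgotten without breaking the audit trail.

        Deleting the contact would cascade to its activities (the
        parent-child problem described in the article). Instead, delete only
        the identity mapping: the activities remain for historical
        reporting but are anonymous. Returns how many were retained.
        """
        key = email.strip().lower()
        token = self._email_index.pop(key, None)
        if token is None:
            return 0
        self._identities.pop(token, None)
        return len(self._activities.get(token, []))


if __name__ == "__main__":
    crm = PseudonymisedCrm()
    tok = crm.register("Ana Silva", "ana@example.com")  # constructed sample contact
    crm.log_activity(tok, "phone call", "renewal")
    print("before:", crm.reidentify(tok))
    print("retained activities:", crm.forget("ana@example.com"))
    print("after:", crm.reidentify(tok))
```

The split only helps if the two stores really are separated by access control: a report that joins the activity table to the identity table re-attributes everything, so the identity store should be queryable by far fewer roles than the activity store.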
Portability rights
GDPR gives individuals the right to require their data to be provided in a commonly used electronic form. Data portability goes beyond this: it requires the controller to provide information in a structured, commonly used and machine readable form, and the controller can be required to transmit the data directly to another controller. This includes personal data which is processed by automated means (no paper records), personal data which the data subject has provided to the controller and data being processed for a contractual purpose.
For this request to be actioned across the different platforms and databases that may hold the data, integrations are needed in order to achieve it in an effective way. If we think of the personal data collected by a healthcare provider, a bank or even a telecom carrier under the portability rights, we can conclude that there is a lot of work to do on CRM systems to be compliant in 2018 and avoid heavy penalties that can go up to 4% of global turnover.
Right to object to automated decision making
Under this right, marketing automation campaigns can be objected to, and it is the sender that must prove that consent was given. This means that any data held must have a time stamped audit trail and reporting resources revealing what the contact opted into, and how.
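The consent requirements above (explicit, separate per purpose, withdrawable at any time, proven by a time stamped trail) and the double opt-in process discussed under Transparency and Consent can be captured in one append-only ledger. The following is an added example written for this article, not code from the article or from any marketing platform; the class, method and field names are hypothetical and the sample events in the usage section are constructed.

```python
"""Consent ledger: double opt-in, per-purpose consent, withdrawal, audit trail.

Added example, not code from the article or any marketing platform; names
are hypothetical and sample events are constructed.
"""
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry; never updated in place, so the trail is auditable."""
    at: str        # UTC ISO-8601 timestamp
    purpose: str   # separate consent per processing activity
    action: str    # requested | confirmed | withdrawn
    source: str    # how: web form, confirmation link, unsubscribe link ...
    evidence: str  # form id, message id, token ... whatever proves the action


class ConsentLedger:
    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}
        # confirmation token -> (contact, purpose), consumed on first use
        self._pending: Dict[str, Tuple[str, str]] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def _append(self, contact: str, purpose: str, action: str,
                source: str, evidence: str) -> None:
        self._events.setdefault(contact, []).append(
            ConsentEvent(self._now(), purpose, action, source, evidence))

    def request(self, contact: str, purpose: str, source: str, evidence: str) -> str:
        """Step 1 of double opt-in: log the request and issue a confirmation token."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (contact, purpose)
        self._append(contact, purpose, "requested", source, evidence)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the click in the approval email. Single use; False if unknown."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        contact, purpose = entry
        self._append(contact, purpose, "confirmed", "confirmation link", token)
        return True

    def withdraw(self, contact: str, purpose: str, source: str) -> None:
        """Withdrawal must be possible at any time and is itself logged."""
        self._append(contact, purpose, "withdrawn", source, "")

    def may_process(self, contact: str, purpose: str) -> bool:
        """Valid only if the latest event for this exact purpose is 'confirmed'.

        A pending request (single opt-in) is not consent, and consent for one
        purpose says nothing about another.
        """
        last: Optional[ConsentEvent] = None
        for ev in self._events.get(contact, []):
            if ev.purpose == purpose:
                last = ev
        return last is not None and last.action == "confirmed"

    def proof(self, contact: str, purpose: str) -> List[dict]:
        """What the contact opted into, when and how: the trail a DPO can show."""
        return [asdict(ev) for ev in self._events.get(contact, [])
                if ev.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # constructed sample flow
    token = ledger.request("contact-1", "newsletter", "web form", "form-42")
    print("before click:", ledger.may_process("contact-1", "newsletter"))
    ledger.confirm(token)
    print("after click:", ledger.may_process("contact-1", "newsletter"))
    ledger.withdraw("contact-1", "newsletter", "unsubscribe link")
    print(ledger.proof("contact-1", "newsletter"))
```

Because the ledger is append-only, withdrawal does not erase the earlier confirmation; it adds a later event, so the organization can still prove that the newsletter sent last month was covered by consent at the time, while sending anything today is blocked.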
Data protection by design and accountability
Organizations must be able to demonstrate their compliance with the GDPR's principles, including by adopting "data protection by design" measures such as pseudonymisation techniques, staff training programs and policies and procedures. Besides the reporting tools, this is one of the areas where coordination by a DPO might be mandatory.
Conclusion
This article is not a guide for GDPR adoption and does not aim to exhaust all the complexity of the new regulation. My aim was to emphasize my perspective on the implications for CRM & Customer Engagement practice. To address the GDPR's challenges, organizations should put together teams from different areas, such as IT managers, DPOs and marketing and sales leads, to work with their partners in order to redesign business processes and implement the best solutions.
Sources:
GDPR Portal (https://www.euGDPR.org/)
ComputerWeekly, EU data protection: essential guide
[1] International Association of Privacy Professionals (IAPP)
[2] Pam Neely, New Research in the Epic Battle Between Double and Single Opt-in
Comments:
Markets & Business Development @EY | Driving Sales Growth and Market Expansion
7 years: Thanks for sharing and summarizing a complex issue so easily.
Managing Director - HSO France
7 years: Actually, a very good article Jorge Xavier! Data protection will become a real big concern for any company. European citizens will then be much better protected too!
Software Engineering Manager at Kaluza, part of OVO Group
7 years: Great article, an intelligent summary of a complex issue. The discussion of double opt-in reducing noise and validating intention and engagement is especially insightful. The https://consentric.io platform has been built around the premise that transparency and consent promote engagement and trust, generating more valuable customer relationships. We're currently building a number of CRM integrations.
Global CoE Customer Service Lead at Avanade
7 years: Great article Jorge Xavier! This is an important change in the data protection area and I'm not sure that most companies take care of that subject and its consequences.
Executive Director | Public Sector
7 years: Congrats Jorge, very interesting!