Has GDPR Killed Email Marketing?

This article originally appeared here.

Must admit I missed this article, it was only after Alex Low, who runs my Social Selling practice pointed it out, that I read it.

Wetherspoons just deleted its entire customer email database – on purpose

To save you reading it, Wetherspoons had previously been fined for sharing customer data. With the new GDPR regulations in place they carried out a risk assessment and decided to delete their email database.

That’s right they have deleted the entire email database.

Why?

With GDPR, companies now need a fool-proof system to show that a customer has given consent to hold that data. As a sales guy, I’ve held customer data and tended to work on the basis that we would “print and be damned”. Not anymore.

In the past, if you registered your address or telephone number to stop cold callers or mail shots the fines were around ￡2,000 ($2,600), which is no more than a “slap on the wrist”. A recent study by NCC Group found that fines from the ICO in 2016 would have shot up from ￡880,500 to ￡69m if GDPR had been in force.

You cannot bluff your way out of it anymore.

A spokesperson told WIRED: “Following the data breach in December 2015, Wetherspoons has been reviewing all the data it holds and looking to minimise.

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”

So how on earth, will Wetherspoons have a conversation with customers? Simple.

Where are your customers pretty much all the time nowadays? On social media of course.

This is the email that Wetherspoons sent out. As you can see, they still will connect to customers on social. [Graphic below]

So what is GDPR?

The GDPR is a set of rules designed to provide clarity, transparency and protection for the personal information of all European Union (EU) citizens. It focuses on protecting this information from unauthorised access and ensuring customers understand and can control how their personal information is being collected, used and shared. Think of it as the IT world “growing up” and the recognition that it’s not fair that we are interrupted by companies. 

GDPR comes into effect on May 25, 2018 and will apply to any company world-wide that stores personal information of EU citizens. Any company that fails to comply faces the penalties detailed above. There is no room for “going rogue” from sales or marketing.

But that’s a year away

Maybe, but as Wetherspoons has found out, making sure that every (and I mean that spreadsheet on each sales person’s laptop) is compliant isn’t an overnight job.

Brexit – But we are leaving Europe

For those of us based in the UK, while we may be leaving Europe, if you want to do business in Europe we still have to meet European legislation. No different with cheese, cars or data.

This is all about good data practice

Several components of the GDPR revolve around ensuring companies have robust IT and security practices. The regulation offers specific time frames for reporting security breaches. Systems must be designed to ensure that personal information has high quality and accuracy, is consistent across databases, has adequate security and privacy protections, and provides clear data lineage. Processes must enable consumers to see, receive and correct (if necessary) all personal information stored in company databases. And direct accountability for oversight of all GDPR mandates must exist within the company in the form of a qualified Data Protection Officer.

This is about organisations having “best in class” processes around data and escalation points as well as the ability for employees to “whistle blow” on companies that are not compliant.

Can marketing still “wing it”?

Marketing can no longer rely on soft opt-in processes, lack of opt-out or simple blanket opt-in check box for all communication and analysis activities. At best communications, campaigns, web and mobile applications must ask for and store consent on a more individualized, action-oriented basis. Like Wetherspoons, for some companies it might be better to start again, or maybe rethink the way they have a conversation with their customers. For example, move from broadcast to conversation. 

And these consent forms must be captured, stored and auditable, so the company can prove when consent was given and for what. At worst, companies may need to review all customer databases to understand whether the consent they have obtained meets the GDPR requirements. This isn’t a five-minute job and as I say above, it includes checking that there are no rogue spreadsheets on sales laptops. Like health and safety, and confidentiality of documents and diversity, data impacts all employees.

In addition, ensuring clear communication to customers on how personal data is collected and used presents challenges, particularly when the use involves big data, artificial intelligence (AI) or machine learning (ML). These challenges are significant enough that the Information Commissioner’s Office has produced a 114 page guidance document on the subject.

Does all this sound like hard work?

Well it does to me. As Digital Leadership Associates (DLA) we connect with all of our customers and talk with them on social. We don’t have an email list. Because nobody reads emails anymore anyway!

If you would like help and advice around GDPR or help and advice on Social then give me a call – +44 (0)7823-534557.

Digital Leadership Associates: We are a Social Media Agency. We do three things: Social Media Strategy, Social Selling and Social Media Management. Drop us an email and let’s talk about how we can make an impact on your organisation.