Car dealers are being warned of the impact of forthcoming EU law on their freedoms to contact consumers – and the massive financial risk of ignoring them.
The General Data Protection Regulation (GDPR) will come into effect before the end of 2017, and the new required compliance standards contain several key points that apply to dealers’ marketing campaigns.
In the case of personalised communication, consumers must give permission for their personal behavioural and preference data to be used.
This does not apply to anonymised data.
Permission will need to be obtained when adding consumers to a database, or sending marketing communication. Businesses need to prove they have consent from all subscribers and consumers will have the right to have their data removed.
Failure to comply could result in every database used being erased and a fine of up to €100 million.
Anthony Hawkins, chief executive of data compliance specialist Verso Group, said proving consent, even if it was correctly obtained and meets the forthcoming data compliance standard, may be impossible for some companies.
Having a copy of opt in text used when gaining permission, plus the accompanying data file marked ‘opt in’ will not to be considered as having met the required level of proof. A completed consent form will be the only way to demonstrate the required ‘unambiguous’ permission has been given.
Also, the permission text previously used in gaining opt in consent may not be specific enough for future use.
In the past opt in text was often wrong, or too generic to stand up to the forthcoming compliance standards. Therefore, all opt in data should be reviewed for compliance, and where necessary refreshed.
“’The automotive sector is not alone in having to tackle EU compliance”, Hawkins said.
“More than 360,000 companies will have to audit billions of customer and prospect files to ensure they meet the new standard that will be overseen by the Data Commissioners Office. The new data law may seem distant, but for all manufacturers and dealers there is not much time in reality.”
Every customer file used for marketing will have to be audited for opt in permission because the chances are it will not meet the required new compliance standards.
After that there are two options: righting off non complaint data as unusable, or refresh consumer permission to the new standard, which in some cases will involve large scale activity, including the adoption of new software or appointing third party companies that can adequately store individual consumer consent forms.
“The sanctions will be too high to have choice in any of this.”
“The key is to find out the level of the task ahead, and create a plan. The smart move is to use data compliance as an opportunity to find out more about customers and prospects, and sell more by improving communication. If you have to contact consumers use it as a constructive process to discover more about what they need, what they want and what potential they have as customers. The benefit of creating more value from data should offset the cost of the compliance process,” said Hawkins.
Verso’s advice on preparing for the new data regulations
1. Appoint a compliance manager or third party with authority
Every company that uses consumer data should appoint an individual responsible for overseeing compliance practice. To be able to manage effectively, they will have to have the necessary seniority to work with heads of department. This means the appointment must have the appropriate authority.
There is a benefit to appointing a specialist data company to the role of overseeing compliance practice. It will provide objective auditing, and like any specialist agency, they will be able to give objective high level communications support, but in this instance within compliance regulation.
Data protocol should be clearly set out and made known to all marketing personnel with guidelines on what they can do in terms of data. Within those boundaries they will be free to plan and be creative. If they are constantly checking activity for compliance everything they do will be handicapped - it will not be possible for a marketer to undertake their role effectively if they have to continually research compliance limitations.
2. Do not leave compliance to the last minute
The likelihood of strict compliance enforcement and accompanying heavy penalties will combine with a possibility of a consumer right to obtain redress for misuse of their data. This could create a compensation trend similar to that of PPI. The risks for those that do not comply are likely to be significant just based on the sanctions available to the Information Commissioners Office.
The forthcoming law will mean change for every company that uses consumer data. In administrative terms, months of work may be involved, often involving changes to data software. Although the new EU law may not come into effect until 2017, it will take some marketing departments a full two years to prepare.
In this situation leaving compliance and associated marketing planning to the last minute, or even a six months period, is far too short for most companies to prepare. Preparation should start now.
3. Keeping what data you have
It is understood, but it has not been confirmed, that consumer opt in data collected in the three years prior to the introduction of GDPR can be kept and used even if it is not compliant with the new regulations. This measure is aimed primarily at smaller companies that do not rely heavily on data for marketing. Outside of the three year window data that does not conform to the new standard will have to be erased, or cannot be used.
Marketers should start auditing data for permission status. The most effective way to do this is to outsource it to companies with direct experience in generating permission based data capture. They will be able to plan strategy if permission needs to be refreshed.
4. Seek advice
Until now there have been limited amounts of leaked information about the forthcoming EU regulation along with general guidelines issued on what the likely changes are going to mean for marketers.
Now we can see the degree to which change will be required, and currently there are very few marketing departments that are equipped to manage what is to come. It is therefore important to take as much advice as possible, but only from established reliable sources. Inevitably an industry of compliance consultants of various types will emerge, but only those with an existing background in handling compliance involving high volumes of data and associated planning should be considered.
They will have a heritage in compliance preparation based on existing law, plus they will understand the current technical situation most companies find themselves in, and how change should be applied.
5. Obey the regulations
There will be a temptation to cut corners, or simply ignore some elements of compliance. This will be a false economy.
It is inevitable that all companies will come under scrutiny at some time. If a precedent is set of a consumer claiming a significant amount of money for damages in the misuse of data the floodgates will open. The risks of not becoming compliant are too high.
Just as important, not complying with the new regulation in full will leave marketing departments in a halfway house of uncertainty that is necessarily distracting. It is better to be compliant, brief all relevant personal, and work within guidelines. Uncertainty is damaging to work practice and moral, plus word will spread about poor practice.
6. Constantly review
It will be easy for companies to let slip data practice after achieving the compliance standard. It is human nature that not everyone will follow guidelines 100 per cent of the time. It means flaws will creep in.
Rather than undertaking major reviews every few years it will be more effective to have regular check-ups to constantly monitor data protocol. The use of qualified third parties that can objectively assess processes will be a good way of ensuring major compliance updates are not needed, plus they will also be able to provide advice on improving practices.
Finally, it is understood that there is likely to be a ruling that allows companies to keep and use data collected in the three years prior to the new regulation being introduced even if it does not meet the new terms required. All other data collected before then that does not meet GDPR criteria will have to be erased.
The actual law behind GDPR has yet to be passed, and the EU Parliament, Council and Commission each have different agendas, and have to agree on the final wording.
“Nevertheless, the core elements of the regulation as described above are accepted as the baseline on which new data compliance will be based,” Hawkins said.