- Data privacy regulations are being enacted around the globe. These will significantly impact Marketing’s current data management practices.
- The Marketing Operations leader must accept a pivotal role and represent Marketing to the wider company as it prepares for data privacy compliance.
- Marketing Operations must take action across the marketing data life cycle of intake, storage, usage, maintenance and deletion to drive compliance.
By May 25th 2018, all companies, irrespective of headquarters location, that control or process the personal data of European Union (EU) citizens must comply with the strict personal data privacy regulations of the European General Data Protection Regulation (GDPR) or risk facing fines of up to €20 million or 4% of worldwide revenues (whichever is the greater). This law requires that companies – even in the B2B arena – place emphasis on data subject consent or legitimate interest when processing personal data, a term whose definition in the EU is far wider in scope than current PII definitions in the US.
Company legal and IT teams will commonly conduct vital tasks such as safeguarding the security and integrity of company data and ensuring that data breach processes are foolproof and that external reporting processes meet the required standards. However, insufficient consideration of the impact of GDPR on marketing activities may leave marketing scrambling too late to find the time, resource and investment to be compliant.
Marketing Operations (MO) must now show leadership and secure senior executive support for the implementation of company-wide policies that drive the adoption of permission based marketing data management.
The severity, reach and importance of GDPR offers the MO leader an opportunity to be a catalyst for compliance and, importantly, business improvement, across the 5 key areas of data lifecycle management, namely data intake, storage, usage, maintenance and disposal.
To help B-to-B marketers on the journey to compliance, SiriusDecisions introduced the Data Compliance Model (see diagram) to allow marketing leaders to grasp the key elements that must be considered to drive a compliant marketing engine. At a tactical level, the company will look to marketing operations leaders to be ready to deliver detailed action plans. The company must audit existing data intake and storage policies and oversee the ongoing maintenance (including data disposal) practices to ensure continued cross-organizational data compliance.
1: Data Intake
To achieve or maintain data compliance, companies must ensure, with a high degree of certainty, that all data that enters their systems is captured with the necessary compliance checks in place.
Define which personal data will be collected and for what purposes it will be used, for example, marketing campaigns, contract fulfillment, delivery to 3rd party channel etc. Provide a comprehensive list of all “ports of entry” for data such as web-forms (across all domains / micro-sites etc.), chat, event lists, data append routines, manual entry etc. Per contact record, ensure that the chosen basis for future processing of the personal data is clear.
2: Data Storage
Organizations must have complete visibility of all the personal data they hold on a prospect or customer.
For those applications for which the marketing function is directly responsible and accountable to the company, full data storage, transfer and breach protocols must be implemented. The more common scenario, however, is that ultimate responsibility for marketing systems is handled by a centralized IT function and includes the use of cloud-based solutions. In this case the MO leader must coordinate process activity with IT teams to ensure compliant
3: Data Usage
Provided at least one of the conditions for lawful data processing has been met, a company can market to contacts until such time that the chosen method is no longer valid.
The MO leader must oversee the creation of internal data usage guidelines, including escalation procedures. Externally, communicate the company’s privacy position and practices to the market in general and to each contact in particular; for example, state in email footers the selected reason for communicating with the contact, link to a preference center and display ‘Trust Marks’ prominently.
4: Data Maintenance
As part of standard marketing data management responsibility, the MO team will continually undertake data curation duties, including data quality, unification and distribution activities.
Provide quantifiable goals for how data management activities enhance the compliance quality of the data records, and note the auditing and validation steps being taken to avoid any reduction of the current compliance quality via data import or system synchronization. Similarly, document process steps designed to ensure compliance of any anonymous data that is transformed via appending actions to become personal data under GDPR. In addition, monitor the ongoing applicability of the selected contact communication method (including consent renewal, change of lawful basis etc.) and offer process steps to be followed by the marketing team to ensure this is recorded correctly.
5: Data Disposal
Marketing functions, having grown up with the attitude that any data they collect, they own forever, must change to the new reality that a) consent can come with an expiry date and b) the company may now be required to prove that all copies of a person’s data have been deleted.
Work with the IT team, legal counsel and the appointed data privacy office to draw up guidelines and processes for the archiving, lawful encryption and permanent deletion of marketing data, and to define the circumstances under which each must be applied. Introduce “marked for deletion” processes for marketing contact data. Together with the company data privacy officer, create the process by which the marketing function can respond (execute and report) to all external data deletion requests.
Although failure to comply with the legal mandate could expose a company to severe fines, embracing compliance and building a permission based approach can bring substantial benefits. For reputation efforts, having a contact’s permission offers a greater ability to personalize communication and instill contact confidence and trust in the company. Missing the target with irrelevant or unwanted communication risks costly damage to the brand and frustration among recipients. Contacts who have provided permission are also more willing to engage and share further information, such as content preferences. This enables marketers to tailor messages, identify a contact’s position in the buyer’s journey, and target marketing investments more effectively. Working with a high proportion of actively opted-in contacts means that outbound tactics will enjoy lower bounce rates, avoid spam traps and see an increase in sender metrics and open rates. By weeding out poor data, a move to permission marketing can also reduce MAP fees charged by the record.
During the early 1970s, governments across the globe gradually introduced seat belt laws for both car drivers and passengers. Despite protests at the time about the restriction to personal liberty and the necessity of strict regulation, the use of seat belts is now seen as so clearly beneficial that any journey without wearing one is practically unthinkable. I suspect we will think of privacy regulations in a similar light in 5 years’ time.
Julian is a Senior Research Director within the Marketing Operations Strategies service within SiriusDecisions. Julian left his native U.K. in 1989 to live on the European mainland and now has 30 years of international b-to-b demand creation and measurement experience within corporate and pan-European field functions.
Prior to joining SiriusDecisions, Julian was a global industry marketing director for business application provider Lawson Software (and Infor after it acquired Lawson Software). He was part of the leadership team for a key manufacturing and distribution segment and managed the trans-Atlantic team responsible for go-to-market demand strategy and execution.