No business will be left unchanged by GDPR. Publishers and events businesses that rely on large data sets are particularly vulnerable if they lack a solid strategy to deal with the emerging opportunities and threats.
Digital brands very reliant on advertising revenue will be particularly hard hit if Google gets away with its GDPR-instigated plan to force publishers to work with a limited number of ad-tech vendors.
For B2B, legitimate interest has been seen as the ‘get out of jail’ card and provided great relief. However, this still comes with a tranche of GDPR compliance requirements and tasks.
But those companies that are focused only on ticking the boxes in their compliance checklist are making a gross misjudgement. There is a lot to be gained, in terms of sustainable growth and competitive advantage, from aligning your whole business strategy with GDPR.
Three critical insights
As the MPG team has worked through a number of GDPR projects over the past few months, we’ve identified three essential things business leaders need to acknowledge about GDPR and its impact:
- The individual elements of GDPR are not difficult to understand or execute. But, even for small businesses, once they are combined as comprehensive GDPR compliance project there is a lot to do, and a range of interdependencies and decisions to be made. Getting your tech, data flows and processes fully lined up to become and remain compliant takes time and money, and if done well, should reap great rewards.
- Every organisation has a different starting point and end goal. A good GDPR compliance strategy will take these in to account, while balancing commercial risk with legal risk. So, it’s not a simple ‘box ticking’ exercise to be swiftly delegated down the line. Those who treat it as such are missing a golden opportunity to get their platforms and data in to good shape for future success.
- The winners in B2B media will be those who already have a brand-led gated ‘content and community’ model or can relatively quickly put one in place. But this is only possible if your audience prizes your brand’s content and community and trusts you to use their data to consistently serve up timely, unique and valuable information and connections.
As 25th May is nearly upon us, most business leaders will want to first ensure the following most urgent compliance tasks have been completed:
- Decisions made on which of the six lawful bases for processing personal data will be applied to customers and prospects. Usually, current customers who have signed up for a paid for service can be dealt with on a ‘contract’ basis, whereas others can generally be processed under ‘consent’, or if B2B ‘legitimate interests’ is also an option. If you have chosen legitimate interest, make sure you do a legitimate interest assessment.
- Ensure you have a privacy notice on your website that explains, in plain language, what you do with personal data of customers and prospects. See the ICO’s guidance on how to do this. Link the cookies message on your website and a message below all data capture forms on your website to this privacy notice.
- Under the ‘right to be informed’ requirement, send an email to all customers/prospects data (not under contract) you wish to continue processing after 25 May:
- If you’ve chosen legitimate interest: informing them you intend to process their data and why, letting them know why you have their data in the first place, what you intend to do with it and giving them the opportunity to ‘opt out’ of the relationship
- If you’ve chosen consent: asking them to consent (or re-consent) based on information you have included in your new privacy notice.
Getting these three things done by 25 May will not make you GDPR compliant but will certainly help mitigate the risk around non-compliance.
GDPR’s strategic opportunity
The most successful organisations are looking beyond GDPR compliance requirements to the strategic opportunity: to build stronger, more engaged audiences that become valuable communities. To achieve this, it is essential to get your strategy right around gated content and networking opportunities for a curated audience. In other words, using a combination of free and paid for content with subscriptions products and events to attract a defined group of business people with common challenges and who get value from intelligence and connections you can provide via a ‘community-led platform’ or membership model.
The holy grail is being able to directly monetise such a membership model via intelligence-led subscription products and ‘must attend’ events, with further revenue possibilities from limited number of premium packages for carefully selected vendors to access the community.
Organisations that have, or plan to religiously pursue this holy grail will understand the value of the new regulations. GDPR rewards companies that build strong customer relationships and trusted brands, and who also put the tech and processes in place to look after these relationships.
In order to take advantage of the rewards GDPR can offer, a commitment to full compliance is essential.
A practical and comprehensive approach
Under the new laws, every organisation that handles customer/prospect data needs to comply fully with GDPR. There are no short cuts and no exceptions.
Even companies not compliant by 25 May should commit to working towards comprehensive GDPR compliance – to operate lawfully and to take advantage of the opportunity to put in place and execute a winning strategy.
So that you can understand the ‘shape and size’ of a GDPR compliance project, here is an outline of four of the main compliance project elements:
- A data protection plan: MPG’s template contains 48 tasks in 5 categories: accountability, external visibility, suppliers, relationships with other companies, international data transfers and staff training.
- A map of customer/prospect data you collect, process and store
- A database of suppliers, as well as a supplier questionnaire completed by and data processing agreement signed by all suppliers that process data on your behalf
To get things done you need to take the following steps:
STEP 1: Appoint a senior executive to take ongoing responsibility for data protection.
STEP 2: Set up a formal and dedicated GDPR compliance project, sponsored by senior management and supported from the whole organisation.
STEP 3: Determine the skills and resource levels you will need to plan and implement your GDPR compliance project.
STEP 4: Allocate a dedicated budget for your GDPR compliance project.
STEP 5: Start!
There are no loopholes, quick fixes or short cuts. GDPR will arrive on 25th May and will be here to stay. Those who tackle GDPR head on – strategically and comprehensively – will be rewarded.