Data Privacy Regulation: Three Steps to Transforming Your Organization

It is widely accepted that by the end of 2015, the new EU General Data Protection Regulation will become law across all 28 EU countries. This law (not simply a directive) will make no distinction between b-to-b and b-to-c commerce with regard to data restrictions and will affect both the capture and storage of personally identifiable information (PII) data (e.g. full name, job title, work email, phone, IP address) by any organization located anywhere in the world of any citizen of any country within the EU. The storage and use of such personal data will only be legal with the “explicit consent” of the individual, and thus strengthens the move of direct marketing from being an opt-out system to a permission-based practice. This will change the way businesses approach their marketing and sales strategies.

How should organizations develop a company transformation policy to effect the changes required?

The process of transformation will inevitably require high-level executive sponsorship and effective change management expertise and leadership. Pragmatic steps require attention to initial planning, followed by a rollout of policies including feedback loops to optimize and fine-tune processes.

Plan. Segment your markets by jurisdiction, gather the pertinent regulatory facts and invest in appropriate legal counsel. Understand the extent of current internal data governance policies and their geographic scope. Assess current adoption of the policies across the organisation. Assess the current level of permission-capture activities and the technology that is used to store and monitor each record.

With legal counsel guidance, define a data policy aligned with each legal jurisdiction or cluster as appropriate. With continued executive sponsorship in place and the facts at hand, begin implementation planning, which must include the definition of permission-marketing objectives.

Review all new technology deployments and contracts for external marketing services for any detrimental or risk-bearing consequences to your stated privacy policies. Your organization has legal responsibility for emails sent in your company name and for any data your organization owns, even if it is physically stored by a third party.

Execute. The drive to gain permissions is a company-wide responsibility and requires the cooperation and joint efforts of many functions. Data storage procedures, campaign activities and program tactics, must all be designed or adapted to support permission capture. Systematic and measurable metric reporting (e.g. percentage permission marketable contacts) must be implemented.

Optimize. The regulatory landscape is in a state of flux. Company growth and restructuring lead to a constant risk of slackening of practices. To this end, the officers charged with data compliance must remain rigorous in keeping abreast of new laws and in refining and enforcing governance processes throughout the organization. However, a policeman-like role will not help grow the business, and thus new approaches to capture and nurture (e.g. “in product” communication) need to be considered.

The lines that define what constitutes personal privacy are constantly being redrawn. Shifting cultural norms, extended regulations, challenges to existing and proposed legislation, and a high degree of law enforcement mean this is likely to continue. An organization can ensure continued compliance by adopting an approach to market communication built around policies that require the capture of contact-expressed consent. 

Note that SiriusDecisions is not a firm of legal advisors and does not offer legal advice. For the interpretation of data storage, privacy and email legislation and regulations within a specific country or jurisdiction, we recommend consulting legal counsel. No legal liability is implied or accepted by SiriusDecisions in connection with the information provided in this blog.

We will be presenting on the topic of data privacy at our Summit Europe this 19-20 October. Learn more about the session titled "Combatting Data Privacy Issues Through Better Inbound Marketing" and register for this must-attend event.

Editor's Note: Learn more about the event or join us at our next Summit Europe by clicking here.