Ensuring GDPR marketing compliance across a multi-sales channel organisation
This market leading financial services client had a requirement to be compliant with the new General Data Protection Regulations (GDPR) before they came into effect in May 2018. The organisation had a number of different sales channels (direct to consumer, financial adviser, corporate and tied advice) and each of these channels onboarded and treated their customers differently. Added to this, the customer database, which was in excess of 5m individuals, went back many years and in a significant proportion of cases, the original data protection agreements with customers were either not available or the customer had purchased prior to any data protection legislation being a requirement.
The challenge was to understand this complexity and to ensure as many customers as possible became available for marketing under the new GDPR rules. In addition, there was a requirement to ensure ongoing compliance under the 2003 Privacy and Electronic Communications Regulations (PECR) which covers email, SMS and telephony marketing.
An enterprise wide GDPR project was set up with a specific Consent workstream which covered all marketing communications with customers. Working closely with Marketing, Risk & Compliance, Legal and Information Risk & Security, the starting point was to understand the different sales channels, the marketing they have undertaken in the past and what is planned in the future, the Privacy Notices, if any, that customers have been provided with and the requirements needed to ensure full compliance.
A lot of this initial work was done as the ICO were still making amendments to the regulations so there was also a requirement to keep up to date with any changes which may affect the proposed solution.
It was agreed that there was a group of customers who would require to actively consent to marketing whereas other groups were able to rely on Legitimate Interest as the legal basis for processing data, depending on the type of communications that were being sent. For the group that required specific consent, a series of mailings and emails were planned. The customer was given the opportunity to set their marketing consent either by returning a coupon, going online to a Preference Centre which was built specially for the campaign or by telephone. Different creative was tested and the ‘winner’ was used in the follow up pack.
For the group that were relying on Legitimate Interest, the ICO’s Legitimate Interest Assessment was adapted and put into all campaign briefs, thereby ensuring that there was an audit trail of the decision process should the regulators ever question any communications.
Finally, a bank of Privacy Notices was written which were all compliant with GDPR and these were made available to all customers. Because of the complexity of sales channels and types of interaction, there were around 12 different Notices produced and made available.
The company was compliant with GDPR by the 25thMay 2018 deadline. The mailings to the Consent group achieved a remarkable 35% response rate with a 90% marketing opt-in. GDPR has been fully embedded into all marketing activity and all staff were required to pass a CBT in the subject to increase awareness and knowledge. The exercise to ensure the company was still compliant against PECR was also successful and the marketing team now have a thorough understanding of the consent rules around email, SMS and telephony campaigns.