No, I’m not referring to Facebook scandals. The DATApocalypse I’m referring to is the upcoming May 25 deadline for General Data Protection Regulation (GDPR) compliance enacted by the countries of the European Union. The GDPR is a global regulation designed to enhance the protection of its citizens’ personal data. Under the regulation, personal data represents any information that is captured or assigned or affiliated with a consumer. This includes the basics – name, email, address and phone number – and the technical: IP address, device ID and cookies; in essence, anything and everything that enables a marketer or marketing service to identify a consumer.
Now for why I consider this the harbinger of a DATApocalypse.
What will come to be in the E.U. has global implications. There is a reason they titled the regulation the way they did. ALL E.U. citizens, no matter where they live, even those with dual citizenship, are protected under this legislation. And, while many companies may say “I only operate in the U.S., so I should be safe,” this is not so. Do you know explicitly WHO within your marketing and media databases holds E.U. citizenship? I’m guessing the answer for most travel marketers is no.
In the U.S., our laws are much less strict. For now. We can get by marketing to individuals who have requested materials from us, opted in to our email newsletter, stayed at our property in the past, visited our website, were shown an ad, clicked on a native placement, browsed our social feed, watched our commercial…the list goes on and on. For now, we can freely take this data and share it broadly among a host of partners, we can use it to model for look-alike prospects, and we can store it for direct marketing purposes. We can also enhance this data or extend the data points we have on individual records. All of the above is well and good and within the law – until a person with dual citizenship residing in the U.S. files a complaint.
To survive the DATApocalypse, some due diligence is required from ALL parties that have handled or will be handling your customer data for marketing purposes.
What to do and do now! (No, don’t stockpile bottled water and freeze-dried food.)
Get to know your data ecosystem!
FYI, your MMGY Global teams are already deep into readiness exercises for web, media, CRM and social channels. If you haven’t heard from us yet, you will very soon.
Consider conducting a data-mapping exercise:
- What data are you collecting?
- How are you collecting it?
- Where is it stored?
- Who can access it, and what usage rights do they have?
- What is the intended use of the data in all scenarios?
Consider reconfirming consent:
- Has the end consumer supplied permission for the data you have captured to be used in the ways you intend?
- If you don’t know, then consider executing a another opt-in campaign.
For instance, we are preparing an email to go out to the “unknowns” in our and our clients’ databases. We will use this email to explain our preparation for GDPR and ask for these contacts to verify consent. This will link to a landing page with opt-in language and an updated privacy policy.
In addition to this communication and updating your website with a new privacy policy and opt-in language, consider adding a cookies disclaimer and a consent to accept cookies form.
See here for an example of the requirements and functionality or developers will be leveraging.
Here is some example cookies consent language from Facebook:
“We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. [See details – link to your privacy policy.]”
Know Their Rights:
- Right to Access
E.U. citizens need to be able to request their data and have it delivered to them. Follow these instructions from Facebook to see how this is set up on their platform.
This does not explicitly require that ALL their data be delivered (cookies, etc.). It just requires that the data controller provide what they have, how they got it, where it will be used and how long it will be used. Most of these details should be integrated into the privacy policy.
- Right to Be Forgotten
E.U. citizens should also be able to request that their data be “forgotten,” i.e., deleted. In most cases, a standard “unsubscribe” or opt-out will start this process. This will also require regular updates of data being used by partners for direct marketing purposes. Our CRM, social and media teams will reach out where appropriate to describe this process.
MMGY Global takes consumer privacy very seriously and always has. We are looking at these regulations as an opportunity to improve data governance across our organization and on behalf of our clients. Please reach out with questions, and stay tuned for updates.
You can stop building your bunker now.