How Digital Agencies can Avoid Heavy GDPR Fines

Four months on from the introduction of the General Data Protection Regulation (GDPR), has there been a material impact on marketing and advertising professionals? What effect is GDPR having on marketing agencies, especially those based in North America? We look at how the GDPR has made a permanent mark on the marketing industry.

The new legislation places a number of requirements on how agencies handle EU citizens' personal data. The GDPR enforces rules for the processing, collection, and transfer of personal data, replacing the outdated European Data Protection Directive from 1995. The stakes are very high for marketing agencies that depend on personal information to run campaigns and engage in various marketing activities. Digital agencies that do not comply with the GDPR may attract fines amounting to 20 million Euros or up to 4% of a company’s revenues.

Consumers are empowered with choice. For this reason, agencies have turned to new technologies and the use of data for informed decision making, tracking customer purchase behaviour, browsing history, location-based marketing, and social media. GDPR compliance and maintenance efforts depend on the degree to which your brand has been focused on customer privacy and security processes. For those just starting out, GDPR is likely to be an involved undertaking.

A June 2018 Demand Metric study reports that the top challenges of GDPR compliance are data management (44%) and acquiring consent from users (40%). Another 40% are blocked by technology barriers, 33% by resource constraints and 29% by retaining consent from users.

Online Ads and Consent

Online shoppers are targeted on Facebook and Instagram feeds by tailored, seemingly coincidental adverts based on what they have clicked on. These are not permissible under the GDPR unless consent is provided freely. Media buyer 7stars found that first-party retargeting was affected six weeks into the GDPR, with audiences dropping by up to 50 percent. However, when properly informed, users have shown a willingness to opt in.

Many eCommerce sites combine terms and conditions with a privacy notice which the average Internet user accepts without reading. However, the GDPR imposes stringent conditions for obtaining valid consent. Personal data can only be processed if a data subject (EU resident) has given active consent to the processing of their personal data for one or more specific purposes. The consent must be unambiguous and involve a clear affirmative action (an opt-in). These new limitations may drive agencies to undertake more traditional and less intrusive forms of targeted advertising for their customers.

Google Analytics

GDPR is set to drastically change the marketing landscape, and agencies must address and adapt to the new, more private online shopping landscape. Although agencies and their customers will still be able to see what the online buyer is purchasing, there will be less scope for them to closely track that buyer's browsing habits and history.

If you use Google Analytics, Google is your data processor and since they handle data from people all over the world, they’ve had to take steps to become compliant with GDPR standards. However, you/your customer are considered the data controller in this relationship and you will also need to take steps to make sure your Google Analytics account is set up to meet the new requirements. Audit all the data you collect to make sure it’s all relevant to its intended purpose and that you aren’t accidentally sending any personally identifiable information (PII) to Google Analytics. Sending PII to Google Analytics is against its Terms of Service.

Loyalty Schemes

Agencies often work with loyalty programs to tackle the volatile retail environment for their customers. GDPR introduces a new definition of “profiling”, which includes cases where data is collected in an automated form and used to predict or analyze the personal preferences of a customer. Is your agency engaged in profiling customers for your retail brands, such as through the use of loyalty cards or online behavioural advertising? If so, you must establish a legal basis before forwarding customers’ personal data to a third party such as a loyalty software partner.

GDPR will also expose your clients if their security systems are not as sophisticated as they should be. They will be required to notify regulators of any data breach within 72 hours, and in some cases they will be legally obliged to notify their customers too.

GDPR is a significant change and trying to grasp the full scope of its changes is daunting. FileOM provides expert GDPR consulting to help organizations meet obligations. Take advantage of a FREE 30 Minute GDPR Assessment for your business. Discuss the state of your compliance with a qualified Practitioner and learn what you need to do to become compliant.