Customer Permissions (the GDPR way)
What’s the state of your email junk folder? Mine is pretty active with various promotions for IT related products and services. Occasionally, I’ve given out my contact information in order to download a white paper or view a demonstration, and although I haven’t been asked if it was okay to forward my email address to other parties for their use, that certainly happened.
Such permissions---and lack of them---are addressed by the European Union’s General Data Protection Regulation. GDPR goes into effect in May 2018, and if you have any European customers, it does involve your operation.
One of GDPR’s main principles is that even though you maintain personal information for your customers, they retain ownership of it. Since the data isn’t yours, you can only use it for purposes the customer has expressly permitted.
We’re all familiar with those forms where the permission to send you additional email is automatically checked for you, as well as permission statements that are difficult to read or understand. GDPR does not allow permissions to be defaulted and requires that the language be clear. When I provide contact info to get a whitepaper, for example, GDPR says I should see something like: “I’d like to receive information about other IT products and services” and then I have to check a box to indicate my permission.
In Advantage, permissions settings can be recorded by channel. You can set up your own values for those settings---yes, no, internal only, etc. Those settings can be logged at the customer, list and product levels. This allows you to log that a customer is willing to be contacted by email, but perhaps just related to a specific publication.
Advantage also offers a more sophisticated feature that, in addition to allowing you to set up permission questions and define the valid responses, has the capability to derive from the customer’s responses what channel(s) and what level(s) they have given you permission to use. This retains a history of the responses along with the actual wording of the permission statement. (See the article “Customer Permission Settings” in Advantage online help for more information.)
Okay, so you can maintain permission information and, through Advantage’s various system integration features, it can be transferred to whatever marketing database you are using. Then, you need to use it, excluding customers each time who haven’t authorized that particular use of their personal information.
GDPR has the power to assess some very hefty fines, so you want to play nice. What exactly do you need to do to avoid fines in this area? Here’s a quote from Article 7 of the regulation.
Conditions for Consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
There are lots of interpretations out there on this statement. Does “demonstrate” mean “prove”? Do you need to be able to produce the actual permission statement the customer agreed to? In that case, there are Advantage features that can be used to do that. However, we suggest that if you have systems and procedures in place to maintain and utilize customer permissions, that should be enough to satisfy the “demonstration” requirement. But you may want to download a whitepaper or two on that. Just watch out for those permission statements!