A new European Union law called the General Data Protection Regulation, GDPR for short, went into effect on May 25, 2018. The law regulates the processing and security of personal data and the rules relating to the free movement of personal data of the citizens and residents of the 28 territories that comprise the European Union (EU). GDPR replaces a previous EU rule known as the 1995 Data Protection Directive with a stronger, more severe and potent legal framework. It was passed a few years back by the European Parliament and the Council of the European Union on April 27, 2016, giving businesses adequate time to comply and reorganize their operational procedures around data protection.
It is more than likely you are already somewhat familiar with GDPR through the websites and social networks you frequent on a daily, if not hourly, basis. Nearly all global businesses, like Amazon, Google, and Facebook, have made modifications to their terms of service and privacy statements to comply with the new responsibilities of GDPR. And almost all use our personal data, like cookies, to monitor and understand our behavior when we visit their websites through a desktop or mobile device. Cookies are only one type of personal data covered under GDPR. A person’s name, email address, location, even dietary restrictions, age, and ethnicity are all impacted by GDPR.
While organizations of all sizes are scrambling to comply with GDPR, others are ignoring it altogether, particularly those located within the U.S., thinking they are totally excused from responsibility. Statements like “it probably doesn’t impact your firm” or “unless you’re doing business in the EU” make me want to cringe. This type of myopic thinking can get a firm, especially a fiduciary financial advisor, into serious trouble in a post-GDPR world, where widespread adoption touching 508 million people and beyond will have serious implications for what our clients expect (aka demand) from us.
In an industry that relies on digital technologies to collect various forms of personal data for new client acquisition, my position as a marketing expert is to be proactive rather than reactive when it comes to GDPR. Although keeping abreast of all things GDPR is best done with professional compliance guidance and legal counsel, a visit to the official EU website on data protection reform is a helpful first step.
Here too are my 5 Tips for Marketing in a Post-GDPR World.
1. Schedule an internal meeting with your Chief Compliance Officer, Chief Technology Officer, Chief Operations Officer, and Chief Marketing Officer. GDPR outlines the rights of individuals around their personal data (any piece of data that can be used to identify a person) as well as the collection, transmission, storage, changing, and erasing of that same data. In firms, data aggregation is not relegated to a single unit or a single individual but rather intersects all functional elements of the business, including compliance, technology, operations, and marketing. The effects and implications of GDPR should therefore be evaluated under each lens of the business in order to identify fundamental risks and a priority action plan aimed at reducing those same risks.
2. Include a Privacy Statement on Your Website. A Privacy Statement is one of the most important documents of your firm and is a best practice. Unfortunately, I see many firms, even good ones, lack this information on their website and therefore lose a critical opportunity to be transparent. Under GDPR, a business’s privacy notice is a good first step at proving compliance. Your firm’s Privacy Statement should reflect your site’s data collection practices and spell out the types of information, such as names, email addresses, and phone numbers, you collect from visitors to your website. In addition, an effective privacy statement outlines how personal information is collected, such as through a newsletter sign-up form, how it is used, and who has access to it.
3. Buy an SSL Certificate and Switch to HTTPS Protocol. An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and creates a secure link between a website and a visitor’s browser. Nearly all top websites use SSL protocol, indicated by the sign of a padlock next to the word “Secure” and the “https” in the address bar of the browser. Clicking on the word Secure allows a website visitor to view a copy of the site’s security certificate and the cookies in use, and to block or remove them. The use of SSL helps organizations of all sizes (including mine) to be GDPR ready and should be used by all financial advisory firms as another best practice.
4. Use an Email Marketing Platform that Is Focused on GDPR. Leading firms use email marketing platforms like MailChimp and sophisticated marketing software like HubSpot to create content-rich marketing campaigns, landing pages, and marketing automations. In anticipation of GDPR, these platforms released updates and made modifications in their tools, for example GDPR-friendly forms and pop-ups, to address data collection and compliance. An important feature of email marketing platforms that is good for firms is a double opt-in setting for mailing lists and an export feature proving consent.
5. Upgrade Your Firm’s Technology, Particularly Your CRM. For leading firms, Client Relationship Management (CRM) software technologies aka Software as a Service (SaaS) like Redtail, Junxure Cloud, and Salesforce are deemed indispensable at helping firms to manage large amounts of customer data. These same organizations continually implement technical upgrades and tools related to GDPR, such as internal processes, security and data transfers, that an email platform alone, like Microsoft Outlook, can’t match. As compliance requirements for firms become more complex and technical in nature, financial advisory firms must continue to upgrade their technology stack as a best practice and to continually guard a client’s fundamental right to the protection of personal data concerning him or her.
As a final note about marketing in a post-GDPR environment, I think article 4 on page 2 of the Official Journal of the European Union, dated April 5, 2016 sums it all up: “The processing of personal data should be designed to serve mankind.”
Whatever you do, don’t make the mistake of thinking this doesn’t apply to you, your firm, and especially your clients.