How SMEs can bend GDPR to an advantage
Avoiding news about the European Union's General Data Protection Regulation (GDPR) has been impossible in the past two years, unless you've been living under a rock. By now it's probably possible to fill up the space between the Earth and the Moon with everything that's been written about it, so we will try to be brief, practical and clear.
What is GDPR?
The GDPR aims to better protect personal data of citizens living in the European Union. This covers half a billion people, which is 1/16 of the world's population but 1/5 of the world's economy. The Regulation rules the following data to be private: basic identity information, IP address, address, health data, political opinions and sexual orientation. It becomes law in all EU states on May 26, 2018.
Companies may use this data only with explicit consent from the user, and the user can withdraw this consent or ask for the data to be deleted at any time, a.k.a. "the right to be forgotten". Companies that fail to protect sensitive data (e.g. in a hack or leak) or use user data without permission can get a penalty of up to 4% of their yearly sales volume, or €20 million, whichever is the higher amount.
What is GDPR?
The GDPR aims to better protect personal data of citizens living in the European Union. This covers half a billion people, which is 1/16 of the world's population but 1/5 of the world's economy. The Regulation rules the following data to be private: basic identity information, IP address, address, health data, political opinions and sexual orientation. It becomes law in all EU states on May 26, 2018.
Companies may use this data only with explicit consent from the user, and the user can withdraw this consent or ask for the data to be deleted at any time, a.k.a. "the right to be forgotten". Companies that fail to protect sensitive data (e.g. in a hack or leak) or use user data without permission can get a penalty of up to 4% of their yearly sales volume, or €20 million, whichever is the higher amount.
Will permission-based data ruin my marketing plan?
No, of course not. You will still be able to analyze website traffic, user behavior or build a sales funnel based on incoming data. However, for some parts of your analytics and customer engagement, you will have to proceed with more care. Some data you use will have to be anonymized, for example, and analytics engines are already doing a lot of work in this.
This isn't a bad thing per se. For instance, if newsletter subscriptions happen on an opt-in rather than an opt-out basis (as required by the GDPR), you know that those who opt in are definitely interested. In other words, your signal to noise ratio in marketing becomes better.
"A customer wants their data. Now what?"
The first thing you should take care of is that you know where your data is. Smaller companies often have the advantage here, but it pays dividends to centralize your data storage that you use for your sales, marketing or business intelligence. Second, make it so that the data bundles are secure and transportable.
Why 'transportable' and what does that mean? It means you can hand over the package of data almost immediately and in a format your customer will understand. If you have to spend hours collecting information from 5 different systems and industry-specific file types, you're on the wrong track.
No, of course not. You will still be able to analyze website traffic, user behavior or build a sales funnel based on incoming data. However, for some parts of your analytics and customer engagement, you will have to proceed with more care. Some data you use will have to be anonymized, for example, and analytics engines are already doing a lot of work in this.
This isn't a bad thing per se. For instance, if newsletter subscriptions happen on an opt-in rather than an opt-out basis (as required by the GDPR), you know that those who opt in are definitely interested. In other words, your signal to noise ratio in marketing becomes better.
"A customer wants their data. Now what?"
The first thing you should take care of is that you know where your data is. Smaller companies often have the advantage here, but it pays dividends to centralize your data storage that you use for your sales, marketing or business intelligence. Second, make it so that the data bundles are secure and transportable.
Why 'transportable' and what does that mean? It means you can hand over the package of data almost immediately and in a format your customer will understand. If you have to spend hours collecting information from 5 different systems and industry-specific file types, you're on the wrong track.
The ethical differentiator
The GDPR does mean you will have to work a little harder to get data from prospects and customers, but again, this is not an obstacle that can't be overcome. It means you will have to think about the advantages you can offer people if you keep their data — e.g. tell them they are entitled to tailor-made promotions, local coupon codes or bundles only available to their market segment.
In addition, if you tell prospects upfront what you will be using their data for, this may come as a reassurance. In times where privacy and data abuse scandals run rampant, transparency is a breath of fresh air. Research from Mintel suggests 56% of consumers will not buy from businesses involved in unethical practices.
How is this different from gating?
Gating refers to a marketing practice where people need to enter data to access content, e.g. news websites offering full articles only to readers who pony up personal details. While this seems similar to opting in to get extra content, it is actually the reverse: with opt-in, you offer visitors a chance to stay connected and get relevant information, whereas gating uses personal data as a prerequisite for the user to get the content they came for in the first place.
As a side-note, gating is a hotly contested issue in the field of marketing, but the general rule of thumb is that gating your content is a terrible idea if it comes too early in your sales funnel. Users who already understand the value your products or services bring and have a level of commitment to you are more likely to share their data. Otherwise, you're driving away potential customers.
The GDPR does mean you will have to work a little harder to get data from prospects and customers, but again, this is not an obstacle that can't be overcome. It means you will have to think about the advantages you can offer people if you keep their data — e.g. tell them they are entitled to tailor-made promotions, local coupon codes or bundles only available to their market segment.
In addition, if you tell prospects upfront what you will be using their data for, this may come as a reassurance. In times where privacy and data abuse scandals run rampant, transparency is a breath of fresh air. Research from Mintel suggests 56% of consumers will not buy from businesses involved in unethical practices.
How is this different from gating?
Gating refers to a marketing practice where people need to enter data to access content, e.g. news websites offering full articles only to readers who pony up personal details. While this seems similar to opting in to get extra content, it is actually the reverse: with opt-in, you offer visitors a chance to stay connected and get relevant information, whereas gating uses personal data as a prerequisite for the user to get the content they came for in the first place.
As a side-note, gating is a hotly contested issue in the field of marketing, but the general rule of thumb is that gating your content is a terrible idea if it comes too early in your sales funnel. Users who already understand the value your products or services bring and have a level of commitment to you are more likely to share their data. Otherwise, you're driving away potential customers.
The final case for transparency
Many companies struggle with transparency. How to do it? Should we write our own privacy policy? Aren't we giving information to competitors? These are all natural concerns, but they matter way less than businesses fear. What does matter is projecting an image of trust. Customers realize their data is valuable, so if you can explain to them in layman's terms what you're going to do with that data, that's a win.
Another component in building trust is simply asking for permission. That goes beyond an opt-in process to get newsletters. You can link it to value, e.g. saying you'll be able to give customers more products and services that fit their profile, or be clear and say you'll send them five e-mails that will talk about your secret to success.
Respecting privacy is a must, showing value is better
The days of overly commercial marketing are numbered. People know that game. To stand out, you need to demonstrate the value you can bring to your customers. Smaller businesses (defined as companies with less than 250 employees) are not as restricted by the GDPR as bigger businesses are. They must still have internal records of data processing and protect data that, when exposed, would violate an individual's privacy rights (e.g. your customers' sexual orientation, religious beliefs, health records, genetic data or criminal records).
An ironic problem of the information age is that businesses, organizations and other entities tend to keep entirely too much data, flooding their systems with information that they will never use or are useless to their business. If you can cut these data mining sources that are of no value to your business as a first step, that's a first win.
Many companies struggle with transparency. How to do it? Should we write our own privacy policy? Aren't we giving information to competitors? These are all natural concerns, but they matter way less than businesses fear. What does matter is projecting an image of trust. Customers realize their data is valuable, so if you can explain to them in layman's terms what you're going to do with that data, that's a win.
Another component in building trust is simply asking for permission. That goes beyond an opt-in process to get newsletters. You can link it to value, e.g. saying you'll be able to give customers more products and services that fit their profile, or be clear and say you'll send them five e-mails that will talk about your secret to success.
Respecting privacy is a must, showing value is better
The days of overly commercial marketing are numbered. People know that game. To stand out, you need to demonstrate the value you can bring to your customers. Smaller businesses (defined as companies with less than 250 employees) are not as restricted by the GDPR as bigger businesses are. They must still have internal records of data processing and protect data that, when exposed, would violate an individual's privacy rights (e.g. your customers' sexual orientation, religious beliefs, health records, genetic data or criminal records).
An ironic problem of the information age is that businesses, organizations and other entities tend to keep entirely too much data, flooding their systems with information that they will never use or are useless to their business. If you can cut these data mining sources that are of no value to your business as a first step, that's a first win.
Data Protection Officers: do I need one?
It's a common misconception that small businesses don't need a data protection (or compliance) officer, because whether you need one depends on the data you collect, not the size of your business. For the average online reseller of commodities such as toys, furniture, food or clothing, this isn't going to be much of an issue.
For small companies that do deal with very personal data, e.g. labs that offer DNA analysis or notary offices, this will be necessary. As to companies that process other businesses' data, "this is for you, too," the European Union states on its website. The good news is that organizations may share the same data protection officer, as long as that person is reasonably available to their employers.
Online shops and privacy
All e-commerce platforms collect some manner of data. Our Sayl Retail platform stays well within bounds of the GDPR, as do widely used data analytics solutions like Google Analytics, but it could be worthwhile to check if your other systems (e.g. your CRM, marketing automation, other interactive systems) do, too.
After all, it's all well and good of your online pop-up shop isn't creeping up on its clients, but if some other part of your website lowers your consumers' trust, they will become hesitant to shop with you. This may include retargeting ads, which Sayl Retail does offer in its more expansive subscription models — this will require consent from your visitor, as well as transparency about you're going to do with their data.
What happens when people enter their address in a Sayl Retail shop?
This counts as personal information, so you have to inform your customer what you'll do with this data other than use it for delivery purposes, e.g. with a link to your privacy policy in a thank you e-mail. You can also include it in the footer of your mail, or even include an opt-in checkbox that lets your customer give you consent to use their data for marketing purposes.
As said in the first part of this blog, it's a good idea to expand on what these purposes are. You can entice your customer with coupon codes, promotional actions only aimed at them, and so on. In fact, Sayl Retail can help you with this — you can set up a separate pop-up shop specifically for this 'opt-in' segment and make them feel like VIPs.
It's a common misconception that small businesses don't need a data protection (or compliance) officer, because whether you need one depends on the data you collect, not the size of your business. For the average online reseller of commodities such as toys, furniture, food or clothing, this isn't going to be much of an issue.
For small companies that do deal with very personal data, e.g. labs that offer DNA analysis or notary offices, this will be necessary. As to companies that process other businesses' data, "this is for you, too," the European Union states on its website. The good news is that organizations may share the same data protection officer, as long as that person is reasonably available to their employers.
Online shops and privacy
All e-commerce platforms collect some manner of data. Our Sayl Retail platform stays well within bounds of the GDPR, as do widely used data analytics solutions like Google Analytics, but it could be worthwhile to check if your other systems (e.g. your CRM, marketing automation, other interactive systems) do, too.
After all, it's all well and good of your online pop-up shop isn't creeping up on its clients, but if some other part of your website lowers your consumers' trust, they will become hesitant to shop with you. This may include retargeting ads, which Sayl Retail does offer in its more expansive subscription models — this will require consent from your visitor, as well as transparency about you're going to do with their data.
What happens when people enter their address in a Sayl Retail shop?
This counts as personal information, so you have to inform your customer what you'll do with this data other than use it for delivery purposes, e.g. with a link to your privacy policy in a thank you e-mail. You can also include it in the footer of your mail, or even include an opt-in checkbox that lets your customer give you consent to use their data for marketing purposes.
As said in the first part of this blog, it's a good idea to expand on what these purposes are. You can entice your customer with coupon codes, promotional actions only aimed at them, and so on. In fact, Sayl Retail can help you with this — you can set up a separate pop-up shop specifically for this 'opt-in' segment and make them feel like VIPs.
Risks and rewards of outsourcing
If you have contracts with companies or service providers who are GDPR-compliant themselves, it may become an attractive idea to outsource GDPR compliance wholesale. After all, SMEs sometimes don't have a dedicated CIO or CTO or no one who has the expertise (or time) to be an expert in both legal and data protection matters.
It's a balancing act, though, and here's why: at any time, audits and official check-ups can require you to divulge how you process your data, how you label it, what you do with it, who does it and when, and so on. Going back to an external consultant each time can be exhausting and time consuming. As The Register warns, "GDPR is not a one-time, fire-and-forget project."
The small e-commerce merchant's checklist for GDPR
To see the forest for the trees, ask yourself the following questions:
· Do I capture only the data that is relevant to my business?
· Do I process data that is not sensitive, private or belongs to people under 16?
· Do I tell my customers and visitors what I do with their data?
· Is my privacy policy aligned with the GDPR?
· Is my record keeping of customer and visitor data limited in time?
· Do I have an overview of what my business does with personal data?
· Can I quickly hand over data packages to auditors, or clients who want their data back?
· Are my business partners and programs I use GDPR-compliant?
The more you have answered 'yes' to these questions, the less you have to worry about. But even if you've answered 'no' or 'I don't know' once, you would do well to take a deeper dive into GDPR-related articles. The European Union's official site has a page dedicated to SMEs and GDPR, so that's a good starting point.
Saving Ryan's privacy
If you have lingering questions about privacy in e-commerce, feel free to hit us up at hello@saylretail.com or reach out to us on social media (Medium, LinkedIn or Facebook, it's all good). If you have questions on Sayl Retail's GDPR compliance and in case you have specific GDPR questions that relate to your business using our platform, we will answer you to the best of our abilities.
If you have contracts with companies or service providers who are GDPR-compliant themselves, it may become an attractive idea to outsource GDPR compliance wholesale. After all, SMEs sometimes don't have a dedicated CIO or CTO or no one who has the expertise (or time) to be an expert in both legal and data protection matters.
It's a balancing act, though, and here's why: at any time, audits and official check-ups can require you to divulge how you process your data, how you label it, what you do with it, who does it and when, and so on. Going back to an external consultant each time can be exhausting and time consuming. As The Register warns, "GDPR is not a one-time, fire-and-forget project."
The small e-commerce merchant's checklist for GDPR
To see the forest for the trees, ask yourself the following questions:
· Do I capture only the data that is relevant to my business?
· Do I process data that is not sensitive, private or belongs to people under 16?
· Do I tell my customers and visitors what I do with their data?
· Is my privacy policy aligned with the GDPR?
· Is my record keeping of customer and visitor data limited in time?
· Do I have an overview of what my business does with personal data?
· Can I quickly hand over data packages to auditors, or clients who want their data back?
· Are my business partners and programs I use GDPR-compliant?
The more you have answered 'yes' to these questions, the less you have to worry about. But even if you've answered 'no' or 'I don't know' once, you would do well to take a deeper dive into GDPR-related articles. The European Union's official site has a page dedicated to SMEs and GDPR, so that's a good starting point.
Saving Ryan's privacy
If you have lingering questions about privacy in e-commerce, feel free to hit us up at hello@saylretail.com or reach out to us on social media (Medium, LinkedIn or Facebook, it's all good). If you have questions on Sayl Retail's GDPR compliance and in case you have specific GDPR questions that relate to your business using our platform, we will answer you to the best of our abilities.
Apply what you learned
Ready to try our pop-up shops ?