A GDPR-compliant website sets the scene for the whole brand
As the General Data Protection Regulation approaches, there are some simple lessons that need to be learnt. And the fastest learners should be the web team, who define the brand’s first point of contact with customers – and so become the first team that needs to enact GDPR-appropriate procedures.
Considering the relevant parts of the regulation, and what needs to change, the web team will be the brand saviours if they can make the customer experience seamless and compliant from the outset.
Whether a marketer, technologist, or business leader, every role should be well aware of the upcoming regulation that in less than three months will dramatically change the way organisations managing customer data operate. Of course it’s the General Data Protection Regulation (GDPR) which brings this change. But have all of these roles considered how the first point of contact – the brand website – should change?
In an ideal world, organisations are in the very final stages of compliance-readiness. They understand how, in accordance with the newly enforceable rules (the penalties come into effect from 25th May), to collect, manage, govern (and even delete) customer data in a respectful and solicitous way – with the protection of the customers’ existing and new data rights uppermost at all times.
A great many organisational surveys have shown that, over the past few months and years, lots of business decision makers have consistently been unaware, overconfident, or ignorant of what GDPR really means for their organisation.
The brand website is crucial here. It’s the first point of contact for customers visiting the brand digitally – in a way that impacts on their privacy rights. It’s the web team that must ensure that all data collection, processing, and management takes place in accordance with the new regulations – while the brand continues to get what it needs to keep the leads coming in and to excite prospects and customers to learn more, or to purchase!
There’s no need to go into great detail on those regulations here, as a whole industry has grown up explaining GDPR from every angle, but here is a quick recap of the major points, and of why the web team in particular should take them seriously:
Consumers get new and improved rights – from their first landing
GDPR brings a number of new rights like the right to erasure (‘right to be forgotten’), or enhances others, like the ‘right to be informed’. These will put pressure on the business to deliver accurate and timely data searches and amendments in line with GDPR guidelines. Issues of consent loom large – tracking visitors without permission, or allowing their data to be moved from the site by third party vendors has to stop immediately.
New roles for a new world: The Data Protection Officer (DPO)
Businesses are required to appoint a DPO to assist in compliance with GDPR. The legislation assigns responsibilities to the role, and it’s needed whether the organisation is acting as a ‘processor’ or as a ‘controller’, where processing operations require monitoring of people on a large scale.
Controller or Processor: Newly enhanced obligations on data processors
Under the old UK Data Protection Act (1998), the obligations were only on data controllers. Under GDPR, processors have obligations. They will be accountable for compliance beyond any contract terms, and in keeping data safe and secure. It’s vital that organisations know what their suppliers are doing. Where customer data is analysed and decisions are made really comes to matter as responsibilities are more tightly defined and controlled.
New regulations are backed up with a bite
The regulation allows some hefty fines for non-compliance if a business is at fault and mismanages consumer data, or allows it to leak. These could be up to 4 per cent of the company’s annual revenue, or €20m – whichever is higher. Clearly, this is not something an organisation wants to contemplate, and the website will provide the first clues as to whether GDPR regulations are being followed, as compliance issues of privacy and consent can be spotted immediately, depending on the experiences provided to customers from their first visit.
Website managers’ new favourite term: ‘Piggybacking’
From the get-go, or first landing by the customer, everything about data collection changes. Yet there’s still confusion around accountability for GDPR compliance. Businesses have a legal requirement to ensure clear communication of the processes and parameters for data use, across all digital channels regardless of who runs them. Yet despite this, 46 per cent of UK marketers believe their company isn’t responsible for data collection across all digital properties, according to Ensighten’s sponsored research, delivered by Sapio.
Given that a major part of the spirit and letter of GDPR is that informed consent must be provided before data may be collected and used, it becomes totally unacceptable that customer privacy is being flouted as a general part of using the web. Right now this is just how web technologies work. This has to change for the 25th May, or else firms will be in breach of the regulation – even without using that customer data themselves!
Even companies totally committed to compliance need to be extremely careful to avoid collecting any personal consumer data prior to consent, because erasing data after the fact is not a feasible option. Unfortunately, the current marketing technology ecosystem which developed over the past decade was not designed to gain consent first.
Managing the required technology changes sooner will not only get the website ready for the May deadline, but it will go a long way to improving the overall user experience – and ensuring that customers aren’t confused by a sudden new look and consent options in May. The sooner communications begin, changes are signposted and explained, the sooner real trust is created. And whilst this is to a great extent a marketing and customer care department challenge, the technology platform is what everything relies on to function efficiently, effectively – and compliantly.
Piggybacking = data leakage
As well as a blanket ban on the piggybacking of unauthorised tags (likely best controlled through real-time whitelist and blacklist control in the browser), ensuring enforcement of data collection consent over all tags and website functionality is key.
This can only be driven by personalised 1:1 privacy consent for all web visitors. The most elegant solution for most organisations may be to deliver customer consent overlays directly onto web pages. This gives visitors a positive experience with respect to consent communications – and simplified control over data collection by various marketing technologies. Given the global reach of the web, being able to easily customise privacy choices to match all local languages will be a crucial element that may have a big impact on the way customers respond to their new rights.
Enhancing brand trust through the right processes and tech choices
It comes down to the technology platform to create the brand trust consumers will become increasingly aware of in the GDPR world. It falls to the tech team to manage the process of visitor audit trails, which must be made available upon regulatory request.
All sites will require consent management options so that visitors may directly view, change and withdraw consent for various data uses at any time. These will need to be connected to all the different technologies and third party suppliers that manage the various web operations a site requires.
Indeed, connecting these elements of privacy, consent, company and third party data, and sharing them appropriately, will be fundamental to modern business success in 2018.
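An added example (not from the original article or from any vendor's product) of the allowlist-plus-consent gate and audit trail described above: a tag may load only if its host is allowlisted and the visitor has consented to its purpose, and every decision is recorded. The hostnames, purposes and function names are assumptions made for illustration.

```javascript
// Illustrative consent gate for third-party tags (names and hosts are constructed).
// A tag loads only if (1) its host is on the allowlist and (2) the visitor has
// consented to the purpose that host is registered under.
function createTagGate(allowlist) {
  // allowlist: { hostname: purpose }, e.g. { "analytics.example": "analytics" }
  const consent = new Map(); // purpose -> boolean; absent means no consent
  const audit = [];          // append-only record of consent changes and decisions

  function log(event, detail) {
    audit.push({ time: new Date().toISOString(), event, ...detail });
  }

  return {
    // Called by the consent overlay when the visitor grants or withdraws consent.
    setConsent(purpose, granted) {
      consent.set(purpose, Boolean(granted));
      log("consent", { purpose, granted: Boolean(granted) });
    },
    // Decide whether a tag URL may load. `initiator` is the tag that requested
    // it, so piggybacked requests appear in the trail with their origin.
    mayLoad(tagUrl, initiator = "page") {
      let host;
      try {
        host = new URL(tagUrl).hostname.toLowerCase();
      } catch {
        log("blocked", { tagUrl, initiator, reason: "unparseable-url" });
        return false;
      }
      const listed = Object.prototype.hasOwnProperty.call(allowlist, host);
      let reason = "allowed";
      if (!listed) reason = "host-not-allowlisted";
      else if (consent.get(allowlist[host]) !== true) reason = "no-consent";
      log(reason === "allowed" ? "allowed" : "blocked", { host, initiator, reason });
      return reason === "allowed";
    },
    auditTrail: () => audit.map((e) => ({ ...e })),
  };
}

// Constructed sample configuration and visit.
const gate = createTagGate({
  "analytics.example": "analytics",
  "ads.example": "advertising",
});
gate.setConsent("analytics", true);
console.log(gate.mayLoad("https://analytics.example/t.js"));                    // allowlisted, consented
console.log(gate.mayLoad("https://ads.example/pixel.js"));                      // allowlisted, no consent
console.log(gate.mayLoad("https://tracker.invalid/p.js", "analytics.example")); // piggybacked host
```

In a page, this decision would be called from the one place that injects tags; a Content-Security-Policy `script-src` allowlist can enforce the host check for scripts that do not go through that loader.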
Ultimately, you are only as good as your data. GDPR will force businesses to reassess their relationship with customers and will create a whole new meaning to the ‘value exchange’, where consumers receive personalised, meaningful content and services, in return for transparent use of personal data.
It’s the web team who now form the front line, with the website the first engagement between the ideals of the GDPR and the reality of customer interactions. But to pull this off they’ll need to work with the marketing team – because the great majority of tags on the website are there to service the marketing team’s needs. It’s a chance to cross silos and create a smooth process to get the whole company prepared for the changes ahead – from the site to the sale.