By Scott Logie, MD, Insight at REaD Group
Many have likened the impending GDPR to a data apocalypse and the end of marketing as we know it. Certainly, if you have been brazen enough to ignore the new regulation altogether and failed to prepare then it is most likely a ‘data hell’ that beckons. However, your actions in the final days before the changing of the guard from DPA to GDPR (and beyond for that matter) will determine whether it’s an apocalypse that awaits, or a nirvana.
There have been countless examples over the years of companies committing data blunders and of ‘bad data’ seriously affecting consumers’ perception of a brand’s image. Indeed, research carried out in 2016 found that two thirds (66%) of consumers said that they would boycott organisations that continued to send mailings to a loved one that was deceased.
Given recent events surrounding misuse of data and growing unease and distrust from consumers around how their data is used, it seems likely that this figure will only have grown.
In 2014 a woman in California received a credit card offer from Bank of America addressed to ‘Lisa is a… (well, let’s just say a rather offensive word that rhymes with mutt…) McIntyre’. A photograph of the offending letter was shared on Twitter and subsequently went viral. While this is perhaps a fairly amusing example of inaccurate data backfiring – and luckily for the bank in this case Lisa saw the funny side – it certainly highlights the importance of ensuring that your database is clean before running a campaign.
Similarly, there is the infamous ‘Dear Rich b**tard’ incident, which has now passed into marketing urban legend. After doing my own research into the origins and validity of this story I discovered that this particular gem of a blunder was carried out by a small UK-based company in the early 1990s. After a programmer classed poorly formatted data under the placeholder phrase ‘Rich B**tard’ this was never updated, resulting in mailings being sent out addressed ‘Dear Rich B**tard’. A small mistake to make, but one that could have been far more serious, and costly. Interestingly the company was later contacted by a prospective customer who was indignant that he had not been contacted in this manner as he felt that he qualified for such a title!
I remember a bank a few years ago who mistakenly mailed all of their suppressed records (including deceased and goneaway contacts) instead of suppressing them. As you can imagine they were inundated with complaints from angry consumers…but at the same time received an amazing response rate!? Rather than advocating this mistake, this merely promotes the argument for keeping track of relocated consumers and looking at new occupiers.
Perhaps one of the most distressing and horrific mistakes related to inaccurate data happened in 2014 to a recently widowed woman from Cardiff. After her husband passed away she was bombarded with mailings from her husband’s mobile provider demanding overdue payments and offering new tariffs and deals. Despite attempts to inform the company that her husband had passed away, the mailings continued and became less friendly in tone. Following three visits to a branch, on one occasion bringing her husband’s ashes and death certificate with her, the matter was finally resolved after a huge amount of unnecessary distress and anguish to her and her family had been caused.
This is an extreme example, but the brand damage and bad publicity such an error could cause is enormous – the coverage of the story was incredibly widespread at the time. But it could all have been so easily avoided.
With data cleaning solutions readily available, and with the advent of DaaS (Data as a Service) allowing data to be cleaned in real time, there really is no excuse for having data that is not accurate and up to date.
Article 5 (d) of the new Regulation states that data must be kept accurate and up to date or deleted. This is not something that is up for debate or a nice-to-have, but something that will be enforced in law. Failure to comply with this aspect of GDPR will result in potentially hefty fines from the ICO.
 Wilmington Millennium, The True Cost of Mailing the Dead: Brand Damage, 2016
We are now less than two months away from the day that has been striking fear into businesses across Europe (and beyond) for the best part of a year – 25th May 2018. However, there is a particular aspect of the new regulation that many have overlooked, assigned a low priority to or simply ignored. The regulation is a comprehensive document containing 99 articles in total, but Article 5 (Principles relating to processing of personal data) appears to have slipped under the radars of many.
GDPR Article 5 (1) (d) requires that data be accurate and kept up to date or DELETED. Once the implementation phase of GDPR ends on May 25th and the regulation is enforceable, this will be law – no ifs, ands or buts.
‘‘(…) personal data shall be:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;’’
There is no doubt that data has become an integral part of how many businesses function today, but it is crucial to ensure that this data is the RIGHT data.
Why lose customers and prospects altogether or cause your brand reputational damage by failing to comply with Article 5 when there is a simple solution? The truth is that data accuracy is no longer a nice-to-have but a necessity – it is something you MUST do.
The law is changing and GDPR takes a far stricter stance on data accuracy than its predecessor, the Data Protection Act; in addition to potentially incurring the wrath of consumers, failure to comply could result in a substantial fine from the ICO.
In the last 12 months the majority of businesses, and the media, have continued to panic and focus their attention on the consent aspect of GDPR, but the ICO is very clear that all clauses carry the same importance and weight. Hoping for the best and assuming that the term ‘reasonable steps’ justifies taking no action is naïve at best and arrogant at worst. Investing in a solution that ensures that data is kept clean and up to date on a regular basis, or even in real time with Data as a Service products, is most certainly a reasonable step.
Recent ICO guidance confirms that postal marketing can be conducted using the basis of Legitimate Interest (LI) under GDPR. This will undoubtedly result in many more brands incorporating direct mail into their marketing mix over the coming year. It has therefore never been more important to ensure that postal data is accurate and up to date.
By continuing to market to the previous address of individuals who have relocated, you are not only wasting marketing budget that could be better spent elsewhere, but also losing contact with a customer who may subsequently become lapsed. Furthermore, the current occupants of that property will be far less likely to engage with a brand that is inundating them with a previous tenant’s post.
Similarly, failing to screen for deceased contacts in your database is a waste of marketing spend, but more importantly one that has the potential to cause undue distress to the families of those still being contacted. Why risk tarnishing your brand’s reputation? Equally, why risk incurring penalties from the ICO for non-compliance?
It is not too late to take the necessary steps to ensure you are GDPR ready in relation to Article 5. Keeping data accurate by removing and keeping track of gone aways and screening for deceased individuals will not only comply with GDPR, but also boost the performance of marketing campaigns and save time, money and resources by not marketing to people who will not receive the communication. Where GDPR is concerned, the message is clear – CLEAN it or LOSE it.
By Scott Logie, MD, Insight at REaD Group
At the recent Data IQ event I jointly chaired a table discussion on the GDPR ready Single Customer View (SCV). This turned out to be a very interesting experience. First of all, there was a huge range of requirements, from B2B SCV development to “How do I get started”, “How do I get funding for an SCV” through to “How do I make my SCV real-time” and “How do I connect Google Analytics data into my SCV”.
This obviously created a lot of discussion with different brands, at different levels of development, able to share their experience with those who are just getting started. Hopefully everybody enjoyed the discussion and got a lot out of it.
From a GDPR point of view, there were three main areas of interest that came out:
- How do I keep the data in my SCV current and up to date?
- How do I structure the SCV so that I can hold permissions and consent correctly?
- What do I need to do to ensure that I share the correct information with my customers, as and when this is required?
So, taking each of these in turn:
Keeping the data up to date
What became apparent during the conversations was that there are different levels of understanding of what is required under GDPR in terms of keeping data up to date. This isn’t that surprising as most of the concentration to date has been on consent and ensuring that we have permission to contact the consumers we want to engage with.
However, we have an obligation as well to keep the data we hold current and clean. And to archive or delete what is no longer needed. In some cases this has not been considered, in others it was seen as a lower priority.
From a REaD Group point of view, our advice is very clear; with GDPR Article 5 requiring that personal data be kept clean and accurate (or be deleted!), choosing a trusted solution to optimise the quality of your data and maximise compliance is now business critical. Whether this is ad hoc but planned updates, real-time access via APIs or licensing of the different industry suppression products, there is no choice but to have a solution in place that works for your business.
Structuring the SCV for holding consent
To be honest, there is no easy way to answer this. We have tackled it by building a consent table that holds each of the key pieces of information – which allows us to manage change over time – that is then referenced on each customer record. This allows us to ensure we keep the most recent permission against a record, by channel, but also enables us to track changes over time. This does result in a very large lookup table but better that than extending customer records.
The other thing to bear in mind is to hold both what consent was gained, where and when, and also the usage you have agreed for that customer record by channel. For example, you may have gathered consent to contact by Direct Mail but have chosen Legal as the reason for contact, and this needs to be held. In addition, note that this needs to be managed by customer, by product, by channel, so it can become cumbersome if not managed correctly.
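One way to lay out the consent table described above, as an added example that is not REaD Group's own schema. Table names, column names, the set of basis values and the sample rows are assumptions constructed for illustration; rows are appended rather than updated so the latest permission and its history both survive.

```python
import sqlite3

# All table, column and value names here are assumptions for illustration.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
-- Append-only: one row per permission change, never updated in place.
CREATE TABLE consent_event (
    event_id      INTEGER PRIMARY KEY AUTOINCREMENT,
    customer_id   INTEGER NOT NULL REFERENCES customer(customer_id),
    product       TEXT NOT NULL,
    channel       TEXT NOT NULL,
    consent_given INTEGER NOT NULL CHECK (consent_given IN (0, 1)),
    basis_used    TEXT NOT NULL CHECK (basis_used IN
                  ('consent', 'legitimate_interest', 'legal', 'none')),
    source        TEXT NOT NULL,   -- where the permission was captured
    captured_at   TEXT NOT NULL,   -- when, as an ISO 8601 UTC timestamp
    -- 'consent' cannot be the agreed usage unless consent was actually gained.
    CHECK (basis_used <> 'consent' OR consent_given = 1)
);
CREATE INDEX idx_consent_lookup
    ON consent_event (customer_id, product, channel, captured_at);
"""

# Most recent row per (product, channel) for one customer.
LATEST = """
SELECT e.product, e.channel, e.consent_given, e.basis_used,
       e.source, e.captured_at
FROM consent_event AS e
WHERE e.customer_id = ?
  AND e.event_id = (
        SELECT e2.event_id FROM consent_event AS e2
        WHERE e2.customer_id = e.customer_id
          AND e2.product = e.product AND e2.channel = e.channel
        ORDER BY e2.captured_at DESC, e2.event_id DESC
        LIMIT 1)
ORDER BY e.product, e.channel
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, customer_id, product, channel,
                 consent_given, basis_used, source, captured_at):
    """Append a permission change; earlier rows are kept as history."""
    with conn:
        conn.execute(
            "INSERT INTO consent_event (customer_id, product, channel,"
            " consent_given, basis_used, source, captured_at)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (customer_id, product, channel, int(consent_given),
             basis_used, source, captured_at))


def current_permissions(conn, customer_id):
    return [dict(r) for r in conn.execute(LATEST, (customer_id,))]


def history(conn, customer_id, product, channel):
    rows = conn.execute(
        "SELECT consent_given, basis_used, source, captured_at"
        " FROM consent_event"
        " WHERE customer_id = ? AND product = ? AND channel = ?"
        " ORDER BY captured_at, event_id",
        (customer_id, product, channel))
    return [dict(r) for r in rows]


def can_contact(conn, customer_id, product, channel):
    """Fail closed: no record, or a latest basis of 'none', means no contact."""
    row = conn.execute(
        "SELECT basis_used FROM consent_event"
        " WHERE customer_id = ? AND product = ? AND channel = ?"
        " ORDER BY captured_at DESC, event_id DESC LIMIT 1",
        (customer_id, product, channel)).fetchone()
    return row is not None and row["basis_used"] != "none"


def build_sample():
    """Constructed sample data: one customer, two channels, one withdrawal."""
    conn = open_db()
    with conn:
        conn.execute("INSERT INTO customer VALUES (1, 'Sample Customer')")
    record_event(conn, 1, "product_a", "email", True, "consent",
                 "web_signup_form", "2018-01-10T09:00:00Z")
    # Consent gathered for Direct Mail, but 'legal' held as the reason for contact.
    record_event(conn, 1, "product_a", "direct_mail", True, "legal",
                 "web_signup_form", "2018-01-10T09:00:00Z")
    # Later withdrawal for email: a new row, the original one stays as history.
    record_event(conn, 1, "product_a", "email", False, "none",
                 "preference_centre", "2018-03-02T14:30:00Z")
    return conn


if __name__ == "__main__":
    db = build_sample()
    for perm in current_permissions(db, 1):
        print(perm)
    print("email allowed:", can_contact(db, 1, "product_a", "email"))
```
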
Giving consumers access
Finally, from a consumer access point of view, I think there are two key things to consider in terms of contact: managing subject access requests (SARs) and also allowing consumers to see what information is held on them for permission management.
From a SAR point of view, there were two clear messages:
- Be very clear what is going to be shared as part of a SAR. It’s not my place to advise what the content should be but what was interesting was how varied and differently detailed each SAR response format was going to be. I think this is something to be tackled early, agreed with your legal teams and shared as appropriate.
- Having an SCV doesn’t sort out SAR responses but it helps a lot! Having as much data held in one place as is possible makes the tracking of information needed for a SAR substantially easier.
From a permission management point of view, again there were a lot of different views and positions. Some organisations, the more digital email-only brands in particular, seem to be using their ESP to manage and share permissions with customers. For others there was a work stream to agree what was to be shared and how. Interestingly, no-one stated that they were fully on top of this.
There are many approaches to be taken here. At REaD Group we have partnered with a business, My Life Digital, who provide a Permission Management solution. We are implementing this for our own use and also recommend it for our clients. Other solutions are available!
Overall, tackling GDPR compliance from an SCV point of view isn’t a luxury but a necessity. Keeping the data current, tracking permissions and consent and ensuring that SARs can be responded to quickly and accurately are all part of the new world of data management. It was very clear that there is a lot of work to be done, by big brands and smaller businesses, to meet the basics never mind the nice to haves. It’s going to be a fun year!
By Scott Logie, MD, Insight at REaD Group
The robots are coming! Well, not quite, but the ever growing trend for implementing AI and automated systems to aid in our everyday lives seems to be showing no signs of slowing.
Recent research conducted by the advisory company Gartner suggests that by the year 2020 a quarter of all customer service and support will incorporate chatbots or a similar form of virtual customer assistant technology. This seems like an astonishing figure, and one that has both positive and negative connotations.
The last decade has seen a huge jump in the proportion of people engaging on digital channels, and it is therefore hardly surprising that companies are investing more and more in these virtual customer assistants. Purely from a resource point of view such a transition makes a lot of sense; artificial intelligence (at least at this stage!) doesn’t ask for a pay cheque.
There is also a distinct advantage to the consumer – these automated systems are capable of functioning 24/7, without the need for sleep or coffee breaks. Furthermore, the prospect of a future free from hours spent on hold listening to Justin Bieber might not be the worst thing in the world.
However, when it comes to customer service, can human contact ever truly be replaced or replicated? According to research we conducted last year, 62% of consumers rated high quality customer service as the largest factor influencing brand trust and loyalty in the retail sector (Retail Trend Report 2017: New World, New Consumer).
While these virtual customer assistants are undeniably becoming more sophisticated all the time, it is the warmth of human interaction that creates this customer engagement. Some of these systems are capable of detecting frustration and anger in a customer’s voice and will transfer the call to a person in a call centre at a certain point. I find shouting down the phone helps. But by and large there is no doubt that they are still worlds away from being able to react and alter their response or attitude based on things like sarcasm and emotion.
There also comes a stage when we have to ask – where does this end? Do we eventually reach a point where human contact has been phased out entirely and we find ourselves reliant on machine to machine relationships? Say, for example, my bank bot detects that I’m overdrawn and applies for an overdraft on my behalf, and this instigates another chatbot which then decides whether to grant me said overdraft. The possibilities are dizzying, and somewhat terrifying – just one short leap to Skynet!
The question of trust and customer experience is not one to be overlooked lightly. The majority of consumers taking part in Gartner’s survey said that they find it difficult to trust VAs to assist them with more complex tasks, such as handling their banking, insurance or utility issues (29%, 16% and 35% respectively). Therefore, brands will need to demonstrate to customers that they will still receive the same high levels of customer service once these technologies have been incorporated.
Perhaps if this predicted future comes to pass a balance will need to be struck between convenience and functionality. A system whereby technology and human work in tandem may be considered as an initial compromise – HAVAs (Human Assisted Virtual Assistants). The idea is that when a VA is faced with a situation it cannot handle or a question it cannot answer, a human agent will then take over the conversation. The growing development of machine learning will also theoretically mean that VAs are able to learn from these instances and adapt to resolve these situations themselves in future.
Essentially, it remains to be seen how effective these VAs are in maintaining the high levels of customer service that consumers have come to expect. Advancements in technology such as natural language processing and machine learning are perhaps bridging the gap between the soulless and robotic automated systems that we’ve come to know, but can they ever truly hope to encourage the same level of engagement and replace human interaction? The next few years will certainly be interesting, but brands must be sure to put customer experience first, or risk dealing with the consequences.
By Scott Logie, MD, Insight at REaD Group
Working as I do in the data marketing sector, I am probably more sensitive to how my data is being used than most. As an industry we very proudly boast about how marketing used to be mass market and big creative idea led but it has evolved over the last 20 years to being content and data led. Indeed, we wear GDPR as a badge of honour that the use of personal data is now so high profile that new laws are needed to ensure that it is not misused or abused.
Also being from the industry I see, and also share, lots of case studies of how data is being used to create personal content, drive individual level communications or build real-time offers based on clicks, views and likes. But in reality, how much of this is smoke and mirrors? How much do consumers feel that they are receiving highly relevant communications and offers? How close are we really getting to one-to-one marketing?
There is a slide in a deck that I use a lot that states that the benefits to brands of getting the right balance on personalisation are very powerful with return on investment 30% higher for companies who use data and analytics to personalise their marketing and customer engagement (source: SAS and Forrester Research).
So there is a compelling business case yet, as a consumer, how often am I impressed by the marketing communications that I get? Honestly, not very often at all. What I get through the post is generally identical for me and my wife, often from the same company on the same day. My inbox is jam packed full of emails which are clearly sent out to everyone on a database but, hey, sometimes they have my name on them so it’s personalised, right? And on-line I’m pretty sure I see the same ads all the time and when I browse YouTube or watch All4 I see the same ads as everyone else does.
We are creating a promise to build engaging, tailored, personalised content based on real-time data but we are not living up to that promise.
Other research I have seen has shown that only 25% of companies reckon their marketing could be described as personalised with around a third of marketing using some form of segmentation. Segmentation feels like a dirty word these days. It is often derided by many people. Why would you use segmentation when you can get to real personalised content by analysing clicks and likes? Why use a broad brush approach that classifies people into a number of groups when everyone can feel like an individual?
My response would be this – at least a segmentation can help to bridge the gap between mass marketing and one-to-one engagement. Call it practice. If we can tailor content, emails, adverts to a few segments then over time that can become automated and refined to get towards the personalisation utopia.
In many cases it isn’t even as if the segmentation doesn’t exist. I see a lot of instances, sadly, of segmentation work being done but the next step of tailoring comms and starting to move towards a more personalised customer experience just never happens. As a data analyst this makes me very sad indeed. Maybe we are not being forceful enough in showing the value of implementation, of helping achieve that 30% uplift in ROI.
The longest journey starts with a single step. My feeling is that many organisations are fearful of taking that first step. There is a lot of procrastination – it will take a lot of effort, it should be perfect when we go live, let’s test and see what level of difference it makes. Status Quo is the easy outcome, things are not too bad just now so let’s leave them as they are.
However, by not even trying to make a change we are letting the data down, we are wasting investment, we are letting the hard work by the analysts in creating the segmentation go to waste as well as the marketers who instigated the work.
But much much more importantly, we are letting our end customers down. The next time a decision is made, or more likely, not made, to defer the implementation of a more personalised approach think about this: Would my customers be impressed by the current emails I send them? Or the mail they get through the post from me? Or the ads they see on-line? Would they feel it was delivered just to them because I know them so well? If not then what’s the risk of taking that first step?
Direct Mail can be used under the basis of Legitimate Interest under GDPR (or put another way, does not require Consent).
Yes you can! We’ve had it from the only authority that counts in the UK – the Information Commissioner’s Office (ICO) – who recently provided some much-needed clarity on the use of Legitimate Interest for marketing, confirming on their website that “you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.” Great to have some clear guidance and a green light for responsible, consumer-centric direct mailing.
Using Legitimate Interest in practice requires the application of a good dose of…common sense!
OK so the ICO call it a Legitimate Interest Assessment (LIA) – but essentially what they are looking for is the application of the main principles of the GDPR – openness, honesty and transparency – supported by evidence that you have carefully considered the impact on an individual and made an informed and fair judgement that your interests and the interests of the individual are balanced.
Executed well, Direct mail is proven to be an incredibly effective channel for response rates and engagement.
Put simply – it works! Great Direct Mail will deliver great results. It can grab more attention, engage and help to create closer relationships and generate more responses.
Recent research by Brand Science confirmed “when mail was included in the marketing mix, campaigns had 12% bigger ROI than those without mail.” Impressive!
Anecdotally, one of our clients recently reported a consistently high ROI and an average of 1000+ new customers/month from Direct Mail.
AND consumers like it! And we’ve got some stats to prove it….
Respondents to MarketReach research confirmed that mail is more believable (87%), makes them feel more valued (70%) and creates a better impression of a company (70%).
Choosing the right partner will make all the difference!
Choose a partner you can trust. At REaD Group we have been helping businesses of all shapes and sizes get great results from Direct Mail for more years than we care to remember – and with the advent of GDPR our services have become even more important and relevant to our clients (from optimising data selections and data quality to campaign reporting and analysis). We’re a safe pair of hands.
Sounds good, right? So what to do next?
Contact our knowledgeable and friendly team who can talk you through how we can best support your marketing strategy and help you thrive through GDPR and beyond.
By Andy Bridges, Data Quality and Governance Manager at REaD Group
The Gemalto Breach Level Index (BLI) recently published some rather concerning findings – more data records were leaked or stolen in the first half of 2017 than in the whole of 2016. An even greater cause for concern, and perhaps somewhat surprising, the report also revealed that the most common cause for data breaches was accidental loss and data being inadvertently left exposed.
While attacks by cyber criminals make for more compelling reading, more attention needs to be brought to internal threats such as accidental loss and other acts of negligence. If nothing else, the BLI report highlights that UK data security culture is in serious need of an overhaul. So how exactly can businesses better protect themselves?
However much we like to believe that information breaches are largely the result of strategically orchestrated attacks by criminal masterminds, the truth is generally far less dramatic. They are frequently the result of human error, such as misplacing hard drives, bad password management, careless file sharing or lack of vigilance to the increasingly prevalent phishing emails. All can be easily prevented.
More than anything, businesses must incorporate information security into office culture – protecting information is no longer the sole responsibility of IT and compliance departments; data security is a companywide responsibility.
As a first step, staff should be trained on a regular basis to ensure that everyone understands best practice in the workplace. The HR policy should also be altered to reflect the fact that responsibility doesn’t lie solely with IT to instigate better behaviour.
Additionally, employees should be on the lookout for potential threats to information security, such as leaving computer screens unlocked and leaving confidential paperwork unattended, and should be encouraged to self-police. Implementing a clean desk policy is a good first step towards safeguarding confidential information.
In order to better protect an information estate, companies need to understand what information they have. As well as ensuring that data is clean, viable and that all relevant permissions and consent are held for the data, companies must also ensure that the appropriate data protection and information security practices are in place. It states in Recital (100) of the GDPR that:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
It is not currently compulsory to report a data breach, but once GDPR comes into force next year, all companies must report a data breach to the Information Commissioner’s Office within 72 hours. In addition to risking a hefty fine, companies will also stand to incur the longer-standing loss to their reputation.
With this in mind, it seems highly probable that we will see an increase in breach reports – most likely not due to an increase in breaches, but because companies will have much more incentive to be transparent and open about such occurrences.
Overall, GDPR presents a great opportunity for UK businesses to step up their data protection strategies and better protect themselves against data breaches. The new regulation stipulates that companies will have to be much more rigorous in their approach to collecting, storing and using customer data – which should correspondingly see a vast reduction in accidental loss. Inevitably, this increased transparency will result in a more trusting and loyal consumer.
It is now less than 6 months until GDPR is introduced, and the more earnestly businesses prepare and implement the necessary data protection strategies, the sooner we will see a significant reduction in the number of data breaches.
By Scott Logie, MD, Insight at REaD Group
In the ongoing race to maximise compliance and pip GDPR to that ever-encroaching finish line, the whispers and concerns over its implications continue to reach fever-pitch.
Earlier this year, the Information Commissioner’s Office (ICO) made an example of the Exeter-based airline Flybe by enforcing a sizeable £70,000 fine. The airline incurred this by sending millions of marketing emails to customers who did not wish to receive them; the ICO have made it very clear that when it comes to consent infringements – they’re taking no prisoners. ICO head of enforcement, Steve Eckersley stated that Flybe “deliberately contacted people who have already opted out of emails from them” by asking if they wanted to update their preferences, which he stressed is still a form of marketing.
It is therefore hardly surprising that many travel companies have begun to feel apprehensive about their ability to communicate with their customers come the day of GDPR reckoning (May 2018). With fines such as the one sustained by Flybe becoming more prevalent, this only emphasises the necessity for companies to obtain consent from consumers. Consent essentially entails an individual providing approval for the processing of their personal information. The bottom line is that travel companies, and indeed all businesses alike, will have to be far more transparent if they hope to avoid harsh sanctions from an unforgiving ICO.
Initial guidance provided by the ICO suggests that a pre-ticked opt-in box will no longer constitute legally attaining permission. In lieu of this, unequivocal and unambiguous consent must be attained through active opt-in protocols; the box must be empty to begin with. Moreover, comprehensive details of how this data will be used must be provided. Contrary to the current system, consent requests must under no circumstances be hidden in the Narnia of terms and conditions or be a precondition of subscribing.
Admittedly, marketing strategies may require a bit of adjustment, but in the long run these new regulations should be seen as a positive change for both customers and operators alike. While it may ultimately result in a shrinkage in the size of marketing databases, the overall quality and saturation of amenable and valued customers within them shall undoubtedly increase. Those who have willingly shared their personal information will prove more beneficial to marketers than those who have been duped into giving permission. Consumers are more than happy to part with their details as long as they perceive that they are receiving a tailored and personal service in exchange. With regard to Travel companies, details on a customer’s budget, lifestyle and favourite destination can be used to provide the kind of customer service that consumers have come to expect.
On the other hand, it seems likely that smaller companies and those that have already fallen under the ICO cosh may struggle somewhat more than household names to convince consumers to part with their personal data. Nonetheless, there are certain measures that all travel operators, irrespective of size or reputation, can implement to limit any negative effects of GDPR.
The most effective course of action might be to devise highly targeted marketing campaigns that demonstrate to consumers the benefit of consenting. Personal offers and relevant streams of contact can be instigated once Travel companies have segmented their customer database into smaller groups based on factors such as interests, favourite destination and budget. How soon should you do this? The sooner the better; GDPR waits for no man.
Once the swirling dust and initial shock of GDPR has settled, companies should find that they are left with a more succinct database consisting of receptive customers. Which, truth be told, is an infinitely better prospect than a larger spread of individuals who weren’t aware that they had consented in the first place. By conducting these highly targeted campaigns, travel operators can seize the opportunity to demonstrate the value exchange in sharing information and strengthen relationships with their existing customers before GDPR’s implementation. This may seem like an extreme alteration in approach, but travel companies should find that if they navigate these uncharted waters effectively – treasures and bounty await.