GDPR is coming – and it will affect all student marketers, no matter where you are. The General Data Protection Regulation (GDPR) will come into force on May 25, 2018. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach the subject. More specifically, it sets out stringent rules on the collection, management and processing of personal data.
As a student marketing professional, here are 3 things you need to know about GDPR now:
Privacy by Default
The guiding principle “Privacy by Default” is about going from a perfunctory collection of personal data to only collecting and processing the specific data that is needed. This applies to the amount of data collected, how it’s processed, who has access to it, and how long it’s stored. Every instance of collection, storage and processing must have a specific purpose. Organizations need to change their general attitude towards personal data to view it as something they have borrowed for a specific purpose, and for a limited time, instead of something that they own.
Broader Definition of Personal Data
The GDPR has a broader definition of personal data than we were used to working with before. It’s no longer just names, addresses, email addresses, phone numbers and similar information that is affected. Rather, anything that can be used to identify an individual – including IP addresses and cookie IDs – is now considered to be personal data and must be treated with the same care. So, for example, reverse IP-tracking, frequently used by marketers, is a practice that now requires explicit consent.
The GDPR requires consent for collection of personal data to be active and explicit. Pre-checked opt-in boxes are no longer acceptable and it must be as easy to fully or partly retract consent as it is to give it. Explicit consent means that it must be given actively, i.e., the user must check a box or otherwise agree to the contact they would like. It also has to be clear to the users what they are agreeing to, so the organization must explicitly set out what type of information the user is agreeing to receive, or what type of processing of their personal data they are agreeing to. For example, a user should be able to consent to cookies for the purpose of logging in, but not for targeted ads. The organisation must also document the consent and be able to show when and where the user has given their consent and what that consent covers.
What This Means for You
The GDPR requires a new attitude towards personal data. Gone are the days of collecting data just for the sake of it – in the future, the strength of your database will be in its quality, not quantity. When all your users actually want to receive information from you, your marketing will be more effective and you will achieve better ROI. Done right, the transition to GDPR compliance can actually be a huge advantage – and the schools that get it right from the start will have a competitive edge as other institutions struggle to catch up.
This could be a way to make the transition to GDPR compliance a competitive advantage for your school – what is your next step?