14 January 2019

Customer Experience in the GDPR era

We’re almost a year into GDPR and even though the seminars, social media posts, whitepapers and other content pieces about the subject have waned, GDPR is not dead — far from it. As more firms are embarking on a digital transformation journey, we noticed that GDPR still causes many uncertainties. The question almost always boils down to, “How can we remain competitive in a world where tight regulations with legal punishments are imposed for data gathering, regardless of whether it’s marketing data, personnel data, or any other kind of data we have or need about a person?”

customer experience

Marketing teams specifically struggle to rhyme GDPR and digital marketing: “What do we need to do about our website to be GDPR compliant?”, “Can we still send out marketing emails?”, “How can we grow our contact database when only opt-in is allowed?”. These are just a few questions we still receive regularly. We like to point out to our clients that the question is actually much broader, though: “How do GDPR and customer experience relate to each other, and how can you benefit from GDPR to improve your customer experience?”.

GDPR, the regulation

A good starting point is to review first the regulation. GDPR stands for General Data Protection Regulation and came into effect on May 25, 2018. The regulation was instituted by the European Commission to bring the 1995 Data Protection Directive up to date for the digital era.

The purpose of GDPR is to return control to individuals and thereby to create the trust that will allow the digital economy to develop. With GDPR, Europe gives individuals back the control over the personal data that governments, organisations and companies may or may not have. The individual is in the driver seat and is now determining what a company can or cannot know about him, and for how long. It’s important to emphasize that despite it being a European regulation, GDPR applies to any company that processes the data of European citizens or residents. US or Asian companies, for example, need to comply with GDPR as well. That is GDPR in a nutshell.

Clearly, GDPR has an impact on every company as every firm contains data; consider just your personnel data, for example. Every job role in a company that uses an individual’s data needs to understand GDPR—from sales and marketing to administration and HR. The legal actions are just too severe.

CX challenges

“Trust” has become a key word in marketing speak about GDPR. Without trust, it is difficult—if not impossible—to gain an individual’s permission to process their data, thereby improving a company’s competitive position. In the GDPR era, the purpose of customer experience and engagement is to establish that “trust”.

Marketing teams are facing the challenge to create the trust even before the journey with a customer starts. How do you build trust from a customer before he has ever engaged with your brand? Then how can you gain his trust so that he is willing to share, and trust, his personal data with you?

There are several techniques that help marketers and CX teams to gain that trust.

Customer centricity

In the GDPR era, trust is built by offering genuine value. In return for the value, a contact should not mind sharing his data with companies. Developing a customer-centric marketing approach across the different channels—online and offline—is, therefore, of essence. Core to that customer-centric approach is a content marketing strategy along the customer journey: by offering your contacts valuable and desirable content, you will be able to build an audience.

The reasoning behind it is logical. If content is offered free of product or commercial pitches, “without any strings attached”, your contacts will want to consume more of your content. They will start to trust your brand and perceive your company as a reliable and trustworthy source of value. That promise will increase positive responses to the request for personal data.

By thoroughly mapping the “journey” which your contacts take, marketing teams will become more effective and will receive more and more information from the contact, without being intrusive. As the trust between the customer and your company grows, the impact on the business will be favourable. We notice that, once applied, more and more companies understand the value of this practice and adopt more advanced and complex techniques of a customer-centric approach in their multi-channel marketing.

Website, digital heart of a company

Thousands and thousands of euros are spent on corporate websites these days. Rightly so as they are indeed the digital heart of a company. Much more than a virtual showroom, websites that are deployed to its fullest convert contacts into leads and customers.

Since GDPR is around, CX teams know that the website is a unique opportunity to show first-time contacts that you as a company care about them. A GDPR-compliant website will help you gain the trust from your customers at the start of their journey with you.

One of the first visible techniques to make your website GDPR compliant is by having both a privacy and cookie policy in place that is published and easily visible on your site. The policy should tell the visitors what data you are capturing, for which purpose, who gets to view it, for how long you will store the data and more. As GDPR is about putting the citizen in the driver seat, you need to ask his permission to access his data captured via cookies.

While not directly covered by GDPR, cookies create a unique string of characters that can identify a device, which can, in turn, create a profile and activity data that can then further identify an individual; cookies that track individual user activity should, thus, be treated as personally identifiable information and only enabled with explicit consent.

Cookies, at the moment, fall under the Privacy and Electronic Communications Directive of 2002, not GDPR. The draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation [ePR]) published in January 2017 aims to supersede this directive and centralise cookie consent in software such as internet browsers, thereby handing more power to users over their data rather than via website banners that the average user ignores.

However, making a website GDPR proof requires more than just looking into your privacy and cookie policy. Forms, for example, need to be adjusted with the so-called “opt-in” functionality. Visitors should be able to decide whether or not to grant the company the right to have and to use their data.

GDPR is strict about data storage and grants individuals the right for deletion of their contact data, regardless of the way in which it was acquired. As data security is a major element in GDPR, companies need to have a back-up system in place in case of errors or data leaks. In that same vein, an HTTPS connection of your website is required to ensure data captured via forms on your site is safe. An SSL certificate will secure the connection between your website and your visitor through encryption. This investment has advantages outside of GDPR as well; for instance, Google will deem your site unsafe if there is no SSL certificate. Consequently, your company will have unfavourable positions in online searches.

Optimise your CX technology to build trust

A variety of tools are at our disposal these days to collect and use any kind of data from a contact. As stated above, their optimal use will enable companies to create that personal experience with the contact. Nurturing a contact’s data rightfully acquired in a customer-centric approach will enhance the customer experience and will build up the trust during the customer journey.

Technology such as marketing automation tools and CRM systems play a central role in that. Such tools use cookies of a website in the form of tracking scripts to create lead scoring models that influence automated flows and trigger sales responses. That fits the definition of profiling under the GDPR: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.

The crux of the matter is not that profiling itself is illegal under GDPR, but rather automated decisions based on profiling that create legal effects or can similarly significantly affect an individual. Examples used in the GDPR text itself include automated decisions on credit card requests or HR departments automatically processing CVs and rejecting without human interaction.

However, if a visitor accepts the cookies and his further contact data has been obtained with consent, CX teams can work with it and develop the engagement.

Lead scoring therefore can definitely still be done and is recommended, however, only under the requirement that all contacts are treated equally and involve a human element when any potential legally impacting issues arise. That means an airline company cannot, for example, show higher ticket prices to a website visitor coming from an Apple computer because of their perceived affluence. And if your HR department wants to begin automated applicant screening, there should be at least a cursory manual review of each applicant.

To conclude

GDPR requires a continuous focus of CX teams. When done right, GDPR is beneficial to the business. A customer-centric approach throughout all customer touchpoints—not only digital—will help to build trust with contacts: trust that is becoming more and more essential to grow the business. Technology such as CRM and marketing automation tools are indispensable to guide contacts through their journey in a non-intrusive manner.