The EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. In the preceding months, despite assurances from the Information Commissioner’s Office (ICO) of rigorous enforcement and fines for non-compliance of up to 4% of global turnover, research from Dell revealed that a staggering 97% of companies had no plan in place to prepare for the new laws, and only 9% expected to be ready in time. Marketers panicked that they would lose their mailing lists or become unable to send out campaigns to win new customers.
Since May 2018, the month that saw a last-minute deluge of GDPR opt-in emails in every inbox, how is compliance (or non-compliance) affecting businesses, and what are the biggest challenges?
Taking security seriously
Whilst the 2018 shake-up in data collection, data storage and privacy laws undoubtedly represents an ongoing challenge for businesses, delaying the compliance process is likely to cause cost and inconvenience in the long-run.
Avoidance of the changes could lead to scrutiny by the ICO, hefty fines, misuse claims by members of the public, damage to brand image and reputation, and even potential PPI-type compensation claims.
Even before GDPR, in October 2017, Heathrow Airport was fined £120,000 for a data security breach, and in the first 9 months since the law became enforceable, European data protection agencies issued fines totalling €56m for GDPR breaches from over 200,000 cases.
Yet according to a survey by Hiscox, there is still a lack of awareness amongst business owners when it comes to the consequences of non-compliance. 39% don’t yet know whom GDPR affects, and 10% of small to medium-sized businesses don’t think that consumers have any new rights following the introduction of GDPR! (Spoiler alert… They do).
Who does GDPR affect?
GDPR affects anyone controlling or processing personal data pertaining to EU citizens. UK businesses still need to comply, even after the UK has ‘Brexited’.
The law exists to protect people’s data, making sure organisations only store and use data where they have permission to do so.
There are 6 legal premises on which data processing can be applied:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
The new regime has already produced challenges of accountability and transparency. These represent cultural as well as organisational changes.
The law has also had what could be viewed as a negative impact on mailing lists. A recent survey of organisations in the charity sector found that over half have seen the number of supporters they contact by email drop as a result of GDPR. However, the damage was not nearly so bad as many predicted. A study by Litmus showed that of brands who are fully compliant with GDPR, 60% saw their email lists shrink by less than 10%.
What does GDPR mean for airports?
GDPR requires airports of all sizes to make sure that the capture, storage and distribution of passenger data remains secure and protected. The Passenger Name Record (PNR), which was originally used to compare flight passenger data such as identity and destination against information held by security and border agencies around the world, is enhanced by GDPR to protect passenger data.
- PNR can only be used for the ‘fight against terrorism’
- Data cannot contain information about ethnicity, race, or political or religious beliefs
- After six months, the data must be depersonalised by removing names, addresses and other contact information
- After five years, the data must be deleted
As airports move further into the world of ecommerce in order to meet customer expectation, data is used to satisfy consumer demands for parking, travel, shopping and a personalised experience.
DPAS Chief Data Protection Officer Nigel Gooding explains:
“GDPR extends beyond just security and ecommerce. The geographic scope for GDPR is now global. If you are based with the EU, then every piece of customer data you collect regardless of whether they are EU citizens or based within the EU is now is scope. In addition, for airlines, airports and travel operators processing personal data of people within the EU are also required to be GDPR compliant. GDPR will affect every international operator of Airports throughout the World. The determination of scope needs careful review, but this will be a surprise to many operators outside the EU.”
GDPR and Email Marketing: An Opportunity for Growth
In today’s digital ecosystem, GDPR offers airport marketers the potential to up their game. The tighter regulations offer a golden opportunity to explore new ways to use technology and data to contact more passengers more effectively, and campaigns are reaching a more engaged customer base.
Clean data is good data
“Data is the new oil. It’s valuable, but if unrefined it cannot really be used.” Clive Humby, architect of the Tesco Clubcard, 2006
In the past, much as the CEO asserted his importance by the size of his desk, marketing departments measured their success by the extent of the database. However, that old adage, “size matters,” no longer applies. What is important is clean data – up-to-date, accurate and relevant – where personal data and its use should be acceptable to the individual. For data analytics to work anywhere near its full potential, clean data is essential.
In fact, unengaged and inactive subscribers can actually damage your mailing list due to the very real negative impact that bad data can have on machine learning. GDPR has forced many brands to remove these email addresses, which has resulted in:
- Higher quality data
- Better subscriber engagement
- Better deliverability
- More reliable A/B testing since more subscribers are engaged
- Higher open and click-through rates
When databases as they previously existed had to be written off, creating the necessity to refresh opt-in consent by contacting customers and potential customers, marketers were handed the chance to learn more about their client base. Clean data offers the opportunity to discover your customers’ real buying potential and purchasing triggers, and, during that process, to sell or make offers directly to them. Couple this data gathering with Rezcomm’s CRM systems and email marketing support, and you have reliable, timely customer insights to work from.
Viewed in this light, the compliance process is an ongoing way to improve market knowledge, drive sales and recruit new customers – a chance to assess the data you have, the data you need, and the most effective use for that data, revamping your email marketing strategy for the better.
‘Your Insight is Only as Good as the Data You Hold’ explores the issue of good quality data further.
Record Management
One of the biggest changes in GDPR is the requirement to tell customers the purpose for which you will use their data, and even how long you will keep that data. This means data storage now has to be reviewed regularly. This potentially unwelcome task can be viewed as an enormous marketing plus-point when you realise that without this basic aspect of data cleansing, systems quickly become clogged with out-of-date, inaccurate, often completely useless data.
Much like it’s sometimes necessary but never pleasant to clear out the refrigerator, effective record management prevents your email marketing from turning stale, and timely customer interactions actually make your campaigns more effective. Other positive results include reduced storage costs and a lower risk of security breaches or regulatory intervention.
The reality is, GDPR is already having a positive impact on ROI for many businesses. Imagine your ecommerce business has a CRM database of 20 million customers, but when implementing GDPR it turns out that 3 million of those are deceased. Once you have cleaned up the database and taken steps to keep it up-to-date, not only are you compliant with the law, you will also save a huge amount of money and resources in direct marketing costs such as printing, design and communications.
Employee Confidence
The new laws and compliances are complex and have far-reaching implications. Seek help from an established, reliable expert to implement the changes in data collection and email marketing. Rezcomm works to ensure that its ‘world’s first’ combined platform for airport sales, marketing and customer centric analytics complies with the latest regulations, giving our clients the safety they need. Individual employees can do their jobs, safe in the knowledge that they are within the law, and this security is passed on to the customer too.
Consumer Trust
The online world is ambiguous and anonymous. It’s a ‘virtual reality’ that siphons off real-life information at a scary rate. In 2015, research firm Mintel found that only 36% of customers trust large brands, with transparency being one of the biggest factors in winning customer confidence. Taking GDPR seriously within your brand and in your interactions with customers will establish trust. This vital aspect of customer relations is invariably reflected in sales.
Online security is an ever deepening issue. According to Bright Talk, global spend on cybersecurity solutions will grow 33% by 2022, reaching $134 billion annually. The threat of data breaches is more present than ever as attackers become more sophisticated. Compliance is no longer just about staying on the right side of the law; it’s about earning, gaining and keeping your passengers’ trust, and their ongoing custom.
Worldwide Compliance
GDPR represents a unification of the many international data protection laws. It is also one of the strictest data legislations worldwide. In bringing existing data up to the new standards, and complying with GDPR in collecting new data, it is likely that you will be on the right side of other international email regulations too.
How technology can help
Rezcomm’s integrated ecommerce solution features a Data Subject Access Request (DSAR) module that allows airports smooth passage through the GDPR maze. At its core, the DSAR module is a system that lets you search for, assemble and work through data requests in a way that is transparent, both operationally and for the purposes of auditing.
Rezcomm understand the importance of capturing data subject access requests in a way that shows compliance. It is worth noting that since accountability is one of the main principles of data protection, in the event of a security breach, evidence of compliance goes a long way towards resolving any problem with the ICO.
The data captured by the DSAR module pertains to ‘subjects’ (customers, employees and third parties) whose personal data can be used, stored, or processed by your airport. The system allows customers (data subjects) to submit requests directly to your airport – these are made directly via a web form linked in your privacy policy – and keeps a strict record of every action you take to meet their needs. This means you can demonstrate compliance. Record keeping is automated as part of the process of fulfilling the data subject requests.
Airports can also use the system to manage their workflows and help teams in meeting deadlines, making for much greater operational efficiency.
This module is designed purely with the aim of making the GDPR easier to manage: All part of Rezcomm’s goal to take the guesswork out of ecommerce for airports!
Rezcomm has access to data from a quarter of a billion passengers worldwide and is expert in accelerating airport revenue through smart, intuitive tech. If you have any questions about how GDPR could affect your airport, or would like advice on how you can achieve compliance, contact us for a chat.
If you have any further questions regarding data protection and the impact of GDPR, the team at Data Privacy Advisory Service will be happy to help.
As Chief Digital Officer at Rezcomm, Victoria specialises in Digital marketing, CRM, digital design, UI, UX, email marketing, airports, innovation, technology, travel, parking, and ecommerce.
