Strict consumer data privacy and security regulations aren’t new to the financial services sector. However, the EU’s General Data Protection Regulation (GDPR) and ePrivacy regulations add new layers of complexity to existing practices, forcing financial institutions to rethink business as usual when it comes to customer data. These regulations don’t only apply to banks in Europe, but also to U.S. institutions that offer any services to EU residents, and vice versa.
For financial service marketers, GDPR’s tightening of data privacy rules seems directly at odds with a simultaneous mandate to innovate their digital strategy and deliver better customer experiences with data. Consumers demand highly personalized marketing, yet are rightfully concerned about the security of their personal and financial data across channels, devices, and data owners.
GDPR creates new challenges for marketers that use data to target people. Two things compound this concern. First is the increased power granted to regulators to enforce these new rules and impose significant fines for non-compliance. Second is the expansion of regulations to companies that control data of EU customers — regardless of the company’s location.
However, for financial services brands that prepare today, there are corresponding competitive advantages and opportunities to seize when GDPR goes into effect next year. Better privacy of personal data and better personalized marketing aren’t mutually exclusive. Here are three GDPR challenges and opportunities that financial service brands must tackle today to prepare for GDPR.
1. Required Explicit Consent
Post GDPR, financial service brands will no longer be able to fall back on implied consent or opt-ins to collect, use, and share personal data. This is a challenge because behavioral data (e.g. general website browsing) and transaction-related data (e.g. logging into online banking to complete a transaction) are rich sources of information used to build customer profiles and segments.
Marketers can use profiles and segments to target consumers with personalized offers for loans, accounts, credit cards, insurance plans and other products. With GDPR, banks and financial service brands will need to get explicit consent (opt-in) from customers before continuing to collect data for this purpose. This challenge is increased by the fact that consumers may also at any time request that the financial service brand permanently delete their data across all systems.
====== OPPORTUNITY ======
While marketers have targeted consumers with data for a long time, most people are unaware how these practices work. GDPR provides an opportunity for financial service brands to increase transparency. The opportunity goes well beyond compliance to avoid fines, and marketers can take a proactive stance with data protection and privacy communication as a true market differentiator.
GDPR mandates that companies redesign and change how they communicate privacy disclosures. Doing so in clear and transparent ways will create more general trust. This will increase the probability that consumers opt in to have their data shared. It will also make people more comfortable and trusting when transacting business and sharing data across multiple digital channels and devices, which in turn will provide better data for personalized marketing.
2. Mandates to Minimize Data
“Big data” has circulated in the marketing world for years. More recently, “smart data” came to the fore, as companies realize that actionable data is most important. Under GDPR, financial service brands will be required to get even “smarter” about their data. This is because they’ll only be allowed to collect and process the minimum amount of customer data that’s absolutely necessary for a specific purpose.
This is an obvious challenge as it requires financial service brands to adopt a leaner and more deliberate approach to all of their customer data. Companies will no longer be able to simply collect and hold data indefinitely to figure out if it’s useful at some point, but will need to specify objectives and uses ahead of time. Financial service brands will need to communicate these uses to customers as part of normal disclosures and also dispose of the data after the objective is achieved.
====== OPPORTUNITY ======
While this requires more proactive work, minimizing and disposing of data after a project or campaign provides competitive opportunities too. Financial service brands should start now to establish better internal communications between data privacy/compliance officers, data analysts, and the marketers who ultimately use the data, whether for marketing on the brand’s website, or through other digital channels like email or a mobile app.
Needing to define a specific purpose for collecting and using customer data is positive for marketing strategy, both for the brand and the customer. There are a lot of data sources that financial service brands can pull from in order to target customers with specific products. This includes web/app analytics, CRM, and even offline data. This new framework will help make marketing campaigns more relevant and targeted because the brand must start with an objective and define the specific data required for that campaign instead of saying: “we have a massive data set, what can we do with it?”
Minimizing the data that’s used for specific campaigns will increase the probability that the message will provide relevant value to each individual customer. Disposing of data mitigates risks for that data from a security perspective, but also helps ensure that potentially stale or irrelevant data doesn’t make its way into a future marketing message.
3. Privacy by Design
The GDPR mandates the inclusion of data protection at the outset of any project or development of any system across the entire customer relationship. This includes when data is used internally or shared externally with third parties (e.g. a bank is making internal updates to its mobile app or shares customer data with a marketing automation technology vendor).
This requires financial service brands to have a handle on all of their data and understand who owns it, who can access it, and who uses it for what purpose. The challenge is increased by the fact that marketers use personal data in so many ways, such as IP addresses for geo-targeting, cookies for web personalization, and device identifiers for even more granular demographic targeting, all of which GDPR defines as personal data.
====== OPPORTUNITY ======
Again, the benefits of GDPR compliance transcend avoiding fines. It gives marketers confidence to engage with customers across more digital channels. It can also protect against customer churn — a critical point when marketing investment to acquire new customers is much higher than it is to retain and upsell existing ones. According to Capgemini Consulting, security concerns deter nearly half of consumers (47%) from using digital channels. Considering that 74% of consumers would switch their bank or insurer in the event of a data breach, it can also reduce churn and lure customers from competitors.
Regarding technology, financial service brands should start assessing their existing platforms such as cloud platforms, data analytics platforms, data management platforms (DMPs) and the appropriate tools for compliance and general best data practices ahead of and after GDPR. This includes platforms for GRC (governance, risk & compliance) and CRM (customer relationship management). In many cases, financial service brands will need to completely modernize or shift their data infrastructure to ensure GDPR compliance.
Many of these solutions are provided or hosted by large public marketing cloud vendors, and with GDPR, companies need to weigh these solutions against other platforms that they build in house or where customer data is collected, stored, and actioned all on premise or in a private cloud environment — providing greater control and flexible data management. While technology may need to catch up to the law, Aurélie Pols, a former Data Governance and Privacy Engineer, has some interesting thoughts about whether GDPR is about the law catching up with technology.
Data is and will continue to be the lifeblood of marketing insights and digital campaigns for financial brands. As GDPR gets closer and eventually goes into effect, these companies will need to find the best way to comply with all new regulations but not sacrifice the best customer experience across all digital marketing channels. And the three examples above only touch on a few of the regulations banks and financial service brands must address to stay compliant.
The good news is that customers continue to show willingness to exchange personal data for more personalization. But the ability to protect that data is important to consumers when deciding what bank, credit card, or insurance company to use. New data regulations like GDPR don’t need to hamper these efforts, and in fact, when planned for correctly, they provide many opportunities to sharpen and enhance those marketing efforts while gaining the long term trust of customers.