Almost everything we do has been affected by Covid-19 – the way we use customer data is no exception. In adjusting your communication to reflect the sudden change in consumer habits, it’s key to adhere to data guidelines, including GDPR.

You can only use data for the purpose for which it was collected and only retain it for a reasonable amount of time before either erasing or reviewing it. GDPR doesn’t specify how long companies can hold information, but brands are advised to introduce their own guidelines to protect themselves and respect their customers’ rights.

If someone opted in but has stopped interacting, you should consider removing them from your database after a year. However, online purchasing habits are likely to have shifted recently; in-store ones definitely have.

You don’t want to run the risk of inadvertently making a customer appear inactive when circumstances simply prevent them from engaging as they otherwise would. The solution? Keep talking to your customers and find appealing ways to stay in touch with them.

Review your segmentation strategies

Many business rules for customer segmentation and targeting are based on purchase data and may need to be temporarily altered to reflect any customer behavior changes and purchasing patterns.

This could involve temporarily suspending the use of incentives to lapsed customers. Putting a pause into your segment criteria will enable you to accommodate this period of enforced inactivity.

Alongside reviewing segmentation strategies, you should also review any auto-triggered communications to ensure inappropriate offers don’t slip out under the radar.

Make customer relationship management a priority

Good CRM is impactful because it enables your brand to resonate directly and personally with people. With internet use purportedly doubling in the first two weeks of this crisis, email and online have really come to the fore.

Keep craft at the heart of your emails. There is no excuse for not sending out thoughtful and engaging comms. That means creating personalized and relevant messages.

As for content, the key is to identify what the customer wants from your brand during the crisis and what they’re looking forward to when the lockdown is lifted. 

Looking ahead to life after coronavirus

Consider your warm-up strategy carefully when business begins to return to normal. Customers are going to be bombarded. How will your brand stand out from the crowd?

In some cases, a re-permission approach will be a good idea. If customers were close to being defined as inactive before the slowdown in trading, it would be better to invite them to stay in the loop rather than presume they want to. You may also be able to use legitimate interest and servicing principles to let a broader group of customers know your company is back up and running. The Information Commissioner’s Office provides some useful advice here.

Brands will have an important role to play as we gradually emerge from this crisis. Using your customer data wisely and considerately during this crisis will help you make the most of the positive times ahead.

In politics decision making takes time, especially when there is a lot at stake. In Brussels, home of the European Union, this has been the case for the new EU data protection package.

Last June, the EU Civil Liberties and Justice Committee (aka LIBE) entered “trilogue” negotiations between the EU Parliament (representing us, the citizens), the EU Commission (the government of the EU) and the EU Council (all 28 heads of EU member states’ governments) on the proposed changes in Data Protection regulations. On the 17th of December 2015 LIBE announced that all parties have finally reached agreement consensus.

The major points of the package are:

• Explicit consent: Companies that want to use personal data for purposes other than delivering the service for which their clients provide the data, must seek formal, written permission from the client for such use. No more “general data processing” tick boxes. Instead, companies will need “explicit consent.”
• Right to be forgotten: In some instances, like when the data has been collected during a time when the data subject was a minor and in need of parental consent, data subjects have a “right to be forgotten.” Their personal data must be removed from IT systems, including those in test environments.
• Privacy by design: All IT systems must be “privacy ready.” Data protection must be by design, not as an afterthought.
• Onerous fines: Failure to comply will be met with massive fines, up to 4 percent of the offender’s global turnover. For large global companies, this could amount to billions.
• Timeframe: Upon enactment, companies will have two years to adopt.

As the LIBE rapporteur, Jan Albrecht put it, “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.”

How easy is it to ‘forget’?

The new rules coming into force with the arrival of the EU Data Regulations pose a major challenge for all companies that collect and store personal data. Take for example the “Right to be forgotten.” To be able to execute on this law it requires companies to be in control of where any personally identifiable information (PII) resides within their systems. This might sound pretty simple, but it’s far from it; organisations not only need to consider their own back-end databases and backups, but they also need to consider any data being used by outsourcers, partners or cloud service providers they’re working with. In many cases, data could even be in use outside of the EU—in the systems of an outsourcer developing mainframe applications for the business, for example. This would instantly create a breach of the new EU regulations unless the proper controls were in place.

we consent to having our data used for system testing?

Explicit consent seems simple. We all know the tick boxes that we already see when doing business online. But do we ever read and understand what our data is collected and used for? What data do these online services need to deliver the service request and what kind of data is collected that has ‘purposes other than delivering the service for which the clients provide the data”? Do we consent to the latter?

Translating this issue from legal into IT lingo, we can take testing as an example: testing applications with real personal data will require an explicit consent of the end customer. If customers were to reject to the usage of their data in testing it could severely impact application testing. Complex applications, such as those developed for the mainframe, are often tested using live customer data in order to create an impression of how they’ll perform in the real world. However, this practice is already unlawful when businesses have not treated the data as personal and put stringent controls in place, not to mention informing people what their data will be used for beyond “normal business.” This is even more significant when the data is being used by third-parties, such as outsourcers. Unless the business has explicit consent from the customer for their data to be handed to an outsourcer and used in controlled testing environments, they’ll be in direct breach of the new EU legislations and face a painful fine.

Impact on testing/development

Alarmingly, research by Compuware indicates that many businesses lack a clear understanding of how their testing practices will be impacted by the new data protection legislation. A fifth of firms do not mask or protect customer data before sharing it with outsourcers, with the vast majority of them relying on non-disclosure agreements that in essence do not satisfy even current data privacy regulation. It is therefore extremely important for all businesses to start looking at their testing practices to ensure that they can comply with the “privacy by design” demand of the EU laws.

If any real personal data is used for testing, it’s high time to start protecting it with a test data privacy project to ensure compliance with the existing as well as new EU regulations. There is absolutely no excuse for continuing to use unmasked customer data in testing projects, and those that continue to do so will have nowhere left to hide when the EU legislators come calling.

Like this article? Subscribe to our weekly newsletter to never miss out!

Follow @DataconomyMedia