Few federal business laws seem to have triggered as much anxious activity as Canada’s new privacy legislation, the Personal Information Privacy and Electronic Documents Act (PIPEDA).
Avoiding fines of up to $100,000 is an incentive to adopt privacy practices, but more significantly, you can build brand equity by demonstrating concern for your customer base and by gaining your customers’ trust. Organizations that effectively integrate privacy and CRM are building a competitive advantage in their ability to market in this new era of restricted customer information.
With the law now in full force, many marketers are left feeling severely limited in connecting with customers and stakeholders. It’s a Catch-22 – just how do you initiate marketing communications with anyone when you need their permission to have the conversation in the first place?
Good news – there is a difference between the application of the law and best practices in privacy and CRM. Understanding how to create marketing opportunities as you comply with PIPEDA legislation can be a tremendous competitive advantage.
Fast-tracking privacy compliance requires a few steps. You’ll need to plan and implement a process to consolidate your many customer lists, verify that customers have provided consent and, looking forward, build new lists with privacy compliance in mind. Inevitably, marketing, sales and operations personnel will have to think differently; so making the privacy process work also requires a change management plan.
Begin by consolidating all of your organization’s customer lists, understand what you know about your customers and decide what personal information you can keep and what you must destroy.
For a business-to-business database, standard information that would appear on a business card is allowed. Retaining any other personal information requires consent.
When building a database of private citizens, you can collect names, addresses and phone numbers where they have not opted out of a published directory, or if they have allowed their information to be published and made publicly available.
Customer information has a way of getting into a lot of different computer programs and filing cabinets, but how do you track it all?
Start with your CRM application and verify your library of mailing lists, personal contact management programs such as ACT or Maximizer, address books such as Outlook, warranty and guarantee databases and lead databases.
The sources can be pervasive. A recent data inventory of a company with 250 employees revealed dozens of sources: nine different CRM systems across four divisions and another 23 contact management systems, all collecting and containing personal customer information.
Under PIPEDA, your organization must find these databases, itemize the information collected in each and confirm that you have both reason and consent to retain this information. No databases are exempt and no data is grandfathered.
Once you have existing information in compliance, work on creating opportunities to retain the customer information you need and eliminate what you don’t.
There’s a definite upside for marketers related to confirming consent – it’s a solid opportunity to deepen client relationships. One mid-sized financial services firm took smart steps around this: it created a complete marketing package to preemptively answer customers’ questions around privacy. Not only did the package serve a compliance purpose, it also demonstrated commitment to keeping customer information confidential, reiterated branding messages and created another way for the company to touch its customers.
Consider using the need to confirm consent within a marketing campaign, and conduct it as a CRM program. Remember, the point of CRM is to retain profitable customers and find prospects.
Contact existing, dormant and prospective customers, determine their ongoing interest and get their permission to gather personal information so you can market and sell what they need, when they need it.
Gathering consent can be a marketer’s bridge to generating more sales leads and building a truly relevant customer information file. Need more incentive? Consider this: Databases of opted-in customers are almost 10 times more valuable than general direct marketing lists.
Most CRM systems include information on individual preferences that is collected in templates such as the MacKay 66. While the information they contain can minimize a customer’s negative reaction to a sales proposition, it also presents PIPEDA challenges.
This CRM template gathers personal data, including favourite restaurants, religion, education, conversational interests and 62 other particulars. This information can no longer be gathered, stored and disclosed without customer consent. Companies, employing the MacKay 66 or similar customer profiles, have to look at how their CRM strategy may have been compromised.
One of the other best practices in becoming privacy compliant is to document a change management plan for your organization. Learning to live with PIPEDA requires marketers to modify the way they deal with customers, and to restructure sales processes and marketing scripts as well as to process customer data differently. An effective and compliant program needs the buy-in and commitment of staff.
Your change management plan should begin with education. Make sure employees understand what’s involved. The threat of financial penalties is enough to make most people let go of the relaxed ways of dealing with personal information.
Use information and training sessions to move people beyond the disorientation and confusion they will feel in adopting new processes. Demonstrate leadership from management on the importance of the privacy initiative and increase internal corporate communications to reinforce the commitment to privacy compliance.
The goal is to allow employees to learn and live this new reality of marketing to clients.
Marketers can use the process of becoming PIPEDA compliant to create sales opportunities by using their company’s commitment to protecting customer information as a brand-building event. This requires finding all of those company-sanctioned and rogue databases of customer information, determining what information to keep and what to delete and then getting explicit consent to build a high-value database of customers who have opted in to receiving marketing information.
Organizations executing this kind of integrated privacy strategy will have the right customer knowledge available at the right time to out-sell, out-manage, out-motivate and out-negotiate their competition.
Checklist for PIPEDA compliance
* Revisit the information architecture of your CRM system
* Design a privacy compliance change management plan
* Inventory and consolidate your customer lists
* Check for customer information in electronic and paper files
* Decide what information to keep and what to destroy
* Create opportunities to obtain permission for retaining personal information
* Train employees to understand and adopt privacy processes
* Confirm personal information consent within a CRM system
* Build new lists with privacy compliance in mind
* Reinforce the commitment to privacy compliance through corporate communications
Robert Gillelan is the president of CRMA Canada as well as privacy officer and senior practice leader for customer relationship management at Toronto-based krplink, a professional services firm specializing in integrated brand marketing communications. He can be reached at rgillelan@krplink.com.
