When does your CRM marketing plan morph into a data privacy project?

August 2020

Marketing plan: 10 tips for turning your database into a goldmine

I’ve worked with a lot of organisations that ask me, quite reasonably, whether they can leverage their customer database to deliver more business. I say, “Absolutely, let’s do it, but if you’re developing a customer data strategy, you need a privacy strategy to go alongside it.”


Sometimes, my clients are sitting on large databases which have grown organically over the years – companies are proud of their databases. A large database, even unused, is like a commercial comfort blanket. ‘Surely, it’s good to have a lot of data even if I’m not sure where it came from?’

And sometimes, my clients have no databases but want to start building one up to help deliver their commercial objectives. In this case, their question is often “Where do I start?”

With the introduction of GDPR came a very welcome focus on developing coherent, customer-focused strategies for leveraging sleeping giants or nurturing a nascent database.

In a nutshell, we should get very excited about new business opportunities, but we also need to tread carefully. We have to ask the tedious questions like:

  • do you have permission to market to these people?
  • when did you last communicate with these people?
  • do you have a retention policy in place?
  • how do you keep track of marketing permissions?

This is followed by a collective groan whilst we start to understand whether we really are sitting on a goldmine.

Here are my top 10 tips for turning your database into a goldmine:

1. Where is your customer data?

Perversely, as technology becomes a bigger part of our business operations, the organisational silos have grown. This means a challenging time for management as they figure out where all the buckets of customer data sit.

Databases can spring up like mushrooms all over the organisation and it’s important to ensure you know where all the customer records are – not least so that the poor customer receives a consistent service from you.

2. What permissions do you have?

Find out what marketing permissions have been given. When were these collected and what opt-in/opt-out statements were used? If the answer is “I don’t know”, you need to do a bit of stripping back until you are confident you have robust data. You may need to carefully communicate with your customers to update those permissions.

3. Is your privacy notice up to date?

In order to market to customers, it’s important to set out in your privacy notice what you intend to do. For some, it can be a novel idea to have a plan but it’s a good discipline to have some visibility, in advance, of what you plan to do with your data. This includes emailing, profiling, social media marketing, data sharing, cookie management and so on.

4. Do you have an email preference centre?

This is immensely useful if you want to avoid a ‘one size fits all’ marketing opt-in/opt-out. Maybe you want to subscribe to products from one part of the organisation but not another.

I used to work at the Guardian: I like sports news but don’t like entertainment news and want to be able to choose one email over the other. A technology solution helps to keep these up to date as well as keeping a record of what was presented.

5. What about your cookie policy?

Is it compliant, is it up to date, are permissions stored somewhere safe? Can they be updated? Do you work with ad tech partners? Again, for larger businesses with complex cookie management, a technical solution will help you keep on top of the detail.

6. Do you have a clear view about consent and legitimate interest?

Be clear about when to use each permission type and what lawful basis you are relying on. We shouldn’t believe consent is superior to legitimate interests; they are equal in law, but sometimes consent is a requirement. It adds complexity to managing your marketing permissions, but strategically using legitimate interests has a significant effect on your ability to market to different constituencies through different channels.

7. What about your emails?

Are you familiar with the difference between GDPR and PECR and how they interact with each other? Are you emailing your customers? If so, you may be able to rely on the soft opt-in for marketing permissions rather than consent. Again, it makes a huge difference to the size of your addressable audience.

8. Is your marketing stack up to the job?

Can it maintain a mixture of permissions in one platform and retain its integrity over time? Having rules in place can help you to automate when you need to change the status of individuals’ marketing permissions.

Do you know where your marketing tech providers process the data? With the latest pronouncements from the CJEU on Schrems II, where data is processed has become a hot topic.

9. How transparent are you with your customers?

Have you explained to your customers why you are capturing their data and what you’ll do with it? Have you provided a good answer to the customers’ question, “What’s in it for me?” Channel 4 and The Guardian do this well.

10. How long are you going to keep this data for?

In many cases, not a lot of time was spent worrying about data retention when GDPR was introduced but now, more than 2 years later, any gaps in your retention policies are starting to look like glaring holes.

It’s most definitely time to make sure you know what you’re going to do with the data – Keep it? Re-permission it? Delete it? Anonymise it? Pseudonymise it? So many choices!!! The DPN have produced detailed data retention guidance to help tackle this topic.

And finally, take your marketing team on the journey with you. Explain why we need a strategy for privacy, and how this is a branding job as much as any other campaign. It should reflect our company values and reassure customers that we are good people to do business with.

