What's probably most important to understand about GDPR is that it isn't just a new regulation. It represents a change in our relationship with consumer privacy that's actually been coming down the pipeline for a while now.
GDPR Isn't New
It might feel like GDPR just appeared out of thin air, but that's not quite true.
While a lot of the fledgling privacy regulation's requirements have caught U.S. marketers by surprise, the EU has been at this a long time. Most of the requirements are actually based on the Data Protection Act of 1998 and the even older General Data Protection Directive.
That said, healthcare marketers (even those who don't live in California) are far from new to the consumer privacy conversation. HIPAA isn't exactly the same, but any organization that has been HIPAA compliant already understands the spirit of GDPR. There are some differences worth noting, though:
- HIPAA is organization-centric while GDPR applies to the individual consumer: Organizations outside America aren't required to abide by HIPAA, even when dealing with U.S. citizens, but a hospital in the U.S. that's treating a citizen of the EU can still be held to the standards of GDPR.
- Consent is a big deal under GDPR: While HIPAA allows healthcare organizations to process pretty much any information as long as it's properly secured during storage and transmission, under GDPR organizations must get consent.
- HIPAA doesn't acknowledge the right to be forgotten. GDPR does: Under GDPR, individuals can request that their history, health habits included, be forgotten. While not an issue in practice, this fact could pose problems for some organizations (think insurance providers).
- Marketing can look a lot different under GDPR: While HIPAA doesn't explicitly prohibit a healthcare organization (controller) from allowing a third party agency (processor) to send out marketing messages without consent, GDPR has set restrictions.
Remember that even in a digital context, just because you're located in the U.S., it doesn't mean that GDPR doesn't apply to you. If you collect emails or any type of digital information, even just from EU website visitors, you're subject to GDPR requirements and penalties.
Dumping Behavioral Data
GDPR doesn't have a massive impact on healthcare marketers right this second, but it does represent a shift in how we use data. That's something any marketer should be paying attention to.
GDPR potentially puts a big damper on marketers who collect and track behavioral data. What used to be allowed carte blanche (think of techniques like targeted advertising and cookies) is now in jeopardy of being checked if the U.S. ever decides to take a similar path. That might hamstring a lot of marketers, but smart professionals will start paying attention to an alternative — contextual advertising.
Contextual advertising and communication leaves behind behavioral tracking and focuses on what consumers are looking at in real time. For example, instead of simply tracking newly pregnant women across the internet to advertise recent investment in upgrading your maternity services, you'd place a contextual ad on an article about the benefits of birthing suites. While not as common as advertising based on behavioral data today, many advertisers are already using contextual advertising, and we can expect to see more options emerging in the future.
What It All Means for Healthcare
Remember that your patients live most of their lives as consumers. In a borderless economy where they will be running into a world shaped by GDPR standards, it's best to consider getting ahead of their shifting demands.
Listen to Consumers
Keep in mind that while healthcare consumers do have a love-hate relationship with behavioral targeting, their attitudes are largely dependent on trust.
Research continues to support the idea that consumers feel very differently about advertising that is tailored to their interests than advertising that isn't. They're also more open to ads from someone they've done business with before than they are to solicitation from their less relevant counterparts. For hospitals, this will mean targeted, permission-based marketing will become even more important as other forms of advertising bump up against regulations, or simply no longer fit with consumer trends. It will also mean that personalized marketing efforts will carry even more weight in the future. Your CMS is going to be a powerful tool as we move toward a world that continues to double down on permission-based marketing.
Consider Changing a Few Policies Today
GDPR has put an end to the pre-checked opt-in box, and it might be worth getting ahead of U.S. regulations today. If you have any newsletter or email lists that aren't built on subscribers positively opting in, they should probably be revamped. Do you have to make the change? Not yet. But getting ahead of what is most likely inevitable never hurt, either.
Connect With People Who Know
If your organization is bringing on a data protection officer (DPO) as a result of GDPR, it's time to have conversations with them to get familiar with what your organization is doing — not only to navigate GDPR but also to get ahead of customer demands in the future. If you don't have access to a DPO, start conversations with your CISO or any high-level security officer who would have similar understanding of governance and end-to-end processes.
The most important thing any healthcare marketer can do in the wake of GDPR is accept that we're looking at much more than new regulations. Healthcare marketing, and marketing overall, is going through a mindset shift that centers around the consumer's privacy. Any marketing team that prioritizes the consumer experience will be well prepared for any changes GDPR happens to bring with it.