Tag Archives: GDPR

Aardvark Marketing Consultants | SaaS is a raw deal

SaaS is a raw deal

SaaS is a raw deal

Software as a service (SaaS) is here to stay. Suppliers have moved to a new model, the ‘pay as you go’ system. Those of us who remember the old-fashioned way to purchase IT, when you bought a disk with your program for a fixed, upfront price that you downloaded onto your computer, are increasingly seen as out of touch ‘dinosaurs’, whose ‘rose-tinted’ views are frequently dismissed as being hopelessly behind the times.

It’s easy to see why software providers have taken this route. From a service provider point of view the monthly subscription model practically guarantees a regular and more predictable cashflow into the business, with users paying each month rather than when they buy an upgrade. The monthly fees look manageable to a prospective customer, they don’t have to find the whole cost and pay for it upfront. No longer do you have to provide support for customers who don’t want to replace or upgrade their older systems, as upgrades are done for everyone, automatically. Because change is always disruptive, users will be reluctant to move to a competitor once they’ve made the switch to your software. Finally, our legislators sometimes play into their hands by insisting that we switch. Recent GDPR legislation and the UK’s forthcoming ‘Making Tax Digital’ requirements have allowed the industry, with its well-placed and influential lobbyists, insist that every business – no matter how large or small – comply with the same digital rules which are difficult or impossible to do without upgrading your IT software.

But is this a raw deal for the customer? Have we got SaaD (Software as a Disservice)?

It’s possible.

Here’s why

  • Pay as you go means you’re still locked into the product in precisely the same way as before because coming out still means moving data from one system to another. This means management time, effort and hassle to change systems. It’s still risky to switch provider.
  • Monthly fees can easily outstrip what you would have paid over the lifetime use of the product e.g. a £300 one-off price tag is the equivalent of just over a year at £22 per month subscription. Given that most purchased software would last a business more than 2 to 3 years before it needed upgrading, that’s an increased cost of £492 or over 2 ½ times the cost of buying outright.
  • Problems with products are not always dealt with by the supplier and can develop after the initial installation. If a business had a problem installing a new product this would result in a complaint and getting the issue fixed. With pay as you go, glitches are not always detected and resolved at the outset, leaving the customer with a product that doesn’t work and the unappealing prospect of trying to get through to a real person in the software company that has the knowledge to fix it. I personally abhor the practice many suppliers use of hiding their support contact phone number and instead keeping you waiting through their email ‘ticket’ systems. In practice, this means a user with a problem cannot fix it without delay and disruption to their working day, which has a negative effect on productivity. Often their website directs you to videos or ‘How to guides’ that don’t always, in practice, tell you enough detail to fix the problem yourself.
  • Often you are paying for functionality that you’ll never need or use rather than just buying the product that is right for your business. The same phenomenon happened with mobile phones, as the technologists driving the new product development added more and more functionality that wouldn’t, in practice, be used by most of their customers. Once you’ve bought SaaS you are constantly being bombarded with new upgrades, emails telling you about new functionality and getting confused as the dashboard and menus are changed without your prior notice or consent. This is rarely conducive to improving productivity and occasionally the company insists that your monthly fees go up to pay for something you never asked for in the first place! Conversely, larger organisations that may wish to have more customisation of their IT systems are often limited in their ability to do this.
  • Honesty regarding functionality of the software. Occasionally, in my experience, you contact a support line only to find that the software company knew there were issues with connectivity. For example, we use one of the best-known accountancy SaaS packages, but it has intermittent problems connecting to our bank feed. The company in question, when asked to help us deal with this, knew from the outset that there could be issues, but this wasn’t explained on their website before we went ahead and moved our systems over, nor was it picked up during our 2-week free trial period. Talking to the company concerned did not get a sympathetic response or a reduction of the fees we pay to use it, even though we are still unable to get this to work correctly several months later. Our previous system, which just lived on one PC, didn’t integrate with our bank account, but a monthly bank reconciliation was relatively quick and painless to perform.
  • Another reason to be wary of this way of doing business is data security. Your previous business server might have been old, and it may have been a little slower than you’d like, but access to it was restricted. With the new ‘cloud based’ servers a customer no longer controls the physical location or has complete control about whether the data can be accessed by a hacker. Remembering passwords has now become a full-time occupational hazard (here at Aardvark Marketing we even have specialist software that helps us deal with this) and if you forget to bring your mobile phone with you the 2-step security log in becomes not a safety feature but a barrier to legitimate entry. It’s all too easy to click to open a rogue email masquerading as an important upgrade from your banking software, your accountancy software, your email systems, your CRM etc. That means we all need ever more expensive IT back-up systems to take care of us. Our data, and our customers data, has become a little less secure because it’s all interconnected.
  • Finally, control. We’re now in the hands of our software suppliers as never before. If they go out of business because of mis-management or lose out to a more competitive product, we can potentially lose access to our precious data, systems and processes. Just like those customers who bought into Betamax (for better quality sound and vision) rather than VHS video, your software could be obsolete, and you’ll have to invest time, money and effort in replacing it with a different product. Recently, we had access to our cloud-based project management system blocked because of tightened cyber security measures added by our service office internet provider. Like the driver at the steering wheel of  a driverless car, we have no choice about these settings, someone external to our organisations is effectively imposing ‘controls’ on our behalf.

    Here at Aardvark Marketing we’re not luddites, we were early adopters of many of these new and exciting systems. We’ve won numerous awards for innovation and some of our own customers are building their business on the SaaS model. If I could wave a magic wand I’d like more thought from our software providers (large and small). Yes, the world is your oyster as far as breaking modern technology boundaries is concerned, but good marketing starts with really getting under the skin of your customers. There is a difference between customers who are huge fans of your software and those who merely bought it because it is the market leader or even because they were misled into believing it the latest silver bullet.

    If you’d like all your customers to be raving fans, why not talk to us on 0121 222 5743 or contact us here.

Please follow and like us:
Aardvark Marketing Consultants Ltd, | GDPR Marketing basics for SME’s

GDPR Marketing basics for SME’s

GDPR Marketing basics for SME’s

There are plenty of myths being circulated about GDPR. For an SME director some of this looks incredibly frightening. Here we try to offer a sensible, reasonable approach to the new legislation by considering 5 basic questions. We are not lawyers, so this blog isn’t intended to be legal advice, but instead is a starting place for a small business owner to get the basic principles right in practice for their future marketing. There are other strands of GDPR around HR and employee data, and there are some steps that could involve tightening up your IT and data security systems. These are not covered in this blog.

Background information

The General Data Protection Regulation comes into effect on 25th May and it applies to any business that deals with customers or prospective customers anywhere in the EU. There are large fines threatened for companies that don’t comply with the new rules. Whatever the outcome of Brexit, this legislation will apply to UK businesses.

It was intended to put an end to marketing abuse of personal data, for example by unscrupulous companies that bombard people with unwanted telephone calls, emails and text messages or those companies that disregard the existing protection offered by, for example, the Telephone Preference Service.

Companies that sell B2B are not outside the scope of the legislation. There is a lot of confusion about what actually constitutes personal data but, at the moment, the legislation defines a business email with an identifiable individual as personal data. For example, info@mycompany.co.uk isn’t personal data but gill@mycompany.co.uk is classed as personal data. Other personal data could include a business that works from an office at their home address or a business owner that uses their mobile phone number as a business contact number.

Some GDPR compliance issues will take time to implement, so if you haven’t already started on this, now is the time to get to work.

Marketing Week magazine* asked two experts in the field for their views on what marketers should be prioritising right now, to stand the best chance of being compliant by the deadline.

Aardvark Marketing Consultants | GDPR security

1.     Have you done a data audit?

First, you need to document all the data your business holds, how it’s obtained and what your business uses it for.

“The first thing that we would recommend would be to examine your data flows,” says John Mitchison, director of policy and compliance at the Direct Marketing Association. “This kind of data audit is often a bit of an eye-opener to organisations because there are always third parties, legacy systems or bits of data whizzing around that not everybody knows about.”

This is also key for Steffan Aquarone, trainer at Marketing Week’s sister brand Econsultancy, who  runs training sessions explaining the fundamentals of the new law. He says: “I would look at all those different touchpoints where you are gathering personally identifiable information and map them out in a flow diagram. Even IP addresses are identifiable data, so it’s basically anywhere a customer is identifiable to you.”

Once this map is drawn out, companies need to decide which data processing activities they intend to carry out, and which legal basis they will use to justify them. For most marketing, there are two relevant legal bases specified by GDPR – consent and legitimate interests – and whichever you choose, you need to document and be able to justify your reasons for processing data on a customer-by-customer basis.

The decision of which legal basis to use is fundamental. Once you have made it, it is highly unlikely it can be changed, and Mitchison even suggests that “if you have been using consent up until now, you are going to have to continue going down that route”.

2. Is consent the right course?

“Everyone thinks about GDPR as being about consent and processing,” says Aquarone, but in his opinion there are two priorities in this area, should you choose it as your basis for using consumers’ data. “The specific places you should be thinking about are the consent on your website upon loading and the consent on any forms, including those paper documents that people fill in in the real world.”

Ensuring these are compliant now – in advance of GDPR coming into force – will mean any new user data acquired in the next three months should be compliant with the regulation.

GDPR requires that the consent given for data processing – including for marketing purposes – be “freely given, specific, informed and unambiguous”. This means many companies will have to be more detailed in their explanations of what they plan to do with personal data and that consent must be signalled by a clear, affirmative action  (rather than simply not opting out or relying on a tick box option). In practice that will mean deleting data that has been bought as a list from another organisation, as proper consent will not have been obtained for your particular company to contact people on these lists.

According to Mitchison: “If your consent is of a good quality and a high standard – if what you have been collecting over time fulfils the requirements of GDPR – then that’s fine. You can pretty much continue doing what you are doing. If it doesn’t, you may have to go through a refresh process to bring that data up to the right standard.”

However, Aquarone believes there is no need to contact everyone in a database and request new consent. “I would not bother doing reconsenting at all – of anything, anywhere. I would bin a certain category of data that you know is a bit iffy,” he says, referring particularly to third-party lists of unknown origin.

Beyond that, if your recent data is compliant, you can then take a view on whether previously collected data has adequate permissions attached. If not, there could be value and justification in recontacting older customers to ask if they are willing for their data still to be used.

Aardvark Marketing Consultants | GDPR website data

3. What are your ‘legitimate interests’?

Consent may not always be the best legal basis for data processing; indeed Mitchison goes so far as to say “legitimate interests should be your first choice, and only if you decide you can’t really use legitimate interests should you move to consent”. Essentially, this is a business’s right to carry out commercial activities such as direct marketing.

The requirements of using this legal basis are that you have a relationship with the consumer, and that they would reasonably expect you to carry out the specific kinds of data processing you are employing. “That doesn’t necessarily mean they’re a customer – they might just have an account on your website or entered into negotiations,” says Mitchison.

If this is the case, you may simply have to inform consumers what processing you plan to carry out when you collect their data – perhaps in your privacy policy – and allow them to opt out if possible.

However, legitimate interests are not a “get out of jail free card”, Mitchison adds. Businesses must perform a balancing test, weighing their rights with those of the consumer, and legitimate interests can be relied upon only if you haven’t already asked consumers for consent. The data processing also has to be necessary – in other words, you can’t achieve the same result in a less intrusive way.

Aquarone warns: “I would be cautious about this because it’s not good for people to think ‘why am I getting this [piece of marketing]?’ That’s always worth avoiding.”

4. How sensitive is your consumer profiling?

For most SME’s customer profiles (or marketing segments) are not very complicated.  “If you’re doing something straightforward like segmenting your file based on the consumer’s age, what they have bought in the past or where they live in the country, that’s fine – you can explain that very simply.” Says Mitchison.

Aquarone’s more specific suggestion is that, “if the number of buckets of customers you’re segmenting is equal to or less than the number of different product permutations you offer, then you don’t need to worry too much” about getting consent.

However, Mitchison warns: “If you were doing something much more intrusive – maybe you’re going out to third parties and getting additional data about the income of the household or the car they drive – while you may have a very good reason for collecting that data, it might be more difficult to pass the balancing test to be able to do that under legitimate interests. If you’re doing particularly sensitive profiling, you might have to ask for consent.”

As a general rule, if you ask consumers for consent to profile them, you have to be specific about what you are going to do and allow them to opt out at any time. Aquarone says: “Now we really need to be able to go into much more detail about each customer and say what they have consented to and what they haven’t, both in terms of data collection and data processing, and then allow them to change it at that level of detail.”

Aardvark Marketing Consultants | GDPR email5. Could your mum understand your privacy policy?

Finally, we need to be much more specific about data when we draft our company privacy policy and use simple, everyday language. This is the information that customers will read when deciding if they consent to you having their data. Companies that continue to use long-winded and difficult to understand language will not be viewed sympathetically.

“It’s almost a paradox,” Mitchison points out. “You have got to tell people everything, and you’ve got to make it really easy.”

This principle of consumer empowerment underlies all of GDPR. Businesses that adapt and offer consumers real choice around their data stand a good chance of being seen favourably – both by consumers and the Information Commissioner’s Office or ICO.


Companies are still uncertain about how the regulator will interpret GDPR, but those that take the proactive steps outlined above and – most importantly – can demonstrate their justifications for doing so, should avoid nasty surprises. Keep a written record of the decisions you make as business and make sure you inform everyone in your company about any new processes that they need to follow around data and any new security measures they should follow when dealing with data in IT systems.

Here at Aardvark Marketing, we’re busy right now helping our customers understand and prepare for GDPR as part of our normal service. If you’d like a confidential discussion about how we could help your business, please contact us


The Information Commissioner’s Office’s guide to GDPR can be found here.


*Article published in Marketing Week, March 2018 by Michael Barnett


Please follow and like us: