What do marketers need to know about GDPR? Well the simple answer is quite a lot.
The EU’s General Data Protection Regulation comes into effect on May 25 2018, bringing with it some important changes to the ways in which we collect and control information about our customers.
The fact of the matter is that data forms the foundation of the online world.
Web users use personal data like currency. Think about your own experience as a regular web consumer – sharing your personal information and contact details gives you access to numerous services and content.
For us marketing folk, data is crucial for running successful online campaigns. It helps us to track website visitors, understand our audience, target them with the right content to turn them into customers and a whole lot more.
Data is extremely valuable to us as marketers and in return, we need to handle it responsibly. The GDPR hikes up the privacy rights of the individual and enforces more stringent data protection policies on companies.
This guide will get you up to speed on GDPR, what the impact of GDPR is for marketers, and – best of all – practical steps to help you get your company GDPR compliant.
GDPR – What You Need To Know
What Is GDPR?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the 1995 EU Data Protection Directive (DPD) for data privacy and security in order to reflect the ways in which businesses use and collect data today. The GDPR builds on the 8 data protection principles of the DPD and includes several new provisions to:
- Strengthen the personal data protection rights of EU citizens
- Simplify the regulatory environment for data protection in the EU (by requiring that the same laws regarding the collection, storage and usage of personal information apply across all member states.)
- Add far harsher penalties for violations.
Read the full text of the GDPR here
Get a glossary of all the legal terms you’ll need to know here.
What Data Will Be Affected By GDPR?
The EU defines ‘personal data’ as any information that can be used to directly or indirectly identify an individual (or ‘data subject’). This means everything from an email address, to a name, IP address, photo and more.
Does GDPR Affect Non-EU Marketers?
Yep! GDPR is not just for EU companies. It will also apply to non-EU businesses who market products and services to people in the EU, or who monitor the behaviour of people in the EU. That is to say: Regardless of where your company is based if you hold and control data relating to EU citizens you’re bound by the GDPR.
What Are The Penalties For Non-compliance With The GDPR?
You don’t want to know... but you need to!
The maximum sanction for non-compliance with GDPR is a fine of €20,000,000 or 4% of gross worldwide annual turnover, whichever is the greater. Scary stuff!
What Does GDPR Legislation Cover?
In order to understand how GDPR impacts your marketing activities, it’s necessary to take stock of the key areas that GDPR covers. Here’s an overview.
GDPR Privacy Rights of the Individual
Right to Access
Under GDPR, individuals are entitled to find out what personal data of theirs is being processed by companies, where it is held and why. Companies that hold personal data (data controllers) must be able to provide a copy of an individual’s data if requested. This has to be done for free, by the way!
Right to Erasure
Essentially the GDPR’s ‘Right to Erasure’ is the right to be forgotten. It allows individuals to request data controllers to delete their personal data, thereby preventing them and related third parties from accessing or processing their information.
Right to Data Portability
Under the GDPR, individuals are able to request access to their personal data ‘in an electronic format’, which they can then transfer to another data controller – for example, when switching their health insurance or telephone service provider.
GDPR Compliance for Company Processes
In addition to facilitating the above data protection and privacy rights of the individual, companies must adhere to the following to be GDPR compliant.
Data Breach Notification
Companies must notify customers and data controllers of data breaches within 72 hours. This relates to leaks, hacks, or lost data – such as information on a lost USB key.
Privacy by Design
Data compliance and data protection must be considered from the start when it comes to designing new systems. Organisational and technical processes must ensure that personal data is secure. Only data deemed ‘absolutely necessary for the completion of duties’ should be held.
Data Protection Officers
Public companies or companies whose main activities involve data processing and monitoring need to appoint a Data Protection Officer. This is in place of notifying local Data Protection Authorities of their activities.
What Should Marketers Be Thinking About When It Comes To GDPR?
Now that you grasp the key areas of GDPR, we can look at how they impact your company’s sales and marketing activities.
1. Explicit Opt-In
One of the most impactful areas to note for marketers is that ‘implied consent’ or ‘soft opt-in’ will no longer be an option.
What does that mean?
Prior to GDPR, ‘implied consent’ meant that companies could email a person, so long as that person had the option to opt out of receiving emails at the time of purchase or contact. This could take place, for example, when filling out an online form.
The situation under GDPR is that consent has to be explicit. This means that the individual must opt in, as opposed to opting out. Furthermore, companies must be able to provide evidence that a person has elected to opt in to communications and didn’t just fall onto a contact list by default.
It’s a GDPR best practice to require individuals to check a (previously unchecked) box to opt in. And, while it’s not mandatory, ‘double opt-in’ would also be best practice. This is where choosing to opt in on a form is followed up with a ‘click to confirm’ email. This prevents an individual from ending up on a marketing list because someone else signed them up with their email address, without their consent.
A final note on opt-in relates to events.
In-person opt-in needs to be evidenced. So, it’s no longer possible to simply add an attendee guest list to a marketing campaign list, because you have to prove that individuals have opted in.
Resolve this with an opt-in form at your stand, perhaps on an iPad, or a follow-up opt-in email after the event.
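The opt-in flow described above (unchecked box, ‘click to confirm’ email, and evidence you can produce later) is easy to get subtly wrong: the person must not land on the list until the confirmation link is clicked, the link must not be forgeable, and it should expire. The following is an added example, not code from the original post or from any marketing platform; the store names, the signing key and the 48-hour lifetime are assumptions made for illustration. It covers both the web-form case and the event-stand case, since the same evidence record serves either source.

```python
"""Double opt-in with a tamper-evident confirmation token and a consent
evidence record. Added example with hypothetical names; not a vendor API."""
import base64
import binascii
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed key for the example only; in practice load it from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-use"
TOKEN_LIFETIME = timedelta(hours=48)   # assumed validity of the confirmation link

# In-memory stores standing in for a CRM (constructed for the example).
PENDING = {}     # email -> consent request awaiting confirmation
CONSENTED = {}   # email -> evidence record for marketing consent


def _sign(payload: bytes) -> str:
    """HMAC over the token payload so a forged or edited link is rejected."""
    digest = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def request_opt_in(email, source, consent_text_version, requested_at):
    """Step 1: the person ticks a previously unchecked box (web form or event
    stand). Nothing goes on the marketing list yet; we record the request and
    mint the token that the 'click to confirm' email will carry."""
    PENDING[email] = {
        "email": email,
        "source": source,                           # e.g. "website-form", "event-stand"
        "consent_text_version": consent_text_version,
        "requested_at": requested_at.isoformat(),
    }
    payload = f"{email}|{requested_at.isoformat()}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def confirm_opt_in(token, confirmed_at):
    """Step 2: the link is clicked. Only a valid, unexpired token that matches
    a still-pending request moves the person onto the list. Returns the
    evidence record on success, None otherwise."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None                                  # malformed link
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None                                  # forged or altered link
    email, issued = payload.decode().split("|", 1)
    if confirmed_at - datetime.fromisoformat(issued) > TOKEN_LIFETIME:
        return None                                  # stale link
    pending = PENDING.get(email)
    if pending is None or pending["requested_at"] != issued:
        return None                                  # no matching request (or replay)
    record = dict(pending, confirmed_at=confirmed_at.isoformat(), method="double-opt-in")
    CONSENTED[email] = record
    del PENDING[email]                               # a link can only be used once
    return record


def consent_evidence(email):
    """What you produce if asked to prove this person opted in: source,
    consent text version, request and confirmation timestamps."""
    return CONSENTED.get(email)


if __name__ == "__main__":
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    link = request_opt_in("alice@example.com", "website-form", "v1", t0)
    print("on list before confirming:", consent_evidence("alice@example.com"))
    print("after confirming:", confirm_opt_in(link, t0 + timedelta(hours=1)))
```

Note what the evidence record deliberately does not rely on: the mere presence of the address in the CRM. The request and confirmation timestamps, the source and the consent-text version are what you would hand over if the opt-in were challenged.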
2. Marketing With ‘Legitimate Interest’
This is where GDPR gets kind of confusing.
As we’ve just discussed, ‘opt-in’ is compulsory. However, and this is a big HOWEVER, there are two perspectives on GDPR opt-in.
The first – as above – is consent, where you must gather opt-ins from every contact. This protocol guarantees GDPR compliance.
The second perspective is termed ‘legitimate interest’ – and the term itself is the explanation. Companies may use the reasoning of legitimate interest as a basis for direct marketing on an unsubscribe/opt-out basis.
Be warned, however – this is not quite the loophole in GDPR that it sounds like, because all other aspects of GDPR must be followed. Furthermore, proving ‘legitimate interest’ (i.e. that the marketing is relevant and appropriate) may be legally difficult if challenged.
Choosing whether to go down the legitimate interest path can really only be determined on a case-by-case basis.
3. Third Party Compliance
Most of us marketers engage with third party tools and marketing technology such as marketing automation platforms and CRMs. Think about Mailchimp, HubSpot or Salesforce, for instance. Third parties that hold data on behalf of your company must be GDPR compliant. They need measures in place to store and process personal data and to integrate data appropriately.
To prepare for GDPR you should:
- Ask third party suppliers to detail how they ensure GDPR compliance.
- Ensure there is a point of contact from each side.
- Ensure there’s an adequate process in place on both sides to manage any data breaches.
- Only collect data that’s necessary.
- Be sure that it’s possible to delete data should you stop using a third party service provider.
- Confirm that you can download your own data from the third party when requested.
4. No Means No!
The ‘right to be forgotten’ under GDPR impacts the way your CRM is managed. If an individual requests to be forgotten, then it’s not good enough to mark them as ‘do not contact’ on your CRM, as may have happened in the past. They must be deleted. And this goes across the board. It’s important to ensure that their data is expunged from all ancillary databases.
Remember: Data is a liability to you. Unless you need to keep it, delete it.
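The practical difficulty with ‘expunged from all ancillary databases’ is that one system often still flags the record rather than removing it, and nobody checks. The following is an added example, not code from the original post or from any CRM vendor; the four stores and their rows are constructed for illustration, and matching on a lower-cased email address is an assumption. It fans an erasure request out to every registered store and then verifies, store by store, that nothing for that person remains, so a legacy system that only sets a do-not-contact flag shows up in the report instead of going unnoticed.

```python
"""Erasure request fan-out with verification across every data store.
Added example with constructed stores; not any vendor's API."""
from datetime import datetime, timezone


class TableStore:
    """Stand-in for one database or SaaS table that holds contact rows."""

    def __init__(self, name, rows):
        self.name = name
        self.rows = list(rows)

    def find(self, email):
        """Every row still held for this person (case-insensitive match, an assumption)."""
        return [r for r in self.rows if r["email"].lower() == email.lower()]

    def erase(self, email):
        """Remove the rows outright and return how many were removed."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["email"].lower() != email.lower()]
        return before - len(self.rows)


class FlagOnlyStore(TableStore):
    """Legacy behaviour the post warns about: 'erasing' merely sets a
    do-not-contact flag. Included so the verification step can catch it."""

    def erase(self, email):
        flagged = 0
        for r in self.rows:
            if r["email"].lower() == email.lower():
                r["do_not_contact"] = True
                flagged += 1
        return flagged


def forget(email, stores, requested_at):
    """Run the erasure on every store, then re-query each one. The report is
    only 'complete' when no store can still find the person."""
    report = {"email": email, "requested_at": requested_at.isoformat(),
              "stores": {}, "complete": True}
    for store in stores:
        removed = store.erase(email)
        remaining = len(store.find(email))      # verify, don't trust the return value
        report["stores"][store.name] = {"removed": removed, "remaining": remaining}
        if remaining:
            report["complete"] = False
    return report


def build_sample_stores(legacy_crm=False):
    """Constructed sample data: the same person appears in several systems."""
    crm_rows = [{"email": "alice@example.com", "name": "Alice", "do_not_contact": False},
                {"email": "bob@example.com", "name": "Bob", "do_not_contact": False}]
    crm = FlagOnlyStore("crm", crm_rows) if legacy_crm else TableStore("crm", crm_rows)
    return [
        crm,
        TableStore("marketing-automation", [{"email": "Alice@Example.com", "list": "newsletter"}]),
        TableStore("event-attendees", [{"email": "alice@example.com", "event": "expo-2018"},
                                       {"email": "carol@example.com", "event": "expo-2018"}]),
        TableStore("support-tickets", [{"email": "bob@example.com", "ticket": 41}]),
    ]


if __name__ == "__main__":
    now = datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc)
    print(forget("alice@example.com", build_sample_stores(), now))
    print(forget("alice@example.com", build_sample_stores(legacy_crm=True), now))
```

The second run in the usage block is the one to study: the legacy CRM reports one row "removed", but the verification query still finds it, so the report comes back incomplete and the request cannot be closed.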
5. Data Governance
In situations like new contact data record creation, or where contacts provided by a third party are being added or integrated into a database, opt-in compliance is once again imperative. This relates, for instance, to the importing of contacts from a spreadsheet, adding a contact from a business card or integrating Sales Navigator contacts with your CRM. Managing this across multiple areas is probably the most complex part of GDPR compliance. For that reason, it’s well worth consulting with a data protection expert to GDPR-proof your processes.
The Future Of Marketing Under GDPR
It’s simple – Go Inbound.
Inbound marketing is all about attracting customers to your company, rather than pushing your sales message upon them.
In a nutshell, web users find their way to your website via the magnetic pull of good content – helped of course by good SEO and online promotion. If they like what they see then they’ll want more great content and will gladly opt-in to receive it from your company.
Happy days! Not only do you get evidence of their opt-in, which makes you GDPR compliant, you also get a pouring in of qualified leads – people who are genuinely interested in what your company is all about. That’s far more valuable than the ‘spray & pray’ tactics of mass direct mail campaigns.
So it’s a kill-two-birds-with-one-stone scenario. Inbound = GDPR compliance + Quality Lead Generation.
Want to learn more about Inbound marketing? Check out this article.
Disclaimer: This blog post should not be used as a complete guide to EU data privacy nor as legal advice for your company to use in complying with the General Data Protection Regulation (GDPR). This blog post is intended for informative purposes only. You should therefore not rely on it as legal advice or recommendation of any particular legal understanding. In a nutshell, this is information only and not legal advice.