.png?width=200&height=67&name=RevM%20Digital%20Marketing%20Agency%20Woking%20Surrey%20(1).png)
On 25th May, 2018, The General Data Protection Regulation (GDPR) will come into law. Businesses, whether B2B or B2C, from anywhere in the world, that hold, process, exchange and deal with the data of EU citizens will have to comply with more stringent regulations.
So what does it mean for me and how will it affect our marketing?
Tighter controls over personal data aims to enhance the protection of EU citizens by ensuring that organisations deal with customer data in transparent and secure ways.
A breach of EU customer data will result in a maximum penalty of €20 million, or 4% of your annual global turnover. Whichever happens to be larger.
As an example, Apple announced an annual global turnover of $229 billion last year. If Apple sent a marketing email to a contact without consent in the eyes of GDPR, they could receive a fine of nearly $9.2 billion...
If you’re behind the curve, rest assured, you’re not alone. Many companies are actively working on GDPR throughout May. In fact, we're sure many more will be working on remediation beyond that. That said, there are some key things you ought to prioritise to ensure some basic controls are in place come May 25th when GDPR becomes a legal requirement.
Next time you import a list of contact data from a trade show scanner, buy a rented list from a list broker, or use data supplied by an association or business partner - consider this:
- Can I use this data?
- Can I hold this data in my Marketing, Automation, or CRM Systems?
This new wave of regulation will severely hurt those businesses who rely on this kind of marketing data unless the following are in place…
So, let’s quickly review the legalese associated with the GDPR...
Suppose that Tom is both an EU citizen and a contact of yours. He’s called the “data subject,” and your company (let’s call you OnGo) is called the “controller” of that Data. If you’re a HubSpot customer (or use other systems such as Zoho, Insightly, InfusionSoft, Act-on, Salesforce, and many others), then HubSpot (in this example) acts as the “processor” of Tom’s data on behalf of OnGo. With the introduction of the GDPR, data subjects like Tom are given an enhanced set of rights, and controllers and processors like OnGo and HubSpot, respectively, an enhanced set of regulations.
Lawful basis of processing
Your obligation is to make Tom aware of what kinds of personal information about him you hold and how you use it, with transparency and accountability being your guiding principles.
You must have a legal reason to use Tom’s data. That reason could be:
- Consent he opted in with after you told him what he was opting into.
- Performance of a contract e.g. he’s your customer and you want to send him a bill.
- “Legitimate interest” in the eyes of GDPR e.g. he’s a customer, and you want to send him products related to what he currently has.
Whichever lawful basis you have for using Tom’s data, you need the ability to track that reason for a given contact. This will help you comply with the GDPR accountability principle, which requires organisations to demonstrate that they have effective policies and procedures in place.
Action: You need to be able to track and manage this in your Marketing, Automation and CRM Systems.
Consent
The only data that can be collected, shared or used in any way must be explicitly explained in layman's terms and consented by the contact, whether or not a business customer/contact or a consumer
One type of lawful basis of processing is consent with proper notice.
Tom can only grant consent under the GDPR if:
- He’s been told what he’s opting into. That’s called “notice.”
- His opt-in is affirmative (pre-checked checkboxes aren’t valid). In other words, filling out a form alone cannot implicitly opt him into everything your company sends.
- His consent encompasses the various ways you process and use Tom’s personal data (e.g. marketing email or sales calls). You must log audible evidence of what Tom consented to, what he was told (notice), and when he consented.
Action: You need to be able to track and manage this in your Marketing, Automation and CRM Systems.
Withdrawal of consent (or opt out)
Tom needs the ability (as data subject) to see what he signed up for. He must be able to withdraw his consent (or object to how you’re processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.
Action: You need to be able to provide your contacts with a clear indication of what they have signed up to. Use capabilities such as a preference centre - where the contact can clearly see the information.
Cookies
Tom needs to be given notice that you're using cookies to track him. This must be explained in layman's terms. You cannot use cookies to track Tom until he has given consent to being tracked by cookies. When the new ePrivacy Regulation is introduced it may also have an impact on how cookies are regulated.
Action: You need to ensure that the cookies used on your website to inform your marketing automation systems are clearly documented in your privacy policy, along with other cookies you may use in regards to advertising tracking etc.
Deletion
Tom has the right to request that you delete all the personal data you have about him. The GDPR requires the permanent removal of Tom’s contact from your database, including email tracking history, call records, form submissions and more.
Action: Typically, you’ll need to respond to his request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply. You need to be able to potentially delete his records in your Marketing, Automation and CRM Systems.
Access/Portability
Just as he can request that you delete his data, Tom can request access to the personal data you have about him. Personal data is anything identifiable, like his name and email address.
Tom can also request to see and verify the lawfulness of processing.
Action: If he requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).
Modification
Just as he can request to access or delete his data, Tom can ask your company to modify his personal data if it’s inaccurate or incomplete.
Action: If and when he does, you need to be able to accommodate that modification request across your Marketing, Automation and CRM Systems. If you have shared Tom’s inaccurate personal data with another organisation, you will need to tell the other organisation about the inaccuracy so it can correct its own records, and of course, Tom needs to know if you have shared his data with a 3rd party.
Security Measures
The GDPR also requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.
Action: It is important to discuss the security processes and policies with your relevant IT and Legal teams to ensure they will meet compliance with the new regulations.
Conclusion
As of 25th May, 2018, privacy will be a way of life for all businesses that handle EU customer data. It’s important to stress, whilst you will be legally required to comply by that date, it is not a static deadline. GDPR will be a recurring item on the agenda. It will require constant monitoring and nurturing. It is not a quick fix that can be resolved with a checklist. Think health and safety, only for the data world.
To that end, don’t focus solely on what you need to do by 25th May. Instead, consider how you can start paving the way for a more transparent and secure future for your customers thereafter. Capitalise on the many benefits that GDPR will bring. A chance to delve deeper into the needs of your prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing. Reap the benefits of a brighter and more trustworthy relationship between your business and your customers. But above all, remember this. Tomorrow’s privacy, is today’s priority, and that’s business as usual from here on.
DISCLAIMER: The content of this web page is a commentary on the GDPR, as RevM interprets it, as of the date of publication. We’ve been thoughtful about its intent and meaning, but the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.
