41% of Marketers Admit to Not Understanding What GDPR Entails. Are You One of Them?
Reading time: The most important 10 minutes of your week
Are you ready for GDPR? If the answer to this question is no, but you are marketing to EU citizens, you’ll want to keep on reading. Here is a scary thought: 41% of marketers admit to not fully understanding both the law and best practice around the use of consumers' personal data. If you are one of those, in a few months time you risk being fined up to €20 million.
This much is clear - if you are storing the personal data of EU citizens, you will be affected by the GDPR, irrespective of where you are based. For marketers the implications are immense. The new regulation completely changes the way marketers must manage their prospect's data, email list subscribers and databases that are stored within CRM systems and marketing automation platforms. So what is a marketer to do?
GDPR is not light reading. If you are feeling like combing through the text, here is the link. But luckily, you don’t have to. We created a checklist for marketers to use to ensure that your company isn’t flouting any GDPR guidelines on the marketing front!
*the below applies to all EU citizens on your lists
GDPR compliance- the CMO’s Checklist
1. Get Everyone on Board. Now
The duty of ensuring that your company is fully GDPR-ready falls on your shoulders; Smartpipe’s CMO Chad Wollen puts it best when he states that CMOs need to “scrutinise technologies and adtech partners, to ensure the mitigation of regulatory risk does not come at the expense of marketing capability.”
Make sure all decision makers and stakeholders in your organization are aware that the GDPR comes into force in May 2018 and that some things will need to change. You should speak directly with your CEO, CTO and all the other C-suits to make sure that they understand that the GDPR is not optional.
- Schedule a meeting with the management.
- Discuss GDPR impact on your marketing efforts within the EU.
- Insist that the executives convey all the relevant information to their respective departments.
2. Double Opt-in, Double Opt-in Everywhere!
Double opt-in is in. While in itself it is a pretty simple process, it entails that a form submission is followed by an email that asks the contact to confirm the submission. Getting people to double opt-in is a completely different story.
Under GDPR the consent email needs to be unambiguous. Marketers are required to get a clear and affirmative action from a prospect or customer that indicates their consent to receive your marketing communications.
You’ll need to clearly state to your customer what type of communications you’ll be sending them (email, blog updates, phone call, text message, or more). Also, how this personal information will be used and who it will be shared with needs to be indicated clearly on the page on which your prospects enter their personal details.
While there is some ambiguity in the UK with the E-Privacy Directive that prescribes opt-out position for B2B customers rather than the more strict double opt-in consent position under the EU-wide GDPR, the bottom line is - you need to get as much data double-opted in as possible.
- Set up double-opt for all your communications.If you are using HubSpot, here is a useful guide.
- Draft your opt-in statement and get it approved by your legal team.
- Get explicit double opt-in consent from from your existing customers and engaged contacts.
- Now it is double-opt in for everything - emails, popups, CTAs.
- Make sure that your opt-in message is clear regarding what type of communications you’ll be sending. For example " we will use your information to inform you of news and updates to our product."
- Make sure that how you use personal information and whom you share it with is clear and displayed on the page where your customers enter their personal details.
3. Gather All the Information About Your Databases
Make sure you know everything about your customer and prospect databases. Special caveats to look out for:
- Where the database originated from.
(is it a purchased list, or an opt-in from the website)
- Whether the database has any data of children below the age of 16.
GDPR regulation states that 16 is the minimum age at which a person can join an online service without the consent of their parents.
In addition to this, let your key decision makers know that they’ll need to remove all data obtained by methods which are non-compliant with the GDPR (more on this later). Depending on your situation, you might need to let go of some of your beloved databases that are no longer legal under GDPR. You will have to stop marketing to these lists, unless the contacts have double opted-in to your communications.
- Inspect all your databases.
- Try to get all your existing contacts to double opt-in.
Here is a useful guide to how you can go about it.
- Make sure you do not market to contacts who didn’t double opt-in.
5. Make Sure You Understand the Rights of Individuals Under GDPR
The GDPR provides individuals with the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erase
- Right to restrict processing
- Right to data portability
- Right to object
- Right to be forgotten
- and rights in relation to automated decision making and profiling.
What does this all mean? If you collect data, you need to inform the individual as to where and how this data is going to be used, for what purposes the data will be used, whom the data will be shared with, how long it will be stored for etc. For a full list, check the regulations here.
Also, if a customer contacts you asking if you hold any information about them, you’ll have to respond immediately and without delay. Should this customer request that the information be updated or deleted, you’ll also have to honor these requests. No exceptions (apart from the exceptions listed below.)
Data might not have to be erased if any of the following apply:
- The “right of freedom and expression”.
- The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
- Reasons of public interest in the area of public health.
- Scientific, historical research or public interest archiving purposes.
- For supporting legal claims, e.g. PPI offerings.
To sum up:
- Set up a process for erasing contacts or rectifying information for contacts who requested it.
- Set up a process for updating and augmenting customer data.
- Make sure you have an audit trail in place to prove double-opt in when needed.
6. Analyze How You Process Individual’s Data
One of the GDPR’s key principles is “privacy by design”. What this means is that privacy and data protection concerns need to be at the forefront of an organisation’s strategies when it comes to managing data. Databases should be anonymized, and data should be encrypted.
When it comes to processing personal data, the GDPR dictates that you keep these criteria in mind:
- Lawfulness, fairness and transparency towards individuals
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
To comply with the above, make sure you’re collecting data for specified, explicit and legitimate purposes, and that you’re only collecting what you must have. So no longer sending your blog updates to a customer who got on your list through clicking on a PPC ad, unless the user explicitly agreed to such communications. Alas.
You’ll also need to make sure that all data is accurate at the time of collection, and kept up to date in a secure location. Make sure you’ve appointed a specific controller who takes accountability for the information; if the information is no longer required, you must erase.
What does it mean though?
Make sure you analyze your data processes, in particular:
- How you collect data (do you have the double opt-in process in place?)
- How you record data (can you prove the above?)
- Where you store data ( are you compliant with safety and privacy requirements?)
- How you retrieve data ( will you be able to provide data upon request?)
- How you disclose data? (are you clear on who you're sharing your data with? )
- Do you have a deletion process in place? (Can you respect the right to be forgotten?)
7. Audit Your Purchased Data Lists
The way we handle purchased data lists will need to change. In post-GDPR era, data lists will be much smaller and most probably expensive. Purchased lists need to be double opted-in, and the user needs to be aware that he opted-in for a third party that will monetize his information. So when buying lists make sure that you have a provable audit trail that shows that:
- The data you’re buying is double-opted in.
- A user was aware that his data will be forwarded to third-parties and consented to that.
- You have received the provable audit trail for the above.
8. Get Ready for Data Breaches
You can no longer pull an UBER under GDPR. Data breaches, as a rule, need to be reported within 72 hours of being detected. Whilst an IT team works to detect and minimize system breaches, the breach should be reported to those affected without delays. In order to comply with this requirement, make sure to:
- Set up an emergency communication kit for an event of a breach.
- Make sure management knows that it must be released within 72 hours after detecting a breach.
9. Appoint a Data Protection Officer
Appoint a Data Protection Officer (DPO) for your company - likely candidates are to be your existing IT or security managers. This person will be responsible for auditing current processes to identify areas where privacy controls need to be strengthened, as well as developing new policies for safekeeping customer personal data. The larger the organization, the more responsibilities will fall under this role.
- Appoint a Data Protection Officer
10. Data Protection by Design and Data protection by Assessment
With the GDPR now in place, Privacy Impact Assessments are crucial in order to identify risks to the privacy rights of individuals when processing their personal data. Have your data protection officers develop a service level agreement (SLA) with their IT colleagues, so that you can start taking a risk-based approach to data protection.
The Bottom Line:
Non-compliant companies may be fined up to an amount of €20 million or 4% of their worldwide turnover, depending on the exact infections. This applies to all companies collecting and storing data of EU citizens, regardless of whether these companies are in the EU or not.
The key things to remember:
- Double opt-in all your lists (existing leads as well as prospects).
- Make sure you hold a record of who has agreed to what communications and when. “Provable consent” is a thing to remember.
- Make sure that every EU citizen on your list has gone through GDPR compliance process.
Should you require help overhauling your data collection methods and getting your marketing ready for the GDPR, schedule a free consultation!
The sole purpose of this guide is to provide basic information about the GDPR, to promote compliance and to help marketers transition. This guide in no way replaces legal advice. Marketing Envy takes no liability for any measures companies take to implement the GDPR. If you have any legal questions or concerns, we encourage you to seek professional legal advice.