Intro to GDPR and Why It Matters to Marketers
April 18, 2018
What is GDPR
GDPR is a set of data privacy and security laws aimed at protecting the personal data of EU citizens. Marketing companies and other businesses targeting EU citizens will, therefore, be bound to GDPR rules even if they reside outside the EU. There are no extensions or creative loopholes to legally avoid compliance. The following action items should be taken by every company to jumpstart the GDPR compliance process.
Start from the Top
Starting the path towards GDPR compliance is overwhelming for most companies. UK-based commercial lawyer Vanessa Barnett aptly summarizes the process by noting that handling the GDPR compliance process is a bit like handling the six stages of grief. “You start with shock,” she notes, “which makes you realize you actually have a lot to do. Then your business goes into denial, where everyone tries to make it somebody else’s problem.” Eventually, Barnett argues, you arrive at the acceptance phase, and the enormity of the task finally sinks in.
To make the process more manageable, we recommend starting with these three critical steps.
- Audit your databases. Data mapping will help you identify what information your company stores and how it is transferred. This blueprint must identify your data items (names, contact info), how each person entered your database, transfer methods used for the data (phone, mail, email, etc.), and where the data is stored. The map should also include a note about who has access to the data at any given time and who is responsible for the security of the database. If needed, purchase software or hire an audit team to assist in the mapping and audit.
- Appoint a Data Protection Officer. This key staffer should be intimately familiar with GDPR requirements. This person will need to create checklists for all departments, set up meetings for your department heads, and be responsible for all documentation.
Once you’ve handled these tasks, you’ll be ready to focus on all marketing-related tasks.
GDPR Impacts on Marketing
All data relating to your leads, including MQLs and SQLs, will fall under GDPR regulation. Profiling and online behavior tracking will be restricted, as will the way you use your leads’ data. If you comply with other data protection laws such as CAN-SPAM and CASL, you should be on your way to GDPR compliance.
If you’re using HubSpot as part of your inbound marketing campaign, you should understand how they are working on GDPR and how it’ll impact you. According to John Kelleher, HubSpot General Counsel, HubSpot will be making GDPR as easy as possible by creating a “GDPR toggle” that will allow marketing managers to easily apply all GDPR requirements to their running campaigns. You will also be able to toggle off any individual aspects you don’t wish to implement. Below is an outline of the most important points that your marketing team must address in order to be fully GDPR compliant, as well as a guide to how HubSpot will help.
Lawful basis of processing – One of the most important requirements for GDPR is making sure that you have a lawful reason to collect someone’s data. HubSpot is in the process of adding a way to track how data was lawfully acquired. HubSpot will be focusing on helping its clients generate leads legally based upon three lawful bases: performance of a contract, consent, and legitimate interest.
Companies will be required to keep a record of how the lead was acquired (as well as any changes to consent given), and it will soon be possible to update this field automatically or manually in your HubSpot portal. It should be noted that list purchasing will be banned under GDPR. This should be fine if you’re following HubSpot’s recommendations, as list purchasing is already prohibited by HubSpot’s Acceptable Use Policy. If you have been purchasing lists, you may want to adjust your marketing strategy to compensate for this loss of leads.
Consent – All leads will now be required to provide specific consent for use of their data. Of specific importance is the fact that pre-checked consent boxes will no longer be allowed. Your marketing team should make sure to update these settings if relevant and to ensure that every action you wish to take with the data is specified in the opt-in form. HubSpot is adding consent options to all of its lead generation methods and will store all relevant information as required by GDPR statutes. At the end of the day, GDPR is aimed at making a better user experience, and HubSpot is committed to making this happen as well.
Withdrawal of Consent – Under GDPR, all leads must be able to withdraw consent for services they don’t want and to opt in only to services they do want. This information will need to be updated in your lawful basis records. HubSpot will make this possible by adding withdrawal (unsubscribe) links in all their bulk and 1:1 emails.
Cookies – Cookie consent messages must be shown in a language that the user can understand. HubSpot will display cookie messages in the right language based on location. This will be extremely helpful for companies that don’t offer multi-language support but still need to comply with GDPR. HubSpot will also be offering additional cookie granularity after May 25th that exceeds the basic GDPR requirements and enhances the overall user experience.
Deletion and Modification – All HubSpot users will be able to perform a GDPR-compliant permanent delete in their admin portal. Any user requests for modification (see withdrawal of consent above) can also be made in the admin portal and will remain on record. In this capacity, all data will be completely erased to protect both the lead and the marketing company. If the lead reconverts, it will be added as a totally new lead without any reference to past preferences or actions.
Security Measures – HubSpot is increasing its security infrastructure relating to authentication, authorization, and auditing to protect customer data. These efforts should ease the technical demands on your marketing team while ensuring that your campaigns are fully compliant.
Bottom Line - GDPR is a Serious Action Item
There is still time to become GDPR compliant before the deadline, but take our advice and don’t delay any further. You’ll know if you need to consult with an advisor to push this process along. An investment now will save you in penalties and much unneeded aggravation and stress.