If it feels like talk about GDPR is everywhere these days, that’s because it is.
With the European Union’s new General Data Protection Regulation (GDPR) set to go into effect May 25, 2018, people across all lines of business and industries are buzzing about what these new rules mean and what needs to change to ensure compliance.
B2B marketers are no exception. And while you might not be a stranger to regulations around email marketing, GDPR goes much further than the rules that currently govern marketing activities, such as the US CAN-SPAM Act.
So what exactly do you need to know about GDPR? And how can you prepare? You’ve come to the right place.
Getting Up to Speed on GDPR
First and foremost, let’s make sure you’re up to speed on GDPR.
GDPR puts in place data privacy measures for individuals in the European Union (it protects anyone whose data is processed in connection with the EU, not only EU citizens) by creating rules for how organizations may collect and process personal data. For example, it requires organizations to have a lawful basis for processing personal data and grants individuals the right to request access to, or deletion of, their personal data. A company established outside the EU must still comply when it offers goods or services to people in the EU or monitors their behavior there, so the company’s own location does not take it out of scope.
These regulations will replace the 1995 Data Protection Directive that currently governs data privacy in the EU and are meant to better reflect the data economy in which we now live. Consider IBM’s finding that 2.7 zettabytes of data exist in the digital world, with 5 exabytes of new data generated every two days. It sounds like a lot because it is. In 2016, IBM reported that 90% of the world’s data was created in the past two years alone.
Having that much data in play creates serious privacy challenges, especially when it comes to earning and maintaining trust with customers, vendors and employees. It’s exactly those challenges that GDPR aims to resolve.
What GDPR Means for Marketers
You know GDPR is coming and you know the reason behind it, but what do these new regulations really mean for you as a marketer?
The most important thing that B2B marketers (or any marketers for that matter) need to know about GDPR is that you must have a lawful basis for processing (which includes merely storing) personal data about individuals in the EU.
Under GDPR, personal data covers any information that can be used to directly or indirectly identify someone. That list covers, but is not limited to: name, address, location, online identifiers (e.g. IP address, mobile device ID), health information, income, cultural profile, religious beliefs, political party affiliation and trade union membership. Some of these (health, religious beliefs, political opinions and trade union membership among them) are “special categories” of personal data under GDPR, which generally require explicit consent or another narrow exception before they can be processed at all.
GDPR outlines six lawful bases for processing personal data. The one that will apply to most marketers is consent. GDPR’s conditions for valid consent are as follows:
- People must actively opt in. Consent requires a statement or a clear affirmative action, so marketers cannot treat pre-checked boxes, silence or inactivity as consent.
- Consent must be freely given, specific, informed and unambiguous.
GDPR also outlines rules for obtaining consent. For example, organizations must:
- Keep consent requests separate from other terms and conditions, so that individuals can clearly see what they are consenting to when they give permission to process their personal data.
- Make withdrawing consent as easy as giving it, and clearly tell individuals how to do so.
- Keep evidence of consent, including who consented, what they consented to, when they gave consent and where they gave that consent.
While consent will be the legal basis for processing data that applies to most marketers, there is another option that might crop up known as “legitimate interest.” However, this option is one that you should approach with caution.
Legitimate interest allows an organization to process personal data when it has a genuine interest in the processing, the processing is necessary for that interest, and the individuals’ own rights and reasonable expectations do not override it. GDPR’s recitals do say that direct marketing may be a legitimate interest, so it is easy to assume this option means you don’t need consent, but that is a very risky position for a marketer to take. The regulation also states (Recital 70): “Where personal data are processed for the purpose of direct marketing, the data subject should have the right to object to such processing… That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” On top of that, the EU’s ePrivacy rules, which apply alongside GDPR, generally require prior consent for marketing email to individuals anyway, apart from a narrow exception for existing customers. The bottom line? Marketers should not rely on legitimate interest alone; consent is always the safest route to go.
How to Prepare Your Marketing Team for GDPR Compliance
Once you understand what GDPR compliance means for your team, what should you do to prepare? We recommend starting with the following seven steps:
1) Get to Know the Law
If you’ve read this far, then you’re off to a good start. In general, it’s critical that your marketing team understands GDPR at a high level so that everyone knows what they need to watch out for and what they can and cannot do. Along the way, be sure to establish protocols for accountability within your team and your organization at large.
2) Establish a Consent Game Plan
Given that you will most likely need consent (rather than another lawful basis) to process personal data about individuals in the EU, it’s important to establish a plan for obtaining that consent. To do so:
- Identify your data processing activities and determine which of those activities requires consent. You can also look to see if there is another legal basis you can (and want) to use instead.
- Assess the reliability of consent given previously. Consent given prior to May 25 remains valid so long as it meets the consent requirements outlined by GDPR. If you find that you hold personal data about individuals in the EU without consent that meets those requirements, decide with your legal team what to do (e.g. keep the contacts on another lawful basis, delete them or run an opt-in campaign to obtain proper consent).
- To run an opt-in campaign for individuals already in your database, you might send an email asking those contacts if they want to continue to receive emails. Bear in mind that this email is itself a marketing message to those contacts, so confirm with your legal team that you have a basis to send it before you do.
- Vet and amend any existing consent forms you have in place to ensure they align with the requirements outlined by GDPR. Specifically, confirm that your consent forms are unambiguous, specific and require affirmative action.
- Put processes in place to honor withdrawals of consent promptly and to stop the related processing once consent is withdrawn.
- Tighten up your record keeping to ensure you have an audit trail of consents, including who consented to what as well as when and where they consented.
3) Build an Audit Trail with Double Opt-Ins
Double opt-in verifies that the person who fills out a form and ticks the consent box actually controls the email address they entered. After the form is submitted, it triggers an email to that address asking the recipient to confirm their opt-in preferences.
Without double opt-in, anyone can submit a consent form with someone else’s address. Double opt-in ties the consent to a mailbox the person demonstrably controls, and it creates an audit trail: the confirmation records when, and from which IP address, the individual confirmed (an IP address gives only an approximate location, so record it as such). Two caveats: the confirmation link must carry an unguessable, single-use token so that a confirmation cannot be forged or replayed, and because some mail security gateways open links automatically, the bare click should not count as consent on its own; the landing page it leads to should require an explicit confirm action.
To set up a double opt-in campaign, use Sugar Market (previously Salesfusion) or another marketing automation platform to build a consent form and add a trigger that emails anyone who fills out the form. That email should ask recipients to click a link to confirm they want to opt in and take them to a landing page that provides the opportunity to confirm or deny the opt-in; only a confirmation on that page should update the contact’s consent status.
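The following is an added example (not code from this article, from Sugar Market or from any other product) of how the confirmation link from step 3 and the consent record keeping from step 2 fit together: the link carries an HMAC-signed, expiring, single-use token so it cannot be forged or replayed, the landing page’s explicit confirm action is the only thing that records consent, and every request, confirmation and withdrawal is appended to an audit trail with who, what, when and where. The HMAC key, the purpose names, the seven-day link lifetime and the sample addresses and IPs are assumptions constructed for illustration.

```python
"""Double opt-in confirmation tokens plus a consent audit trail.

Added example for this article; it is not code from Sugar Market or any
other product.  Assumptions (constructed for illustration): the HMAC key,
the purpose names, the 7-day link lifetime and the sample addresses/IPs.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumption: confirmation links expire after 7 days


class ConsentLedger:
    """Append-only log of consent events, each recording who, what, when and where."""

    def __init__(self, secret_key: bytes):
        # Assumption: in production the key comes from a secret store, not source code.
        self.secret_key = secret_key
        self.events = []       # the audit trail, never edited in place
        self._pending = {}     # nonce -> email for tokens not yet confirmed (single use)

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret_key, payload.encode(), hashlib.sha256).hexdigest()

    def request_consent(self, email, purposes, ip, source, now=None):
        """Form submitted: log the unverified request and return the token for the email link."""
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_urlsafe(16)  # unguessable, so a link cannot be forged
        claims = {"email": email, "purposes": sorted(purposes),
                  "nonce": nonce, "exp": ts + TOKEN_TTL_SECONDS}
        payload = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        self._pending[nonce] = email
        self.events.append({"event": "consent_requested", "email": email,
                            "purposes": claims["purposes"], "ts": ts, "ip": ip,
                            "source": source})
        return f"{payload}.{self._sign(payload)}"

    def confirm_consent(self, token, ip, now=None):
        """Called from the landing page's explicit confirm action, not from the bare link GET."""
        ts = int(time.time() if now is None else now)
        payload, _, sig = token.rpartition(".")
        # Verify the signature before trusting anything inside the token.
        if not payload or not hmac.compare_digest(sig, self._sign(payload)):
            return {"status": "invalid"}
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if ts > claims["exp"]:
            return {"status": "expired"}
        # Each token confirms at most once; a replayed link is rejected.
        if self._pending.pop(claims["nonce"], None) != claims["email"]:
            return {"status": "already_used"}
        self.events.append({"event": "consent_confirmed", "email": claims["email"],
                            "purposes": claims["purposes"], "ts": ts, "ip": ip,
                            "source": "double-opt-in landing page"})
        return {"status": "confirmed", "email": claims["email"],
                "purposes": claims["purposes"]}

    def withdraw_consent(self, email, purposes, ip, source, now=None):
        """Withdrawal must be as easy as giving consent; it is logged, never erased."""
        ts = int(time.time() if now is None else now)
        self.events.append({"event": "consent_withdrawn", "email": email,
                            "purposes": sorted(purposes), "ts": ts, "ip": ip,
                            "source": source})

    def active_purposes(self, email):
        """Replay the trail: only confirmed, not-yet-withdrawn purposes count."""
        active = set()
        for ev in self.events:
            if ev["email"] != email:
                continue
            if ev["event"] == "consent_confirmed":
                active |= set(ev["purposes"])
            elif ev["event"] == "consent_withdrawn":
                active -= set(ev["purposes"])
        return active

    def audit_trail(self, email):
        """Evidence of consent for one person: who, what, when, where."""
        return [ev for ev in self.events if ev["email"] == email]


if __name__ == "__main__":
    ledger = ConsentLedger(secrets.token_bytes(32))
    tok = ledger.request_consent("alice@example.com", ["newsletter"],
                                 "203.0.113.5", "https://example.com/signup")
    print(ledger.confirm_consent(tok, "203.0.113.5")["status"])   # confirmed
    print(ledger.confirm_consent(tok, "203.0.113.5")["status"])   # already_used
    print(ledger.active_purposes("alice@example.com"))            # {'newsletter'}
```

Note that an unconfirmed request contributes nothing to `active_purposes`, which is the point of double opt-in: until the mailbox owner confirms, there is no consent to rely on. The trail is only ever appended to, so withdrawal leaves the original consent event in place as evidence of what was agreed and when.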
4) Hold Your Vendors Accountable
You shouldn’t carry the weight of GDPR alone. It’s important to hold your vendors accountable too. To do so, make sure you understand the role your vendors play in processing your data.
Additionally, ask your vendors about the security measures they take to protect your company’s (and your customers’) data and what controls they give your team for managing that data. Any vendor that acts as a data processor on your behalf must be bound by a written contract, usually delivered as a Data Processing Addendum (DPA). GDPR requires that contract to cover, among other things, processing only on your documented instructions, confidentiality, appropriate security measures, your approval of any sub-processors, assistance with data subject requests and breach notifications, and deletion or return of the data when the service ends; read it for those terms rather than accepting it as a formality.
5) Think Beyond Email
It’s easy to think of email as the only marketing activity that requires consent (after all, email is where marketers are most accustomed to regulation), but other marketing activities are also processing of personal data under GDPR and need a lawful basis. For example, tracking cookies and pixels on your website (which generally need consent under the EU’s ePrivacy rules as well) and even direct mail fall within scope.
6) Prepare for Data Deletion Requests Under the Right to be Forgotten
GDPR gives individuals the right to erasure, commonly called the right to be forgotten, meaning they can ask you to delete their personal data (subject to limited exceptions, such as data you must retain to meet a legal obligation). As a result, you need protocols for deleting data from your systems should any such requests come in.
As you do so, think about how data flows between your systems. A contact deleted in one system can be re-created by the next sync from a system that still holds it, so check with your CRM provider how it handles right to be forgotten requests and syncs with other platforms, such as your marketing automation platform, and make sure the deletion reaches every copy, including exports and backups, rather than just the record you can see.
7) Establish Protocols for Data Access and Modification Requests
GDPR also gives individuals the right to access their data so they know what data is collected and how it’s being used. You must provide a copy of the personal data you hold about the requester, free of charge, within one month of the request (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month). Verify the requester’s identity before you hand anything over: an access request answered without that check is a way to leak one person’s data to another, and the same applies to deletion and correction requests.
Use GDPR to Your Advantage
Yes, everything about GDPR can sound intimidating, and there’s a lot you need to do to ensure compliance. However, you can — and should — use GDPR to your advantage to strengthen your relationships with customers and prospects.
Think about it this way: We all value responsibility and transparency, especially when it comes to how others handle our personal (and often sensitive) data, and GDPR can help your business meet even the highest of expectations on that front.
As a result, although the regulations might seem like a lot of work now, don’t underestimate their ability to help you establish a more open and trusting relationship with your customers and prospects — exactly the type of relationship that will pay dividends in the long run.
See how Sugar Market assists with GDPR compliance.