If it feels like talk about GDPR is everywhere these days, that’s because it is.

With the European Union’s new General Data Protection Regulation (GDPR) set to go into effect May 25, people across all lines of business and industries are buzzing about what these new rules mean and what needs to change to ensure compliance.

B2B marketers are no exception. And while you might not be a stranger to regulations around email marketing, GDPR goes much further than the rules that currently govern marketing activities, such as CAN-SPAM.

So what exactly do you need to know about GDPR? And how can you prepare? You’ve come to the right place.

Getting Up to Speed on GDPR

First and foremost, let’s make sure you’re up to speed on GDPR.

GDPR puts in place data privacy measures for all citizens of the European Union by creating rules for how companies can collect and process personal data. For example, it requires organizations to have a lawful basis for processing personal data and grants EU citizens the right to request that companies provide access to or delete their personal data. Any company that collects or processes data about EU citizens, regardless of the company’s location, must abide by GDPR.

These regulations will replace the 1995 Data Protection Directive that currently governs data privacy in the EU and are meant to better reflect the data economy in which we now live. Consider IBM’s finding that 2.7 zettabytes of data exist in the digital world, with 5 exabytes of new data generated every two days. It sounds like a lot because it is. In 2016, IBM reported that 90% of the world’s data was created in the past two years alone.

Having that much data in play creates serious privacy challenges, especially when it comes to earning and maintaining trust with customers, vendors and employees. It’s exactly those challenges that GDPR aims to resolve.

What GDPR Means for Marketers

You know GDPR is coming and you know the reason behind it, but what do these new regulations really mean for you as a marketer?

The most important thing that B2B marketers (or any marketers for that matter) need to know about GDPR is that you must have a legal basis for processing (which includes storing) personal data about EU citizens.

Under GDPR, personal data covers any information that can be used to directly or indirectly identify someone. That list includes, but is not limited to: name, address, location, online identifiers (e.g. IP address, mobile device ID), health information, income, cultural profile, religious beliefs, political party affiliation and trade union membership.

GDPR outlines six legal bases for processing personal data. The option that will apply to most marketers is consent. GDPR defines the grounds for consent as follows:

GDPR also outlines rules for obtaining consent. For example, organizations must:

While consent will be the legal basis for processing data that applies to most marketers, there is another option you might encounter, known as “legitimate interest.” However, this option is one that you should approach with caution.

Legitimate interest allows organizations to process personal data if a clear interest for that processing exists and if individuals can reasonably expect data processing to take place. It’s easy to assume that the legitimate interest option means you don’t need consent, but that is a very risky position to take. In fact, GDPR clearly states: “Where personal data are processed for the purpose of direct marketing, the data subject should have the right to object to such processing… That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” The bottom line? Marketers should not rely on legitimate interest alone — consent is always the safest route to go.

How to Prepare Your Marketing Team for GDPR Compliance

Once you understand what GDPR compliance means for your team, what should you do to prepare? We recommend starting with the following seven steps:

1) Get to Know the Law

If you’ve read this far, then you’re off to a good start. In general, it’s critical that your marketing team understands GDPR at a high level so that everyone knows what they need to watch out for and what they can and cannot do. Along the way, be sure to establish protocols for accountability within your team and your organization at large.

2) Establish a Consent Game Plan

Given that you will most likely need consent (as opposed to another legal basis) to process personal data for EU citizens, it’s important to establish a plan for obtaining that consent. To do so:

3) Cover Your Tracks with Double Opt-Ins

Double opt-in is a method to ensure that someone who fills out a form and checks a box to give consent is who they say they are. It does so by triggering an email from the consent form that asks the recipient to confirm their opt-in preferences.

Without double opt-ins, anyone can fill out a consent form with someone else’s information. As a result, double opt-ins are helpful to confirm the identity of those who give consent. This method also creates an audit trail, as you can track clicks on the confirmation link in the double opt-in email to record the time and location from which individuals gave consent.

To set up a double opt-in campaign, use Sugar Market (previously Salesfusion) or another marketing automation platform to build a consent form and add a trigger that emails anyone who fills out the form. That email should ask recipients to click a link to confirm they want to opt in and take them to a landing page that gives them the opportunity to confirm or deny the opt-in.
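The confirmation link and audit trail described above, as an added example that is not the original post's or Sugar Market's code: the consent form issues a signed, expiring confirmation link, and the landing-page handler verifies the link before recording the confirm-or-deny decision with its time and source address. The signing secret, the 48-hour expiry, the field names and the use of source IP as the "location" are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed for this example: the signing secret stays server-side and never
# appears in the email itself; rotate it as you would any other credential.
SECRET_KEY = b"example-only-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation links expire after 48 hours

def _signature(email: str, ts: str, nonce: str) -> str:
    """HMAC over every field the link carries, so none of them can be altered in transit."""
    msg = f"{email}|{ts}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_confirmation_query(email: str, now: int) -> str:
    """Query string for the link in the trigger email sent after the consent form is submitted."""
    params = {"email": email.strip().lower(), "ts": str(now), "nonce": secrets.token_hex(8)}
    params["sig"] = _signature(params["email"], params["ts"], params["nonce"])
    return urlencode(params)

def record_decision(query: str, decision: str, now: int, source_ip: str,
                    audit_log: list, used_nonces: set) -> str:
    """Landing-page handler: verify the link, then append one audit record of the choice."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if any(k not in params for k in ("email", "ts", "nonce", "sig")):
        return "invalid"
    expected = _signature(params["email"], params["ts"], params["nonce"])
    if not hmac.compare_digest(expected, params["sig"]):
        return "invalid"          # forged link, or an address/timestamp edited after issue
    if now - int(params["ts"]) > TOKEN_TTL_SECONDS:
        return "expired"          # stale link: ask the contact to submit the form again
    if params["nonce"] in used_nonces:
        return "already_used"     # a replayed link must not create a second consent record
    if decision not in ("confirmed", "denied"):
        return "invalid"
    used_nonces.add(params["nonce"])
    audit_log.append({"email": params["email"], "decision": decision,
                      "decided_at": now, "source_ip": source_ip, "nonce": params["nonce"]})
    return decision
```

Keep the audit log entries together with the consent record, since they are what you will produce if a data subject or regulator later asks when and how consent was given.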

4) Hold Your Vendors Accountable

You shouldn’t carry the weight of GDPR alone. It’s important to hold your vendors accountable too. To do so, make sure you understand the role your vendors play in processing your data.

Additionally, ask your vendors about the security measures they take to ensure the privacy of your company’s (and your customers’) data and what controls they provide your team for managing that data. You should ask any vendors that act as data processors for a Data Processing Addendum that outlines the controls around data entry, data transmission and data access.

5) Think Beyond Email

It’s easy to think about email as the only marketing activity that requires consent (after all, email is where marketers are most accustomed to regulations), but there are other marketing activities that also fall under the data processing regulations outlined by GDPR. For example, you need to be careful about tracking cookies and pixels online and even sending direct mail.

6) Prepare for Data Deletion Requests Under the Right to be Forgotten

GDPR provides EU citizens with the right to be forgotten, meaning they can ask organizations to delete their personal data. As a result, you need protocols for deleting data from your systems should any such requests come in.

As you do so, remember to think about how you pass data through systems. In particular, check in with your CRM provider to see how the system will handle right to be forgotten requests and data syncs with other platforms, such as your marketing automation platform.

7) Establish Protocols for Data Access and Modification Requests

GDPR also grants EU citizens the right to request access to their data so they know what data gets collected and how it’s being used. This requirement means you must be able to export personal information to your contacts within one month of the request at no charge.

Use GDPR to Your Advantage

Yes, everything about GDPR can sound intimidating, and there’s a lot you need to do to ensure compliance. However, you can — and should — use GDPR to your advantage to strengthen your relationships with customers and prospects.

Think about it this way: We all value responsibility and transparency, especially when it comes to how others handle our personal (and often) sensitive data, and GDPR can help your business meet even the highest of expectations on that front.

As a result, although the regulations might seem like a lot of work now, don’t underestimate their ability to help you establish a more open and trusting relationship with your customers and prospects — exactly the type of relationship that will pay dividends in the long run.

See how Sugar Market assists with GDPR compliance.