As the deadline to become GDPR compliant approaches, forward-thinking marketers are identifying at-risk areas within their marketing operations and taking an offensive approach to compliance. However, the responsibility still seems to center on the IT arm of the business. Because data is at the center of sales and marketing activities, leadership across the sales and marketing function must play a key role in GDPR compliance policies and processes. In the wake of GDPR, this post provides details on the new regulation and how it translates into the responsibility of marketers to comply.
What is GDPR (and why Marketing must comply)?
The EU General Data Protection Regulation (GDPR) is around 200 pages of legalese on data governance that regulates how companies can collect, process and use personal data from EU citizens. The new regulations go into effect on May 25, 2018, and companies could face eye-watering penalties for misuse of EU citizen data. If you collect or process the data of EU citizens, then everyone inside your company is impacted by GDPR. As a marketer, just think about all the channels where you collect customer data (website, email, tradeshows, etc.) and consider all the platforms in which you store and process that data (CRM, MAP, etc.). Even if just one of those records is from the EU, you must be GDPR compliant.
GDPR applies to all marketers – not just those in Europe
How does GDPR impact Marketing?
As a result of all the confusion (and overabundance of dread-coated hype) around GDPR, it’s difficult for marketers to find a single definitive guide that says exactly what they need to do, or not do. The first thing that any marketing leader should do is to align with their legal team (and/or data protection officer) to determine how they interpret GDPR’s impact on the company. Once that definition has been clearly established, there are four compliance areas where marketing can move forward to begin their assessment of GDPR compliance:
The primary push of GDPR is to provide transparency for customers on all the personal data collected about them and how it will be used. This means that marketing (who is the initial collector of data in most organizations) must provide customers with the right to decide whether or not they want to give consent (opt-in) and how the data provided during consent will be used for communications, tracking or any other marketing programs. GDPR does not recognize consent as a default, so pre-checking a consent box or signing up with that basic form isn’t compliant under the new regulations.
Okay, so you’ve collected data with consent, now what? GDPR restricts the usage of that data for anything other than the reason given during consent. If you plan to use that data for another purpose or share it with another party, you must seek additional consent from the contact in order to do so. GDPR does not recognize first consent as full consent, so marketing must be explicit about their purpose during the collection. For example, if someone has opted in for email communication and you now want to track their activity across your website, you will need separate consent for your tracking cookie to remain within GDPR compliance.
Providing contacts with the right to access and control their data is an opportunity for marketing to develop a better customer-brand relationship. GDPR requires that contacts are able to control, change, or opt-out of their consent. This presents a huge opportunity for marketing to develop intuitive preference centers that allow customers to choose what content is the most valuable to them – and actually respect those wishes by creating targeted marketing campaigns that cause people to actually engage with your company.
The last area, but certainly not one to be forgotten (there’s a bad pun here), is the GDPR governance on “the right to be forgotten,” which allows customers to revoke consent to their data (or update inaccurate data) within a 30-day response time. This means that all data the company holds about that contact is included in that request, marketing data or otherwise. Marketing departments must have a process in place to handle these requests in a timely manner in order to show GDPR compliance. If data must be retained for any reason, there must be a way to remove any personal identifiers from that data.
How can Marketing live in harmony with GDPR?
At face value, GDPR seems intimidating and the potential fines are enough to make marketing leaders rethink their entire strategy. But, in reality, this new set of regulations provides a new lens through which to view the tactics and best practices within the following:
Software Platforms (CRM & MAP)
GDPR is all about data management, and there is no better place to start than within the systems that house it. Ensure that your systems track opt-in criteria and which data fields GDPR considers personal data, and that systems that share data are either synced with one another or governed by rules that ensure changes to preferences, updates, or removals carry across every synced platform.
Similar to the disappointment of biting into a chocolate chip cookie and finding out it’s oatmeal raisin, under GDPR all those beautiful little website tracking cookies now require consent. Marketing needs to make sure that website visitors are given a clear explanation of what they are consenting to, along with a way to withdraw that consent as easily as they granted it.
Landing Pages & Forms
As previously stated, GDPR does not recognize implied consent. When building landing pages and forms, marketing should include an unchecked opt-in field with a clear description of how their data will be used if they actively check that opt-in box.
The standard best practice around email marketing has always been providing an opt-out function (well, for all the marketers on Santa’s nice list), but GDPR shifts the best practice from merely offering opt-out to a heavier focus on “opt-in.” Marketing must have clear documentation that their email recipients have consented to receive email and that the data they are using is aligned with the consent purpose granted. This is in stark contrast to marketers who buy or scrape email lists. Under the new GDPR regulation, obtaining email addresses without direct consent will be strictly taboo.
Events & Trade Shows
For marketers who attend industry events or trade shows, collecting business cards or scanning badges is critical, but under GDPR’s rules of consent, marketing needs to be extra cautious to ensure they remain compliant. When someone hands you a business card, it’s perfectly reasonable to reach out to them with a follow-up. However, that does not qualify as consent to add them to your database and begin marketing to them. Much like the business card example, a badge scan doesn’t imply consent unless the event organizer includes an explicit consent opt-in during the registration process that informs the contact that their information will be shared with third parties and for what purpose. That stated purpose must then be abided by to remain GDPR compliant. Another alternative, though not as simple, is to put your own opt-in consent on display, explicitly reference it, and allow the contact to review it before you accept a business card or scan a badge.
The Bottom Line: Data Privacy is the New Black
Data privacy is something that every company needs to take seriously, even if they aren’t immediately affected by GDPR. This is just the beginning of a world where privacy-first data is a human right. While the initial impact of regulation like GDPR requires significant changes and investments in order to achieve compliance, it ultimately ensures the greater protection of individual rights while providing marketers with higher value and more relevant data. In turn, this makes it easier (and less costly) for marketing to reach interested and qualified contacts.
Cut Through the Noise and Simplify your GDPR Compliance
Whether you are just getting started or need peace of mind about your GDPR policies, LeadMD can help. Contact us to learn more about our data privacy services, which are specifically focused on helping sales and marketing teams reach GDPR compliance.
Meet Justin Gray
Justin is a serial entrepreneur and the CEO and founder of LeadMD, the world’s largest revenue operations agency, having implemented over half of the Marketo user base. Justin has made a career of launching successful companies and scaling them, with successful exits of over 200MM+ in the last decade. Justin’s latest endeavor launched in 2016 when he co-founded Six Bricks, an online learning startup designed to combat employee and customer churn through experience-based education. Over the past 10 years, Justin has emerged as a strong voice for entrepreneurship, marketing and culture. As a recognized speaker, Justin has been published over 350 times in industry publications and holds his own column, Tribal Knowledge, in Inc., while writing for Entrepreneur, TechCrunch and others. Justin and his wife Jennifer met over marketing and three years later welcomed their son, Grayson, into the world in April of 2017.