A Practical B2B View of GDPR Preparation


As the date for the European Union’s GDPR approaches (fifty-two days and counting), anti-SPAM is evolving from management of “how a company communicates via email” to “how a company ensures the rights of their prospects and their data”. In other words, it’s not just about emailing people, it’s about whether or not a company has the right to collect data on those people.

I’ve been listening to viewpoints on GDPR from clients, legal experts, and the media, and while it is too early to call, it seems like B2B companies are focusing on the following:

  • A company’s Privacy Policy is a key part of compliance.
  • Steps to ensure an individual’s privacy should be a cornerstone of any business activity.
  • EU data owners must give consent to the organizations that hold their data, and that consent must be recorded.
  • B2B companies seem to rely on GDPR’s “Legitimate Interests” definition as the primary reason to have and use a person’s data for marketing purposes.

Privacy Policies

We’ve all seen privacy policies that pop up on websites and online services, and while they are not new, they are becoming a key part of an organization’s privacy compliance. Many organizations block our navigation to other parts of their website until we agree to their privacy policy. The fact that we click to “continue” is being used by some B2B companies as the opt-in or consent.

GDPR says that privacy policies must:

  • Be concise and easily understood.
  • Describe the Legitimate Interests of the controller.
  • Detail the information collected, what it will be used for, and any augmentation that might be applied to it.
  • Contain a data retention policy.
  • Describe safeguards against data leaks.
  • Provide the rights of the individual with regard to the data usage.
  • List email, phone and name for a company representative that an individual might contact, should they wish to do so.

First, Do No Harm

While it is usually associated with the healthcare industry, “first, do no harm,” can be applied quite nicely to privacy preparations. Above all else we should protect a person’s data, as the impact on them could be severe. Consider the high-profile data breaches that we’ve heard about from companies like Equifax, Home Depot, and Staples, where thieves stole credit card information, SSNs, and other financial data.

While it is true that the data collected by B2B companies may not be as sensitive and damaging to individuals were it to become publicly known, shouldn’t our primary jobs as marketers be to earn the trust of those people we hope to do business with?

To prepare, think about the data that you need to conduct business with people, and then ask yourself how much of that is really needed. Only keep what you can use, and protect what you have.

Assent to Consent

The GDPR regulations require that all information from EU residents must be collected with consent, regardless of where the data is collected from. Consider all the routes that information makes its way into systems, including forms, lists, partner processes, CRM systems, and email referrals.

This means that consent must be obtained and recorded from each source. For example, if a list collected from a trade show organizer is given to company ABC Corp, then the people on the list must give consent for ABC Corp to use their data, and ABC Corp should record that consent on the person’s data record.

Legitimate Interests

Interestingly enough, legitimate interests include both the interests of the subject of the data, and the interests of the company that would sell products or services to them. Here are some possible examples that might constitute “legitimate interests”:

  • Tracking web activity to determine what products a person might be interested in, so that a company might be in a better position to propose an optimal solution to a problem.
  • Tracking communication preferences, so that all communications are aligned with the person’s wishes, including when the person requests not to be contacted.
  • Collecting product development survey information.

Bottom Line

Gold Standard Preference Center

GDPR is not the first privacy regulation, and it will not be the last. Privacy is important and companies should not wait to react to it, but get out in front of it now. View GDPR as an opportunity to get your “privacy” house in order.

Marketers can start to configure their marketing automation, websites, CRM, and other systems now, so that GDPR infractions do not become an issue later. Digital Pi has undertaken the task of designing and building the technology and processes required by its client companies, so that they can comply with data and communications regulations in all the countries that they transact business in.

bob@digitalpi.com

Over the last 20 years, Bob has built, managed, and advised marketing teams of technology companies, including Arbortext (PTC), Brocade, CA Technologies, LLamasoft, GXS, HAHT Commerce, Intuit, QAD, Sybase, and WorkForce Software. Bob thrives on solving business problems with marketing technologies and will not quit until a suitable solution is found.
