A Practical B2B View of GDPR Preparation
As the date for the European Union’s GDPR approaches (fifty-two days and counting), anti-spam is evolving from management of “how a company communicates via email” to “how a company ensures the rights of their prospects and their data”. In other words, it’s not just about emailing people, it’s about whether or not a company has the right to collect data on those people.
I’ve been listening to viewpoints on GDPR from clients, legal experts, and the media, and while it is too early to call, it seems like B2B companies are focusing on the following:
- Steps to ensure an individual’s privacy should be a cornerstone of any business activity.
- Consent must be given by EU data owners to those organizations that hold it, and that consent must be recorded.
- B2B companies seem to rely on GDPR’s “Legitimate Interests” definition as the primary reason to have and use a person’s data for marketing purposes.
GDPR says that privacy policies must:
- Be concise and easily understood.
- Describe the Legitimate Interests of the controller.
- Detail the information collected, what it will be used for, and any augmentation that might be applied to it.
- Contain a data retention policy.
- Describe safeguards against data leaks.
- Provide the rights of the individual with regards to the data usage.
- List email, phone and name for a company representative that an individual might contact, should they wish to do so.
First, Do No Harm
While it is usually associated with the healthcare industry, “first, do no harm” can be applied quite nicely to privacy preparations. Above all else, we should protect a person’s data, as the impact on them could be severe. Consider the high-profile data breaches that we’ve heard about from companies like Equifax, Home Depot, and Staples, where thieves stole credit card information, SSNs, and other financial data.
While it is true that the data collected by B2B companies may not be as sensitive and damaging to individuals were it to become publicly known, shouldn’t our primary job as marketers be to earn the trust of those people we hope to do business with?
To prepare, think about the data that you need to conduct business with people, and then ask yourself how much of that is really needed. Only keep what you can use, and protect what you have.
Assent to Consent
The GDPR regulations require that all information from EU residents must be collected with consent, regardless of where the data is collected from. Consider all the routes that information makes its way into systems, including forms, lists, partner processes, CRM systems, and email referrals.
This means that consent must be obtained and recorded from each source. For example, if a list collected from a trade show organizer is given to company ABC Corp, then the people on the list must give consent for ABC Corp to use their data, and ABC Corp should record that consent on the person’s data record.
Interestingly enough, legitimate interests include both the interests of the subject of the data, and the interests of the company that would sell products or services to them. Here are some possible examples that might constitute “legitimate interests”:
- Tracking web activity to determine what products a person might be interested in, so that a company might be in a better position to propose an optimal solution to a problem.
- Tracking communication preferences, so that all communications are aligned with the person’s wishes, including when the person requests not to be contacted.
- Survey information collected for product development.
GDPR is not the first privacy regulation, and it will not be the last. Privacy is important and companies should not wait to react to it, but get out in front of it now. View GDPR as an opportunity to get your “privacy” house in order.
Marketers can start to configure their marketing automation, websites, CRM, and other systems now, so that GDPR infractions do not become an issue later. Digital Pi has undertaken the task of designing and building the technology and processes required by its client companies, so that they can comply with data and communications regulations in all the countries that they transact business in.