The General Data Protection Regulation (GDPR) is the MacDaddy of compliance regulations. It revolves around businesses protecting personal data AND communicating properly with their European Union (EU) audience.
You certainly didn’t learn about GDPR in marketing class. GDPR is a regulation that is putting fear into marketers worldwide as fines can reach up to the GREATER of €20 million or 4% of global annual turnover in the prior year.
The regulation takes full effect in May 2018, so how do you get ready for it? Here are six questions to ask to get your organization started.
What is GDPR? – Summary
Simply put, GDPR puts regulations in place to protect the privacy of EU residents. There are complex exceptions, but here are a few simple rules of thumb when it comes to how businesses can comply with the new regulations:
- Only email EU people who have expressly indicated that they want to receive your content.
- Adopt data privacy standards that only collect data on EU folks who have provided consent. And then manage that data accordingly.
In most cases, US organizations are under the same legal obligations as a company headquartered in the EU. If your organization is conducting business with EU residents or collecting data on those individuals, get ready to comply.
Yes, there is a long road to GDPR compliance, but there are also major benefits when you get there. Streamlined processes and better data will lead to an improved customer journey and brand experience.
A Little Background – Not a Lot of Companies are Ready
Recently, I ran a compliance roundtable series where about 75 marketing practitioners rotated through my table to collaborate on compliance readiness. It wasn’t exactly the “fun” marketing topic, but GDPR is something every marketer needs to be aware of.
Of those folks, only a handful had written email and/or data compliance policies. The vast majority were still trying to grasp what steps to take towards GDPR compliance, so if you are in this boat, you are not alone.
According to a PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
Those are astounding numbers that go beyond the typical marketing budget.
Getting Started – Six GDPR Questions to Consider
The goal of this post is NOT to educate you on all the intricacies of GDPR—that would take a book. Instead, read all the background on GDPR on CSO Online, ZDNet, EUGDPR.org or other places. Or, if you are ready for some spine-tingling reading, check out the full GDPR regulation in all its glory. For companies with Marketo, go download this great GDPR ebook.
Rather, I’m writing this post to get you thinking about various marketing areas that are affected by GDPR. This post isn’t intended to give you all the answers. It’s intended to help you think through the types of questions you’ll need to address internally to get you on the compliance path.
We go through these questions and many more with our clients to guide them into a policy that meets their compliance needs. Use these six sample questions to start identifying your own GDPR compliance gaps.
The questions below are asked from the GDPR perspective. Answers for Canada, the United States, and other countries will differ. This is why documenting a worldwide policy is so vital.
My point: You need to start thinking about GDPR compliance TODAY as there isn’t an overnight magic button.
1) Does our organization have a written policy that documents who gets mailed and how that data is managed on a worldwide basis?
Likely Answer: No. The policies are scattered or live within our marketing managers’ heads.
Ideal Answer: Yes, we’ve documented all of our mailing and data governance policies including how people are contacted, how data is deleted, what data is collected and more. Furthermore, our systems are mapped to those processes and our marketing and sales teams have been trained on the updated procedures.
Recommendation: Start meeting internally to nail down answers to the questions below (and others) to create a worldwide policy. You need to make an effort to get compliant, and a written policy will shed light on the areas you need to address.
If you ever go to court, would you rather thump down a 40-page policy or tell the judge that the policy is in the minds of your employees? The following quote from the ICO hints at that enforcement approach.
It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organizations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
Who would you show more leniency towards after an alleged infraction?
- Company A with No Policy. Our company lacks adequate controls and there are some inconsistencies in our processes that led to 5,000 recipients being emailed who hadn’t previously opted in. We are now in the process of developing and documenting those processes.
- Company B with Policy. We have a fully documented, 30-page policy that walks through every data source and puts a plan in place to ensure our audience receives spam-free messaging. Our teams were fully trained on XYZ dates. In the past 90 days, we have sent 2 million emails with proper controls but experienced a one-off issue with the email in question.
Resource: Read 6 Reasons Why You Need a Mailing and Data Governance Policy
2) Is a country value collected for every record that enters the system?
Likely Answer: No
Ideal Answer: Yes, we collect country on every form, import, and other collection methods.
Recommendation: This is a simple concept but one that is not often followed. How do you know which regulation a person is subject to unless you collect the country information?
If there is one thing to get going on today, country collection is it. Collecting accurate country values for EVERY record is one of the most important data management initiatives you should master. Blank data is not good either (we see this all the time). For that data, we partner with companies like Oceanos and Synthio to append country to existing records.
Article 3.1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Once you have country values, you can segment audience members into different compliance segments, each with its own set of rules. For example, if someone is in the US segment, you may put them into a mailable category. If someone is from an EU country, you may block any communications until the person double opts in.
3) Are we collecting data and mailing people who have expressly opted in?
Likely Answer: Sometimes
Ideal Answer: Every EU record coming into the system has agreed to become part of our database.
Article 1.11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Recommendation: Ensure all of your forms have adequate opt-in language with an opt-in checkbox. Make sure to collect details like opt-in method, date, the form completed, etc., to start your audit trail. And do NOT pre-check the consent checkbox, as that is considered a GDPR no-no. You’ll need to think through this level of detail for every data input method.
- Make sure your forms are collecting country.
- Use clear language to inform the person what content is being signed up for.
Likely Answer: We import leads that we scan at the booth and add them to our general email list.
Ideal Answer: We ask each attendee verbally if he or she wants to receive our communications and/or ensure the attendee physically signs a consent form at our trade show booth. To confirm consent, we send an opt-in email confirmation after the event.
Although there’s no black-and-white rule, companies need to show “provable consent” under GDPR.
Recommendation: Pick a strategy and follow it. Find a risk tolerance that matches your organization. Make sure your systems properly segment non-mailable people.
Recital 42 (OJ L 119/8). For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
5) Is a person whom a sales rep added to the system mailable?
Likely Answer: I’m not sure.
Ideal Answer: We have a policy that addresses self-generated leads.
This question is so tricky that I’m not even going to address it here. Is the person a customer? Is the person a personal contact? Is the person part of a marketing mailing or a one-off contact?
Recommendation: Use the rule of thumb. If a person didn’t ask to receive certain content, make sure that person is blocked from receiving marketing messages. There is still a lot of debate around how to contact a person on a one-off basis. Your policy needs to address all of these scenarios.
6) Can we mail bulk lists of leads from list sources like ZoomInfo, D&B and more?
Likely Answer: Yes or No
Ideal Answer: No, mailing anyone from a purchased list is against our mailing policy.
Recommendation: Just don’t do it. These people didn’t give permission to receive your newsletter so mailing them is a violation of GDPR.
The movie Good Will Hunting was popular in 1997, and so was the marketing method of emailing purchased lists. Mailing to lists is just a recipe for disaster from a compliance perspective. This also includes list data that lives in your existing database.
We recommend using GDPR as an opportunity to clean out all those old lists from your system.
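As an added illustration (not code from this post or from any tool it mentions), here is a small Python policy check that applies the rules from questions 2, 3, 5 and 6 above: a blank country blocks the record, EU records stay blocked until the consent audit trail (method, date, form) and double opt-in are on file, purchased-list records are always blocked, and sales-rep leads without recorded consent go to a review bucket. The record fields, the country-code list and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed list of EU member state ISO codes as of 2018 (assumption: the
# post's "EU segment" is keyed on ISO 3166-1 alpha-2 country codes).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

@dataclass
class Record:
    """One marketing record; the opt-in fields are the audit trail the post asks for."""
    email: str
    country: Optional[str]                 # ISO code, or None when the value is blank
    source: str                            # "web_form", "trade_show", "sales_rep", "purchased_list"
    opt_in_method: Optional[str] = None    # e.g. "checkbox", "signed_form"
    opt_in_date: Optional[str] = None      # date the consent was captured
    opt_in_form: Optional[str] = None      # which form or asset was completed
    double_opt_in_confirmed: bool = False  # confirmation email was actioned

def has_audit_trail(rec: Record) -> bool:
    """Provable consent needs method, date and form all recorded."""
    return all([rec.opt_in_method, rec.opt_in_date, rec.opt_in_form])

def classify(rec: Record) -> Tuple[str, str]:
    """Return (segment, reason); segment is 'mailable', 'blocked' or 'review'."""
    if rec.source == "purchased_list":
        return "blocked", "purchased list: recipient never gave permission"
    if not rec.country:
        return "blocked", "country is blank: applicable rules unknown, append it first"
    if rec.country.upper() in EU_COUNTRIES:
        if has_audit_trail(rec) and rec.double_opt_in_confirmed:
            return "mailable", "EU: consent recorded and double opt-in confirmed"
        return "blocked", "EU: hold until consent is recorded and double opt-in confirmed"
    if rec.source == "sales_rep" and not has_audit_trail(rec):
        return "review", "self-generated lead with no recorded opt-in; policy must decide"
    return "mailable", "non-EU segment: mailable under this policy"

# Constructed sample records covering each branch above.
SAMPLE = [
    Record("a@example.com", "US", "web_form", "checkbox", "2018-01-10", "whitepaper-form"),
    Record("b@example.com", "DE", "web_form", "checkbox", "2018-01-11", "whitepaper-form"),
    Record("c@example.com", "FR", "trade_show", "signed_form", "2018-02-01", "booth-consent", True),
    Record("d@example.com", None, "web_form", "checkbox", "2018-01-12", "webinar-form"),
    Record("e@example.com", "GB", "purchased_list"),
    Record("f@example.com", "CA", "sales_rep"),
]
```

Feeding your mailing tool only the records that classify as mailable, and routing the review bucket to whoever owns the policy, is the suppression step the post asks for in question 4.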
You can’t eat a whole pizza in one bite. GDPR can be intimidating but know that there are major benefits when you get there besides the reduction of compliance risk. Your data will be cleaner, your reporting will look better and most of all, your audience will have a better experience with your brand.
If you need help getting on track, reach out to me at firstname.lastname@example.org.
Here are a few resources to keep you busy researching how GDPR affects your business.
- CSO Online – Great overview of GDPR.
- ZDNet – Great overview of GDPR.
- GDPR Site – Resource to educate the public about the main GDPR elements.
- Full GDPR regulation – Put your reading glasses on for this one.
- The GDPR and The Marketer: A Practical Guide for the Marketo Customer (Marketo) – How GDPR applies to companies with Marketo.
- Lead generation after GDPR: Still a mystery for many – Why to switch to more of an Inbound model.
- 6 Reasons Why You Need a Mailing and Data Governance Policy – RevEngine Marketing’s view on why you need to start with a policy.
- What will the GDPR mean for B2B marketing professionals? (PDF)