GDPR compliance: 8 steps B2B marketers need to take

B2B Marketing Published: February 13, 2018
Forget Bitcoin. Personal data is the new currency.

Just think about what Facebook, Apple, Amazon, and Google have in common – they all thrive on collecting user data at scale.

Not only that, but their ability to effectively monetize this data with advertising has turned them into multi-billionaires. The more data you give, the richer they get.

Fair trade, right?

Data exchange has gotten out of control. Our name, address, location, work experience, bank details, and more have become the world’s most valuable commodity. Our digital footprint is actively monitored everywhere we go, whether on our phones, on the streets, or now, in our homes.

After all, even if we refused to give out our personal information, we’d completely isolate ourselves from society – away from our friends, world news, and everything in between.

This is exactly why the European Union (EU) released the General Data Protection Regulation (GDPR), a landmark privacy law which comes into effect on May 25, 2018.

By placing extensive restrictions on how companies collect, store, transfer, or utilize the personal data of EU individuals, the GDPR aims to put the control back in the hands of consumers as they gain greater transparency over their private information.

As long as your company does any of the following…

  • Process personal data of EU individuals (e.g., direct information, location data, online identifiers, etc.)
  • Have an establishment in the EU
  • Offer goods or services to EU individuals (i.e., language, currency, mentioning EU customers)

… the GDPR applies to you.

In other words, any company doing business in any of the 28 EU member states, physically or remotely, can be caught by GDPR if it doesn’t comply. The thing about “compliance” is that you not only have to be proactive in demonstrating it, but you also have to involve the whole company in the process (not only Legal), namely, sales, marketing, product, and even HR.

From a marketing standpoint, what’s your piece of the puzzle? What can you do individually or in a department to ensure your company complies? Most likely, you’re a ‘Data Controller’ – meaning you decide what’s “personal data” and how it’s to be processed. In this case, you have new legal responsibilities.

Luckily for you, we’ve put together this handy checklist, highlighting the 8 steps B2B marketers need to take in order to meet the standards of the GDPR:

Step 1: Raise awareness

As mentioned earlier, the GDPR isn’t an issue you can simply hand to Legal and expect to be solved.

Raising awareness across the organization is extremely important for preparing and aligning your marketing strategies with the upcoming changes. In particular, consider decision makers, C-level executives, and anyone who’s responsible for inputting and storing your marketing data.

You may also need to consider training employees, implementing a comprehensive internal communications plan, and bringing in additional resources to ensure data compliance. Make sure there’s at least one marketing delegate who is devoted to GDPR and can represent the marketing team’s objectives to the company.

In most circumstances, organizations that store large volumes of data are advised to designate a DPO (data protection officer) to carry out the data protection strategy within the company.

Step 2: Map existing data

Conduct a thorough check into which personal data is currently held through a “data audit”. You will need to appoint people across the business to facilitate the audit. This is a very significant piece of work, so get started ASAP.

Some questions the GDPR requires you to be able to answer include:

  • Who are your data subjects? (e.g., customers, employees, partners)
  • What personal data is processed? (e.g., name, address, email, IP address)
  • Where is their personal data stored? (e.g., CRM, marketing automation) Are you able to quickly access and erase it?
  • Who in the company has access to this data? Who inputs/erases it?
  • Is the data shared with any third-party platforms? (e.g., a digital advertising platform) If so, do these third-party platforms share it with other parties?
  • Why is personal data being processed?
  • What mechanisms do you have in place to protect this personal data?
  • How is data being processed? How long should it be kept for?
  • What are the timeframes for keeping and erasing personal data?

Check out this GDPR personal data audit template.

Step 3: Revise privacy policy

Let’s face it: privacy policies are painful!

We never personally read them, nor do we expect our audience to. That’s why the GDPR expects you to complete a comprehensive review of your current privacy notices and make sure they’re super clear, concise, and easy to read! None of that legalistic language and lengthy text.

In practice, your privacy notice must indicate:

  • Which personal information you’re collecting
  • Why it’s being collected
  • How it will be used (e.g., whether it will be shared with third parties)
  • Who is collecting it
  • How long the data will be kept for
  • Individuals’ rights:
    • The right of access, rectification, restriction, and objection
    • The right to lodge a complaint
    • The right to withdraw consent at any time

Here’s a great example of a ‘bad’ and ‘good’ privacy notice:

 

The driving force behind any B2B marketing campaign is lead generation. But to generate leads in the first place, you need their permission.

Under the GDPR, a data subject must provide explicit and clear consent before you can legally collect his or her personal information. Check if the way you seek consent complies with GDPR.

Consent requires a positive opt-in, with no pre-ticked boxes, for example. That’s why all of your web forms (e.g., for webinar registration, eBooks downloads, blog subscriptions) must clearly outline why personal data is being collected, how it will be stored and used, and what you’ll be sending them in the future.

GDPR also safeguards individuals’ “Right to Be Forgotten.” Therefore, you have to provide a simple way for them to withdraw their consent (to opt-out). For example, have a clear “unsubscribe” button at the top of all marketing emails.

By May 25, you must prove the consent of every existing contact in your database; otherwise, they must be removed. If you’re worried about losing a significant portion of leads, you’d better launch a re-engagement campaign.

Email every contact who you would like to approach with relevant information in the future (e.g., newsletters, events, blog posts, webinar details). Remember, the purpose is to demonstrate consent, so reassure individuals that their needs and pain points are top-of-mind for your organization.

Be frank by informing them of the following items:

  • How did you get their personal data in the first place?
  • Why are you re-engaging with them? (e.g., to provide them with more blog digests)
  • What can they expect to receive in the future, given that you have their consent? (e.g., promotions, events)
  • How can they control what they receive? (e.g., to freely opt-out)

Step 6: Examine marketing automation platform

Looking at how you gather data and where it’s being stored is critical for reaching GDPR compliance. As a B2B marketer, your personal data is most likely managed with a marketing automation platform, in which case you must ensure it’s also compliant.

Have no fear! You’ll be required to make a few key changes. Firstly, we recommend that you work closely with your customer success/support manager to understand what steps need to be taken to reach compliance.

Secondly, you’ll need to ensure that your existing leads have given you complete consent (as highlighted above), or they will have to be erased completely from your MAP.

Step 7: Ensure smooth data transfers

What happens if a user asks to reveal their data? How would you respond appropriately?

Individuals can request to access, transfer, delete, and trace their personal data at any given time. As a general rule, you only have 30 days to respond.

Ideally, you should implement an automatic mechanism to support such requests in a scalable way. More importantly, ensure that the data you provide is presented in a well-structured format, such as a CSV file, and that it can easily be imported by other data controllers.

Step 8: Think positive!

It may sound a little cliche, but despite the many obstacles presented by GDPR, there are also numerous opportunities.

Firstly, GDPR calls for fewer opt-ins and, therefore, a much leaner database. As a result, your marketing campaigns will be more targeted, and your audiences will be far more engaged.

Additionally, with email no longer being the most effective channel for delivering your message, you’ll have to turn to alternative methods where consent is easier to obtain.

Social media is a perfect example of a channel where audiences initiate the first point of interaction. Their consent is freely and explicitly given as they like, follow, or connect with your brand’s page. Check out this article for more information on how social media can safely overcome your GDPR challenges.

Bottom line

Everyone in the company has a role to play regarding GDPR compliance, including marketing! The sooner you start auditing your marketing data and aligning your web forms, privacy notices, and campaigns with the GDPR obligations, the less likely your company will face harsh penalties.

As always, look for updated information. The ICO (Information Commissioner’s Office) constantly publishes new guides and articles to help your company interpret and comply with the GDPR.


Frequently Asked Questions

Which B2B companies are required to comply with GDPR?

The GDPR applies to any B2B company that processes personal data of EU individuals, has an establishment in the EU, or offers goods or services to EU individuals (e.g., using their language, currency, or mentioning EU customers). This means any company doing business physically or remotely in any of the 28 EU member states must comply.

What are the primary responsibilities of B2B marketers under GDPR?

As a 'Data Controller,' B2B marketers are responsible for deciding what constitutes personal data and how it's processed. Key responsibilities include raising awareness across the organization, conducting a thorough data audit to map existing personal data, revising privacy policies to be clear and concise, and managing explicit consent for all data collection and processing activities.

How does GDPR impact lead generation and consent management for B2B marketing?

Under GDPR, B2B marketers must obtain explicit and clear consent from individuals before collecting their personal information for lead generation. Consent requires a positive opt-in, without pre-ticked boxes, and web forms must clearly outline why data is collected, how it will be stored and used, and what future communications to expect. Marketers must also provide a simple way for individuals to withdraw consent ('Right to Be Forgotten') via clear opt-out options.

What is involved in a GDPR data audit for B2B marketing departments?

A GDPR data audit requires a thorough check of all personal data currently held. This involves identifying data subjects (customers, employees, partners), what personal data is processed (names, addresses, emails, IP addresses), where it's stored (CRM, marketing automation), who has access, if it's shared with third parties, the purpose of processing, and how long it will be kept. This audit is a critical first step to ensure compliance and ability to manage data subject rights.

What changes are necessary for B2B privacy policies to comply with GDPR?

GDPR mandates a comprehensive review of existing privacy notices to ensure they are super clear, concise, and easy to read, avoiding legalistic language. A compliant privacy notice must indicate which personal information is being collected, why it's collected, how it will be used (including third-party sharing), who is collecting it, how long the data will be kept, and explicitly outline individuals' rights such as the right of access, rectification, restriction, objection, and the right to withdraw consent at any time.
