This is a marketer’s guide to GDPR, to ensure you’re completely covered and have your marketing processes in order when dealing with GDPR regulations.
Do you hold and process the personal data of EU citizens?
This guide is for marketers who work in companies in the EU, and who process information about EU citizens. Many companies based outside of the EU may also inadvertently process data relating to EU citizens – so the first step for those companies is to audit their data and discover whether any of it relates to EU citizens. Once that is complete and you have found that you do in fact process EU citizen’s data then you should also follow the rest of this guide.
Get familiar with your IT team
With the rise of digital marketing and martech solutions, like CRM and inbound marketing software, the marketing team and the IT team have never been closer. The majority of GDPR compliance falls under the responsibility of both marketing and IT. In this guide, we’ll discuss the items that fall under marketing, but you will need to work closely with your IT department or provider to ensure the full picture is complete.
The IT department will need your help to cover highly important elements of GDPR compliance, such as where data is stored (in what country, is it on a server on premises or in the cloud for example). If you migrated to the cloud recently, is there an old server backup lying around somewhere? If old versions of data are stored on a legacy machine, you might not use it, but hackers could potentially still access that data.
The IT department must also prepare for a security breach and ensure there are security measures along every step of the process through which data is used and shared, so you should be able to provide them with a step-by-step process through which customer data is accessed and used, including any third-party software used.
Begin by determining whether you have explicit consent to use the personal details of your current database, and for which exact purposes they have given consent for their data to be used. Ensure their consent for each purpose is documented and then divide your database into separate lists based on documented consent by purpose, and create a ‘next steps’ plan for each list – reaching out to reconfirm consent or request consent for different purposes for which you wish to (or have been) using their data, but for which you don’t have explicit consent. You may need to reconfirm opt-in in the following situations:
Based on the lists you identified in step 1, you must now create engaging campaigns to request contacts to opt-in or re-opt-in for certain purposes for which you wish to use their data.
This is no easy feat – particularly with the recent controversy over Cambridge Analytica and Facebook, consumer sentiment regarding the privacy of their personal data has never been more fraught with tension. So you must clearly convey the benefit to the consumer as to why they should provide you with consent to use their data, as well as conveying that the utmost care will be taken to ensure the safety of their data.
For any new contact details, you add to your database following your audit, you want to ensure there is a process in place to gather the required level of opt-in for each new contact, and that their details are added to the appropriate list based on opt-in for specific purposes.
GDPR regulations stipulate that consent must now be gathered by customers actively opting-in, rather than that being the default and them having to opt-out. For example, this means that check marks to allow sales and marketing communication at the end of contact forms must be unchecked by default, and users must check the boxes to opt-in. The below are some examples of ways that people can actively opt-in:
With any new marketing tool, innovation, strategy or idea there will always be a discussion as to how that will impact the bottom line of the business. You now need to get into the habit of also asking how every new project, tool or process will include and impact your collection, processing and storage of personal data.
If yours is a lead-gen business (as opposed to retail or ecommerce), marketing will likely bring the leads in and pass them on to the sales team for conversion.
In the past, your sales team might have taken databases who provided their email in order to download gated content or subscribe to the newsletter and contacted them with a sales pitch or offer of a free trial or demo, but under GDPR, unless they give explicit consent for the sales team to contact them, this practice is no longer permitted.
The sales team may not be as switched on to the upcoming GDPR regulations, thinking that they won’t impact on their daily working lives, but when there is now a significant portion of the company database they are not permitted to contact, their leads numbers will be looking much thinner. And they must understand the consequences of going against these rules and contacting those people anyway.
Hold GDPR training for the sales team to:
What third parties do you share data with? How do they use it? What are their GDPR policies?
This works in reverse too. If you’re a digital marketer in an agency as opposed to in-house, you are likely one of those third parties who handles many companies’ databases.
You may, for example, have clients who share with you documents, excel files, CRM access or website CMS access that shows you the personal data of their customers – email addresses, transaction information, name, address, email, phone number. This could be for reporting purposes, or you may, for example, upload their database email lists to their AdWords remarketing campaigns or RSLA campaigns.
Audit your dealings and levels of access for each client, and where you find you have access to personal data:
GDPR rules stipulate that you must be able to provide a full response to a request for information within one month at the latest. By ‘full response’ this must include:
While your IT team will take on the lion’s share of the work in preventing, preparing for and handling technical security breaches, often marketing and customer service are on the front line to field customer complaints and questions when a security breach makes the headlines.
While there has been a lot of alarming headlines about GDPR, mainly that the fine for non-compliance with GDPR regulations is equal to 4% of annual global revenue or €20 million, remember that this is the maximum fine, and will likely be reserved for repeat offences.
If you follow the guidelines above and document your process, you can show you are doing the utmost to comply with the regulations. We also recommend that you do not take this checklist as legal advice - you should work with your IT team and legal team to ensure there are no loose ends regarding compliance.