May 5, 2023
Many marketers are still confused when it comes to regulations around data privacy, especially the GDPR. There's a lot to take in, but how does it work in practical terms? The following marketer’s guide should help you get your marketing processes in order when dealing with GDPR regulations.
This guide is for marketers who work in companies that process information about EU citizens. Many companies based outside of the EU may also inadvertently process data relating to EU citizens – so the first step for those companies is to audit their data and discover whether any of it relates to EU citizens.
Pro tip: Don’t make the mistake of assuming that if you’re GDPR-compliant, you’re probably compliant in all markets. Although GDPR is arguably the most robust data regulation in the world, you must also be aware of the nuances of local regulations in any markets that you trade in, such as the California Consumer Privacy Act (CCPA).For full information on who is affected and where, consult the official EU GDPR site.
The majority of GDPR compliance falls under the responsibility of both marketing and IT. In this guide, we’ll discuss the items that fall under marketing, but you will need to work closely with your IT department or provider.
The IT department will need your help to cover highly important elements of GDPR compliance, such as:
Data is often regarded as the ‘new oil’. It makes sense to take steps to ensure you’re using it in a compliant way.
We have seen many high-profile data breaches in recent years, with resulting financial and reputational consequences. British Airways was fined £20 million for failing to protect the personal and financial details of more than 400,000 of its customers. And the Marriott hotel group was fined £80.5 million for failing to keep millions of customers' personal data secure.
Non-compliance can be caused by several factors. It may be a deliberate decision. Many organizations have been found to be less than transparent in how they use personal data, for example. In many cases, however, it is simply the result of human error or organizational carelessness. (This is why ongoing training is so important!)
Did you know? EU Data Protection Authorities issued nearly €1.1 billion in fines in the 12 months up to January 2022!
To ensure GDPR compliance, companies need to:
See our GDPR and Marketing article for more information on marketers’ responsibilities for GDPR compliance.
Here is our eight-step checklist for GDPR compliance:
In addition, provide the following details:
Top Tip: Lead from the top and identify advocates for data protection throughout the organization. GDPR isn’t just a marketing concern!
Begin by determining whether you have explicit consent to use the personal details of your current database, and for which exact purposes they have given consent for their data to be used.
Ensure their consent for each purpose is documented and then divide your database into separate lists based on documented consent by purpose. Next, create a ‘next steps’ plan for each list – reaching out to reconfirm consent or request consent for different purposes. You may need to reconfirm opt-in in the following situations:
Based on the lists you identified in step 1, create engaging campaigns to request contacts to opt-in or re-opt-in for certain purposes for which you wish to use their data.
This is no easy feat as consumer sentiment regarding the privacy of their personal data has never been more fraught with tension. People will be unwilling to share that valuable data with you if they don’t trust that you’ll use it in a reasonable and fair way. By showing your commitment to GDPR, you can help reassure customers and enhance your reputation.
Clearly convey the benefit to the consumer as to why they should provide you with consent to use their data, and assure them that the utmost care will be taken to protect their data.
Note: Verbal consent to a clear question on a recorded call is a valid form of opt-in. Create a script for team members making these calls.
For any new contact details you add to your database following your audit, you want to ensure there is a process in place to gather the required level of opt-in for each new contact, and that their details are added to the appropriate list.
GDPR regulations stipulate that consent must now be gathered by customers actively opting-in, rather than that being the default and them having to opt-out. For example, this means that checkmarks to allow sales and marketing communication at the end of contact forms must be unchecked by default, and users must check the boxes to opt-in.
Here are some examples of ways that people can actively opt-in:
You also need a separate opt-in consent for each way in which you wish to use their data. Once you have decided on your new opt-in process:
Remember: Your business is only as compliant as the least trained person on your team, so ongoing training of existing staff is essential!
If yours is a lead-gen business (as opposed to retail or ecommerce), marketing will likely bring the leads in and pass them on to the sales team for conversion.
In the past, your sales team might have taken databases of leads who provided their email in order to download gated content or subscribe to the newsletter and contacted them with a sales pitch or offer of a free trial or demo. However, under GDPR, unless the leads give explicit consent for the sales team to contact them, this practice is no longer permitted.
Hold GDPR training for the sales team to:
What third parties do you share data with? How do they use it? What are their GDPR policies?
If you’re a digital marketer in an agency (as opposed to in-house), you are likely one of those third parties who handles many companies’ databases. You may, for example, have clients who share with you documents, Excel files, CRM access or website CMS access that shows you their customers’ personal data.
Audit your dealings and levels of access for each client, and where you find you have access to personal data:
Being GDPR-compliant will help ensure you’re able to respond to data access requests in a timely and appropriate manner. Remember, one of the key principles of GDPR is that you make reasonable use of personal data, and customers may query you about this.
Did you know? This is sometimes called The Reasonable Person Test. What would a reasonable person consider practice to be legal and fair? Colloquially, this person is often referred to as the man on the Clapham omnibus!
GDPR rules stipulate that you must be able to provide a full response to a request for information within one month at the latest. A ‘full response’ must include:
Set up a streamlined process for retrieving this data:
While your IT team will take on the lion’s share of the work in preventing, preparing for and handling technical security breaches, often marketing and customer service are on the front line to field customer complaints and questions when a security breach makes the headlines.
Prepare boilerplate crisis communication documents that deal with the eventuality of a security breach, including:
On our Data Protection 101 podcast, Steven Roberts suggested the following five takeaways.
GDPR compliance helps you check that you have robust data protection processes in place and you can respond efficiently to any data breaches.
Being compliant with GDPR is not some ‘nice to have’. Organizations could face hefty financial fines and reputational damage if they fail to protect personal data. Being compliant makes business sense, and to stay compliant, you must keep up to date with the latest data trends and threats.
If you follow the guidelines above and document your process, you can show you are doing the utmost to comply with the regulations.
Note: Do not take this checklist as legal advice - you should work with your IT team and legal team to ensure there are no loose ends regarding compliance.
Data protection is now central to any digital strategy. Our digital marketing strategy course will not only cover the fundamentals of strategy but explore automation, analytics, budget, digital channels, leadership, and much more. Enroll today to get started!