If you look around your fellow business owners or digital marketers, you’ll probably see a lot of them making a big fuss about GDPR.
So what’s the big deal, and why should you care?
We know you work hard to grow your company, build a customer base, and convert leads.
However, some growth-focused strategies and technologies that are popular nowadays may be violating the General Data Protection Regulation (GDPR), which is going into effect on 25 May 2018.
This law will have an impact on many marketing activities, from lead generation to Facebook advertising, which are considered essential by many marketers.
Even though the GDPR is designed to protect the personal information of EU citizens, the line can become blurry if you sell to customers or service clients from all over the world – a common scenario in today’s digital economy.
Given the hefty penalty for violating this new regulation, which can cost a company up to 4% of annual global turnover or €20 Million (whichever is greater), it pays to make sure you whip your online marketing tactics into shape to be compliant with GDPR.
Reading through legalese probably isn’t your thing, so we have done some legwork for you. Here’s what you and your digital agency need to know about this new regulation:
Two Main Concepts You Need to Know About GDPR
For marketers who collect, process, store, and utilize the personally identifiable information (PII) of prospects and customers who are EU citizens, there are two main concepts to keep in mind:
In order to use PII for marketing purposes, you need to obtain explicit consent by asking users to opt in or opt out with a clear affirmative action.
That means you can no longer use pre-checked boxes or inactivity as implicit consent to track activities and send marketing communications.
In addition, you need to clearly communicate how you plan to use the personal data while keeping in mind the updated data subject rights in GDPR, which include breach notifications, right to access, right to be forgotten, data portability, privacy by design, and the appointment of a data protection officer.
B. Legitimate Interest
“Legitimate interest” can be used as grounds for collecting and utilizing users’ personal data without explicit consent, but not when the rights of the users override the company’s legitimate interest.
For example, an online seller doesn’t need to obtain consent to collect information required to complete a transaction from a shopper who is making a purchase.
However, “legitimate interest” can be open to interpretation, so it’s best to check with a legal professional on a case-by-case basis.
What You Need to Do to Stay GDPR Compliant
Keeping in mind GDPR’s key changes to data subject rights, here’s what marketers need to do ensure compliance and stay out of trouble:
1. Provide Proper Notice and Obtain Consent
Once users have submitted their information, store a copy of the notice and the consent along with the timestamp of the interaction for future reference.
Many email service providers offer GDPR compliant opt-in forms and allow you to segment your list by the level of permission given. Make sure you inquire about those features and update your webforms as necessary.
2. Provide the Ability to Withdraw Consent
Under GDPR, withdrawing consent needs to be as easy as giving it.
Provide a link for users to manage their subscription preferences or withdraw their consent on a subscription preference page, which can be created through your email service provider or CRM platform.
The page will reflect users’ affirmative opt-in for the communications they will be getting from you.
Users can also send a withdrawal of consent directly to your company, and you’d modify the preferences within your system.
3. Communicate the Use of Cookie
If you use cookie on your website to track users’ activities, you need to obtain their consent to do so.
Add a notification on your website for such affirmative opt-in and make sure the cookie-consent message is written in a language appropriate for each user’s location.
4. Offer the Ability to Permanently Delete Information
Users can request to have all their personal information deleted from your database. Such information could include email tracking history, call records, form submissions, and more.
Ensure that your email and contact system has the ability to perform a GDPR-compliant permanent delete. You should have a process in place to perform such deletion within 30 days of receiving a request.
5. Enable the Access and Portability of User Information
You should be able to grant access and portability of users’ personal data by exporting all contact records into a machine-readable format.
Personal data is defined as anything that can be used to identify a user, including name, email address, ID number, location information, IP address, or online identifier (e.g., a cookie).
6. Provide the Ability to Modify Data
Users should be able to modify the information in their contact record any time if they find it incomplete or inaccurate.
For example, you can add a link in your marketing emails to allow users to modify their profiles, or your sales reps can update the information when they interact with your customers.
7. Set Up a Process for Breach Notification
Under the GDPR, users need to be notified within 72 hours of any data breach that is likely to “result in a risk for the rights and freedoms of individuals.”
The tight 72-hour window for notifying users, customers, and controllers “without undue delay” after first becoming aware of a data breach means you need to have a well-designed process in place to detect breaches and notify users in a timely manner.
GDPR Is About Building Trust with Your Customers
When you look pass the legalese, GDPR is actually not that scary.
Many industry best practices designed to build trust and relationships with prospects and customers already address many of the rights mentioned in the new regulations so if you have been respecting the privacy of your subscribers you’re already more than halfway there.
Of course, you want to make sure your i’s are dotted and t’s are crossed. We are working with our clients to make sure their customer acquisition strategy is GDRP ready. Feel free to book a complimentary audit with us.