Data-driven marketing is no longer an option in today’s world; it’s a requirement. Modern marketers know that in order to successfully engage their customers, they need to understand them inside and out, and communicate with them according to their needs and expectations along the customer lifecycle.
This approach generally means collecting a lot of data – from IP addresses cookied on your website, to form fills and social media interactions. Marketing is often the owner of the customer profile data used for ongoing campaigns to prospects, customers and partners.
Now, for organizations with any kind of activity or customers in the EU, the regulations around how that data is collected, stored, and accessed are becoming more stringent with the General Data Protection Regulation (GDPR).
Does the GDPR affect your business? If it does, how will you have to change your marketing activities in the future? What is the deadline for compliance? We’ve got these answers and more below where we compiled the highlights you need to get ready for the GDPR.
If you’re looking for a deeper dive, check out our on-demand webinar for more specific tips on how GDPR will affect your business, and what you can do to prepare.
What is the GDPR?
The GDPR is a digital privacy regulation from the European Parliament, the Council of the European Union and the European Commission. It was adopted in April 2016 and becomes enforceable on May 25th, 2018. Failure to comply after that date could entail fines of up to €20 million or 4% of your global turnover.
The intent of the GDPR is to give EU citizens more control over their data privacy and to standardize the rules for any business working with an EU citizen’s data (whether the company is located in the EU or not). The last time the EU’s data privacy laws were updated was in 1995. A lot has changed since then with the rise of social media, smartphones, and digital marketing, so it follows that the personal data privacy laws needed a refresher.
Who does the GDPR apply to?
Once you start digging more into the language of the GDPR, you’ll see reference to three main entities that the GDPR involves:
- The data subject – This is the person whose data is being collected. If your data subject resides in the EU, then the GDPR applies to your company regardless of whether you are located in the EU or not.
- The data controller – This is the organization that is collecting or housing the data subject’s data (i.e. your company!).
- The data processor – This is the organization (or software) that processes data on behalf of the data controller. For the majority of our marketing clients, the data processor is Marketo (or any marketing automation platform) and Salesforce (or any CRM).
What data does the GDPR apply to?
The GDPR applies to a broad definition of personal data. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
What the GDPR means for marketing
By now it should be clear that digital marketers handle a lot of the data the GDPR applies to. So it follows that there are a few specific areas where the GDPR is going to change marketing processes.
1. Explicit Opt In
Under the GDPR, your contacts must now explicitly give consent for you to collect any of their personal data. Consent is clearly defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes” using “a clear affirmative action.”
What does this mean in layman’s terms? Basically, assuming that anyone who fills out a contact us form can now be marketed to is no longer going to cut it. You need to collect an explicit opt in for any further communications.
Here’s a great example of a GDPR compliant opt in form versus a non-compliant form. Note the explicit check box (not just a message at the bottom of the form) that lets contacts opt in to receive future marketing communications.
2. Data Transparency
Your contacts under the GDPR will have more control over how you collect and use their data. This includes their right to request a report of where their data is being used, and taking that a step further, requesting that you completely erase their data from your records.
This means that you will need to provide contacts with access to their data and the ability to rescind consent. Marketo will require an unsubscribe link in any email you send, but you can also customize your unsubscribe and preferences pages to give your contacts more control over how they receive communications from you.
3. Data Justification
The GDPR requires you to legally justify the processing of the personal data you collect. This means you’re only collecting data from your contacts that directly relates back to the value you are providing them as a company. Just like in the above two requirements, you will need to be prepared to come with receipts. During an audit, you must be able to prove not only what data you have (#2) but why you have that specific data and what value it brings to that contact. At the end of the day you need to prove the data you are collecting is always in the best interest of the contact.
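The three requirements above (explicit opt in, access and withdrawal, justification for every field held) can be modelled as a small consent ledger. The code below is an added example written for this post; it is not Marketo’s code or the original author’s, and the field names, purposes and sample form submissions are constructed for the illustration. It records consent only when the opt-in box was actively ticked (a pre-ticked box or a plain form fill yields no marketing consent), keeps consent specific to each purpose, stores the reason each field is held, and answers access, withdrawal and erasure requests.

```python
"""Consent ledger for marketing contacts: explicit opt in, access report, erasure.

Added example, not from the original post or from Marketo. Field names,
purposes and the sample submissions are constructed for the illustration.
"""
from datetime import datetime, timezone

# Reason each stored field is held (data justification, #3). Constructed for the example.
FIELD_JUSTIFICATION = {
    "email": "needed to deliver the content the contact requested",
    "name": "needed to address the contact in that delivery",
}


class ConsentLedger:
    """Per contact: what is held, why it is held, and which purposes were consented to."""

    def __init__(self):
        self._contacts = {}  # email -> {"data": {}, "justification": {}, "consents": []}

    def record_submission(self, form, now=None):
        """Store the submission; record marketing consent only on a clear affirmative action.

        `marketing_consent` must be True and must not come from a pre-ticked box
        (`consent_prechecked`): a default or silence is not consent.
        """
        now = now or datetime.now(timezone.utc)
        entry = self._contacts.setdefault(
            form["email"], {"data": {}, "justification": {}, "consents": []})
        for field_name, reason in FIELD_JUSTIFICATION.items():
            if form.get(field_name):
                entry["data"][field_name] = form[field_name]
                entry["justification"][field_name] = reason
        affirmative = form.get("marketing_consent") is True and not form.get("consent_prechecked", False)
        if affirmative:
            # Consent is specific: one record per purpose the form actually listed.
            for purpose in form.get("consent_purposes", []):
                entry["consents"].append({
                    "purpose": purpose, "given_at": now,
                    "source": form.get("source", "web form"),
                    "notice_version": form.get("notice_version"),
                    "withdrawn_at": None,
                })
        return entry

    def may_contact(self, email, purpose):
        """True only while an un-withdrawn consent for exactly this purpose exists."""
        entry = self._contacts.get(email)
        if entry is None:
            return False
        return any(c["purpose"] == purpose and c["withdrawn_at"] is None
                   for c in entry["consents"])

    def withdraw(self, email, purpose=None, now=None):
        """Unsubscribe / preference change: withdraw one purpose or all of them."""
        now = now or datetime.now(timezone.utc)
        entry = self._contacts.get(email)
        if entry is None:
            return 0
        count = 0
        for c in entry["consents"]:
            if c["withdrawn_at"] is None and (purpose is None or c["purpose"] == purpose):
                c["withdrawn_at"] = now
                count += 1
        return count

    def access_report(self, email):
        """Subject access request (#2): what is held, why, and the consent history."""
        entry = self._contacts.get(email)
        if entry is None:
            return None
        return {"data": dict(entry["data"]),
                "why_we_hold_it": dict(entry["justification"]),
                "consents": [dict(c) for c in entry["consents"]]}

    def erase(self, email):
        """Right to erasure: remove everything held about the contact."""
        return self._contacts.pop(email, None) is not None


# Constructed sample submissions; no real people.
SAMPLE_SUBMISSIONS = [
    # Ticked an unchecked box: valid consent, but only for the purpose listed.
    {"email": "alice@example.com", "name": "Alice Example", "marketing_consent": True,
     "consent_prechecked": False, "consent_purposes": ["newsletter"], "notice_version": "2018-05"},
    # Box arrived pre-ticked: no clear affirmative action, so no consent is recorded.
    {"email": "bob@example.com", "name": "Bob Example", "marketing_consent": True,
     "consent_prechecked": True, "consent_purposes": ["newsletter"], "notice_version": "2018-05"},
    # Plain content request with the box left unticked: data held to fulfil it, nothing more.
    {"email": "carol@example.com", "name": "Carol Example", "marketing_consent": False,
     "consent_purposes": ["newsletter"], "notice_version": "2018-05"},
]


def build_sample_ledger():
    ledger = ConsentLedger()
    for form in SAMPLE_SUBMISSIONS:
        ledger.record_submission(form)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for email in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(email, "newsletter ok:", ledger.may_contact(email, "newsletter"))
    print(ledger.access_report("carol@example.com"))
```

Only Alice can be mailed the newsletter, and nothing else: consent for a purpose the form never listed is never inferred. The `notice_version` and `source` fields are the "receipts" an auditor would ask for, and `withdraw` keeps the history rather than deleting it, so you can still show that consent existed and when it ended.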
How is Marketo responding?
As the data processor, your CRM and marketing automation systems have specific responsibilities for compliance with the GDPR. Marketo has stated on numerous occasions their full commitment to compliance with the GDPR as a data processor:
“Marketo will be in compliance with the GDPR by May 25th, 2018 and Marketo’s services already include the functionality necessary for our customers to comply with the GDPR’s consent requirement. We have carefully examined the relevant provisions of the GDPR and we are closely tracking applicable GDPR guidance issued by regulatory authorities. These steps are helping us to develop tools for our customers relevant to GDPR-compliant use of Marketo’s services.”
The main responsibility of a data processor under the GDPR is data protection. One way data processors meet that responsibility is by applying pseudonymisation to their data. The GDPR defines pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.”
One example of pseudonymisation is encryption, which makes the original data unreadable without a decryption key. Under the GDPR this key must be kept separate from the pseudonymised data.
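To show what "additional information kept separate" looks like in practice, here is an added example (my own, not code from the post or from Marketo). It uses keyed hashing (HMAC-SHA256) with a separately held vault in place of the encryption the post mentions, because Python’s standard library has no AES; the design point is the same: the dataset that marketing or analytics works on contains only tags, and only the vault (key plus lookup table) can attribute a tag to a person. The contact records, field list and key values are constructed for the illustration.

```python
"""Pseudonymisation of contact records with the key held separately.

Added example, not from the original post or from Marketo. Keyed hashing
(HMAC-SHA256) stands in for encryption; the KeyVault is the 'additional
information' the GDPR text refers to and would live in a separate,
more tightly controlled system than the pseudonymised dataset.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person (constructed list for the example).
IDENTIFYING_FIELDS = ("email", "name", "ip")

# Constructed sample contacts; no real people.
SAMPLE_CONTACTS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Example",
     "ip": "203.0.113.5", "campaign": "webinar-2018", "opened": 3},
    {"id": 2, "email": "bob@example.com", "name": "Bob Example",
     "ip": "198.51.100.7", "campaign": "webinar-2018", "opened": 0},
    {"id": 3, "email": "alice@example.com", "name": "Alice Example",
     "ip": "203.0.113.5", "campaign": "newsletter", "opened": 1},
]


class KeyVault:
    """Holds the HMAC key and the tag -> original lookup table.

    Anyone holding only the pseudonymised dataset cannot recompute a tag
    or look one up; anyone holding the vault can, which is why it must be
    stored and access-controlled separately.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}  # tag -> original value

    def _tag(self, field_name, value):
        # Field name is mixed in so an e-mail and a name that happen to be
        # equal strings do not collide; keyed so the tag cannot be computed
        # from a guessed value without the key.
        msg = f"{field_name}:{value}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:24]

    def pseudonym(self, field_name, value):
        tag = self._tag(field_name, value)
        self._reverse[tag] = value
        return tag

    def reidentify(self, tag):
        """Original value for a tag; raises KeyError once the link is erased."""
        return self._reverse[tag]

    def erase(self, field_name, value):
        """Right-to-erasure support: drop the link for this value. Rows in the
        pseudonymised copy stay usable as statistics but no longer name anyone."""
        return self._reverse.pop(self._tag(field_name, value), None) is not None


def pseudonymise_record(record, vault):
    """Replace identifying fields with tags; non-identifying fields are kept."""
    out = dict(record)
    for name in IDENTIFYING_FIELDS:
        if out.get(name) is not None:
            out[name] = vault.pseudonym(name, out[name])
    return out


def reidentify_record(record, vault):
    """Inverse of pseudonymise_record, for staff who legitimately hold the vault."""
    out = dict(record)
    for name in IDENTIFYING_FIELDS:
        if out.get(name) is not None:
            out[name] = vault.reidentify(out[name])
    return out


def unique_contacts(pseudonymised):
    """Analytics still works on the safe copy: the same person gets the same
    tag under the same key, so distinct e-mail tags count distinct contacts."""
    return len({r["email"] for r in pseudonymised})


if __name__ == "__main__":
    vault = KeyVault()
    safe = [pseudonymise_record(r, vault) for r in SAMPLE_CONTACTS]
    print(safe[0])
    print("distinct contacts:", unique_contacts(safe))
    print(reidentify_record(safe[0], vault))
```

Two properties matter for an audit. Under a different key the same address yields an unrelated tag, so a leaked analytics export cannot be joined with another system’s export unless both used the same vault. And because the tags are deterministic, someone who does hold the key can confirm whether a known address is present, which is exactly why custody of the key, not just of the dataset, is the control the regulation cares about.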
Getting started with compliance
So you’ve established that the GDPR applies to your company. While many of the compliance activities we’ve covered in this post involve marketing, ultimately it will be a company-wide data governance effort to make sure you are fully compliant with the GDPR. So where do you start?
- Start building your data governance team – Work with company leadership to prioritize a committee for GDPR compliance to ensure that the effort extends across your entire organization.
- Assess your current compliance state – Evaluate your existing data processes. What systems are currently processing any type of personal data? What’s the process for updating and removing data from these systems? Document where you are or aren’t compliant with the GDPR within these systems and use that as a baseline for where to focus your efforts.
- Create your data opt in and request processes – This is where you’ll get into the meat of designing your full GDPR compliance. Walk through everywhere you collect personal data, and make sure you’re posting privacy notices and are fully compliant with explicit opt ins for data consent. Evaluate any issues with security and document how you will detect and respond to any breaches. Determine the process for when your contacts request to access or delete their data. Start outlining how you will train the rest of the company on all of these processes.
- Compile documentation – Under the GDPR you’re required to supply copies of all of the above processes. Start collecting your documentation for your opt in forms, privacy notices, employee training, and any other processes you have in place to handle the processing of personal data and requests from contacts.
Have a question about the GDPR or just looking for some help in making sure your company is fully compliant?
Check out our on-demand webinar, “Spooked by GDPR” or contact us for more information.