Marketers - Are You Immune to GDPR?
Beginning May 25th, 2018, the GDPR will be in full force, and even us marketers need to make sure all of our ducks are in a row. That’s right - you too are subject to GDPR and now is the time to take action!
According to Forrester, many marketers don’t think the new regulation is relevant, while still others don’t even think that the data they’re collecting (and how it’s collected) is in scope. As your company is completing data assessments, identifying gaps in its data protection policies, appointing a Data Protection Officer, and rolling out updated policies to ensure compliance with GDPR, you are likely in mission-critical mode: generating leads for your company’s sales efforts.
Your lead generation program must be GDPR compliant as you very well may be collecting personal data from EU citizens without even knowing it. You know all those great landing pages and forms you built to capture leads? Well, there’s a chance the next lead that comes in is from an EU citizen and thus is subject to the regulation.
This personal data must be collected for 'specified, explicit and legitimate purposes' according to the GDPR. To best prepare for the coming changes and avoid financial and brand detriment, marketers need to reevaluate and adjust existing strategies for engagement. Here are a few basics that are paramount to compliance.
Probably one of the most important parts of successfully maintaining GDPR compliance is obtaining proper consent, and being able to prove its receipt. Organizations, including you marketers, will need to obtain explicit permission to collect, process or store personal data using language that clearly communicates how the data will be used. Gone are the days of hiding behind hard-to-understand legalese and technical language in the terms of consent and pre-marked checkboxes opting in unsuspecting website visitors.
Further, the consent must be use-specific, meaning that the data collected for something like downloading a whitepaper cannot be used for other purposes, like email marketing campaigns, unless you expressly state so. The collection of more data than is necessary for the stated purpose is prohibited, as is retaining data for longer than is necessary for the stated purpose. Organizations also must make it very simple for EU residents to withdraw their consent at any time. Any and all consent forms must also be stored and auditable in the event that a company needs to demonstrate that consent was given and for the intended purpose(s).
This consent shouldn’t sound threatening to the marketer striving towards increased engagement and “meeting the customer where they want to be met.” Plus, through opting in, a quasi-pre-qualifying event takes place and should give marketers the ability to reach out with engaging, personalized content to customers who are legitimately interested in your brand, services or products.
While historically every single process involving personal data may not be specifically identified, whenever an organization is planning on starting a new processing activity, purpose limitation, data quality and data relevance should be determined. There must be complete accountability and transparency in all processing activities regarding personal data, and outside parties must also comply with any relevant requirements that would impact supply, change management or procurement processes.
Marketers also need to be ready to prove that they were clear about how they intend to use personal data. This means no vague or general language like “marketing purposes” or “future research.”
Lack of opt-out abilities (think an “unsubscribe” button at the bottom of an email) will not be tolerated, nor will pre-checked boxes for opt-in, as this assumes consent. Marketers, think CAN-SPAM Act on steroids! Data subjects can change their mind and withdraw their consent – you better be ready to oblige, and quickly. In addition to making certain that data subjects can readily opt out of the collection of their data, data subjects have a right to demand that their data be exported and provided to them in an electronic and reusable format and even erased altogether. At the end of the day, data subjects can even bring a direct action against the company for the failure to comply with the opt-out principles of GDPR.
GDPR may seem daunting and onerous, but as long as your organization’s various teams work together, including the marketing department, you’ll find yourself comfortably compliant by the time May 25th rolls around. Do you have questions about the regulation heard ‘round the world? We’re always here to help, including our fellow marketers – just comment below or contact us here!