As a marketer or digital marketer, your job is to get the word out regarding your organization’s products and services. With the advent of new data privacy laws like the General Data Protection Regulation (GDPR), which went into effect May 25th, 2018, your job just got more difficult.
Under the regulation, citizens have greater control over their consumer data privacy and how organizations use personal data. GDPR is by no means all doom and gloom. Compliance is necessary on many levels and protecting end-user data should be important to all countries.
In order to better understand the impact of GDPR regulations on your business, it is necessary to first get a baseline of what GDPR is and how the new regulation is implemented.
What is GDPR?
The General Data Protection Regulation at its core is a legal framework. The framework outlines what is and is not allowed in the collection and processing of personally identifiable information (PII) for citizens of the European Union (EU).
While GDPR is focused on EU individuals, it will also affect companies in the United States that do business with customers in the EU. There are seven key principles for the lawful collection and processing of personal data. The seven principles are:
- Lawfulness, fairness, and transparency – Personal data needs to be fairly and transparently processed in a lawful manner when it belongs to an individual.
- Purpose limitation – Data must be collected for a specific and legitimate purpose and not processed in a manner that is incompatible with the initial purpose.
- Data minimization – Data must be kept in the form which permits the identification of subjects for no longer than is necessary for the purpose of data processing.
- Accuracy – Every reasonable step must be taken to ensure that personal data is accurate, processed for its intended purpose, and erased without delay.
- Storage Limitation – Personal data may be stored longer than its initial purpose, but only if the data will be processed for scientific, historical, or statistical purposes.
- Integrity and Confidentiality – Personal information must be processed in a manner that ensures the security of the data, including protection against unauthorized access or unlawful processing. Specific care must be given to accidental damage, destruction, and loss.
- Accountability – Controllers and processors of data are accountable for their processing and must demonstrate compliance.
The seven GDPR principles set out to define the lawful processing of personal information. Data processing includes alteration, collection, communication, erasure, restriction, storage, and use.
Which aspects of GDPR matter for marketers and marketing campaigns?
With a solid understanding of GDPR requirements, which areas should marketers pay special attention to? Typically, marketers have extensive databases, email marketing initiatives, and operations. The seven GDPR principles have become top of mind for marketers, but there are a few areas that especially matter. The three areas of most concern are data collection, data permission, and data storage/processing/erasure.
Data collection can come in many forms. Whether you are talking about email opt-ins, survey collection, website data collection, social media, or e-book downloads, individuals must now consent to any wider use of their data. A good example of the GDPR process: a user opts in to receive an artifact from your website and you collect the user’s information (like first name, last name, and phone number). Before you can use that information again for any other reason, you must contact the user and get permission. The key is to add specific data points where the user must agree to the terms and conditions and separately opt in to additional content like a newsletter or email list.
When collecting customer data to, say, convert a newsletter signup into a lead, be careful about what information is collected. Remember, the collected data must be scoped to the specific purpose and relevant only to the initial purpose. An example of collecting only the right information is a web form collecting information for a whitepaper. For the form and data collection to be GDPR compliant, the questions need to stay in the spirit of the whitepaper. Ask yourself: do I really need to know how many people are in the prospect’s household, or how long they have lived at an address, if the information I really need is a first name, last name, and email address?
As you learned above, any data that you collect and store must only be used for specific and legitimate purposes. You are only allowed to use collected marketing data for the purpose for which it was collected. If you plan to share the data you collected with another company, you need the consent of the person you collected the data from. Organizations must also make sure that stored data is protected at rest and in transit. This protection extends to unauthorized access, alteration, destruction, disclosure, and loss of PII.
The Marketer’s GDPR Checklist
A typical marketer’s GDPR checklist is as follows:
Do you process or store EU citizen information? – First and foremost, when it comes to your GDPR checklist, determine whether you process or store personal data of EU citizens before doing anything else. While strong data governance practices are a great idea for any organization, if you are certain that you hold no EU citizens’ data, focus on something else.
Do you use website cookies? – You are required to inform visitors to your landing page or website what types of cookies you use and get explicit consent. Be sure to look at all the marketing automation and publishing tools you use to make sure you’re including the right verbiage about your cookies.
Inventory your current database – What data do you have in your database today? Under GDPR you should be looking to include things like where the customer or prospect lives, opt-in data points, and overall data protection.
Who else has access to your database? – As a marketer, you may share information with other firms. Make sure you know who has access to your database and what they can do with the information. This goes both ways: if another organization grants you access to their database, make sure they are following policy.
The new normal of information requests – Automation and orchestration of information requests is critical to GDPR compliance. Make sure that customers and prospects can view in real time what data you have and how it is being used, and give them the ability to opt out or unsubscribe with full erasure in real time.
Assume Breach – A good rule of thumb in information security is to assume breach. There are harsh penalties for non-compliance and organizations that suffer a data breach and fail to have safeguards in place. Look at frameworks like Zero Trust in order to minimize or prevent breaches and seek legal advice before making sweeping changes.
Being a marketer in the post-GDPR era is going to be different. Many organizations are having to rethink the way they approach marketing, but they can use the shift to their advantage. Customers and potential customers should be enticed with the added value of a GDPR-ready organization. Consumers are clamoring for transparency and want to know how their data will be used. With data breaches on the rise, marketers that focus on security first will be the ones that companies gravitate towards. What, after all, is peace of mind worth?