GDPR Compliance: 8 Steps B2B Marketers Need to Take
Forget Bitcoin, Personal Data is the new currency.
Just think about what Facebook, Apple, Amazon, and Google have in common – they all thrive on collecting user data, at scale.
Not only that, their ability to effectively monetize this data with advertising has turned them into multi-billionaires. The more data you give, the richer they get.
Fair trade, right?
Data exchange has gotten out of control. Our name, address, location, work experience, bank details, and more, have become the world’s most valuable commodity. Everywhere we go, anywhere we are, whether on our phones, on the streets, and now, in our homes, our digital footprint is actively monitored.
After all, even if we refused to give out our personal information, we’d be completely isolating ourselves from society – away from our friends, world news, and everything in between.
This is exactly why the European Union (EU) released the General Data Protection Regulation (GDPR), a landmark privacy law which comes into effect on May 25, 2018.
By placing extensive restrictions on how companies collect, store, transfer or utilize personal data of EU individuals, the GDPR aims to put the control back in the hands of consumers as they gain greater transparency over their private information.
As long as your company does the following…
- Process personal data of EU individuals (e.g. direct information, location data, online identifiers etc.)
- Have an establishment in the EU
- Offer goods or services to EU individuals (i.e. language, currency, mentioning EU customers)
… the GDPR applies to you.
In other words, any company doing business in any of the 28 EU member states, physically or remotely, can be caught by GDPR if it doesn’t comply. And the thing about “compliance” is that you not only have to be proactive in demonstrating it, you also have to involve the whole company in the process (not only Legal); namely, sales, marketing, product, and even HR.
From a marketing standpoint, what’s your piece of the puzzle? What can you do on an individual or department level to ensure your company complies? Most likely you’re a ‘Data Controller’ – meaning, you decide what’s “personal data” and how it’s to be processed. In this case, you have new legal responsibilities.
Luckily for you, we’ve put together this handy checklist, highlighting the 8 steps B2B marketers need to take in order to meet the standards of the GDPR:
Step 1: Raise Awareness
As mentioned earlier, the GDPR isn’t an issue you can tell legal to take care of and everything will be solved.
Raising awareness across the organization is extremely important for preparing your marketing strategies and aligning them with the upcoming changes. In particular, consider decision makers, C-level executives, and anyone who’s responsible for inputting and storing your marketing data.
You may also need to look at training employees, implementing a comprehensive internal communications plan, and bringing in additional resources to get your data compliant. Make sure there’s at least one marketing delegate who’s devoted to GDPR and can represent the marketing team’s objectives to the company.
In most circumstances, organizations that store large volumes of data are advised to designate a DPO (data protection officer) to carry out the data protection strategy within the company.
Step 2: Map Existing Data
Conduct a thorough check into which personal data is currently held through a “data audit”. You will need to appoint people across the business to facilitate the audit. This is a very significant piece of work, so get started ASAP.
Some questions the GDPR requires you to be able to answer include:
- Who are your data subjects? (e.g. customers, employees, partners)
- What personal data is processed? (e.g. name, address, email, IP address)
- Where is their personal data stored? (e.g. CRM, marketing automation) Are you able to quickly access and erase it?
- Who in the company has access to this data? Who inputs/erases it?
- Is the data shared with any third-party platforms? (e.g. digital advertising platform) If so, do these third-party platforms share it with other parties?
- Why is personal data being processed?
- What mechanisms do you have in place to protect this personal data?
- How is data being processed? How long should it be kept for?
- What are the timeframes for keeping and erasing personal data?
Check out this GDPR personal data audit template.
Let’s face it, privacy policies are painful!
We never personally read them, nor do we expect our audience to. Hence why the GDPR expects you to complete a comprehensive review of your current privacy notices and make sure they’re super clear, concise, and easy to read! None of that legalistic language and lengthy text.
In practice, your privacy notice must indicate:
- Which personal information you’re collecting
- Why it’s being collected
- How it will be used (e.g. whether it will be shared with third parties)
- Who is collecting it
- How long the data will be kept for
- Individuals’ rights:
  - The right of access, rectification, restriction, and objection
  - The right to lodge a complaint
  - The right to withdraw consent at any time
Here’s a great example of a ‘bad’ and ‘good’ privacy notice:
Step 4: Manage Consent
The driving force behind any B2B marketing campaign is lead generation. But to generate leads in the first place, you need their permission.
Under the GDPR, a data subject must provide explicit and clear consent before you can legally collect his or her personal information. Check if the way you seek consent complies with GDPR.
Consent requires a positive opt-in; pre-ticked boxes, for example, are not allowed. That’s why all of your web forms (e.g. for webinar registration, eBook downloads, blog subscriptions) must clearly outline why personal data is being collected, how it’s going to be stored and used, and what you’ll be sending them in the future.
GDPR also safeguards individuals’ “Right to Be Forgotten”. Therefore, you have to provide a simple way for them to withdraw their consent (to opt-out). For example, have a clear “unsubscribe” button at the top of all marketing emails.
Step 5: Re-Engage to Gain Consent
By May 25, you have to prove consent of every existing contact in your database; otherwise, they have to be removed. If you’re worried about losing a significant portion of leads, then you’d better launch a re-engagement campaign.
Email every contact who you would like to approach with relevant information in the future (e.g. newsletters, events, blog posts, webinar details). Remember, the purpose is to demonstrate consent, so reassure individuals that their needs and pain points are top-of-mind for your organization.
Be frank by informing them of the following items:
- How did you get their personal data in the first place?
- Why are you re-engaging with them? (e.g. to provide them with more blog digests)
- What can they expect to receive in the future given that you have their consent? (e.g. promotions, events)
- How can they control what they receive? (e.g. to freely opt-out)
Step 6: Examine Marketing Automation Platform
Looking at how you gather data and where it’s being stored is critical for reaching GDPR compliance. As a B2B marketer, the personal data you hold is most likely managed with a marketing automation platform, in which case you have to make sure it’s also compliant.
Have no fear! There are a few key changes that you’ll be required to make. Firstly, we recommend you work closely with your customer success/support manager to understand what steps need to be taken to reach compliance.
Secondly, you’ll need to ensure that your existing leads have provided you with complete consent (as highlighted above) or they will have to be erased completely from your MAP.
Step 7: Ensure Smooth Data Transfers
What happens if a user asks you to reveal their data? How would you respond appropriately?
At any given time, individuals can request to access, transfer, delete, and trace their personal data. And as a general rule, you only have 30 days to respond.
Ideally, you should implement an automatic mechanism to support such requests in a scalable way. More importantly, make sure that the data you provide is presented in a well-structured format, such as a CSV file, and that it can easily be imported to other data controllers.
Step 8: Think Positive!
It may sound a little cliche, but despite the many obstacles presented by GDPR, there are also numerous opportunities.
Firstly, GDPR calls for fewer opt-ins and therefore a much leaner database. As a result, your marketing campaigns are going to be more targeted, and your audiences are likely to be far more engaged.
Additionally, with email no longer being the most effective channel for delivering your message, you’re going to have to turn to alternative methods where consent is easier to obtain.
Social media is a perfect example of a channel where audiences initiate the first point of interaction. Their consent is freely and explicitly given as they like, follow, or connect with your brand’s page. For more information on how social media can safely overcome your GDPR challenges, check out this article.
When it comes to GDPR compliance, everyone in the company has a role to play, including marketing! The sooner you start auditing your marketing data and aligning your web forms, privacy notices, and campaigns with the GDPR obligations, the less likely your company is to face harsh penalties.
As always, keep your eyes open for any updated information. The ICO (Information Commissioner’s Office) is constantly publishing new guides and articles to help your company interpret and comply with the GDPR.