GDPR: What it is and What it Means for Your Marketing Team

GDPR. Four letters that have struck fear into marketing teams across Europe. What’s been an elephant in the room for so long finally comes into force on May 25, 2018. But what exactly is the General Data Protection Regulation and how is it going to affect you?

This article provides the essential information you need.

What is GDPR?

The General Data Protection Regulation is an upgrade of the existing EU data protection laws. The idea behind the legislation is to make it easier for people to control how companies use their personal information.

GDPR rules mean that companies cannot collect and use personal information without consent. Personal information being, for example:

  • Name
  • Phone number
  • Email address
  • Internet browsing habits collected by cookies

Individuals can request a copy of any and all personal data that a company holds about them, which must be provided within 30 days. They can also request that data is deleted under the “right to be forgotten” law. Additionally, any data breaches must be reported to the relevant parties within 72 hours.

GDPR applies to personal data, which means it’s related to individuals rather than businesses. Therefore, the impact is expected to be greater for B2C companies than B2B companies. However, given that B2B marketers often deal with people within these businesses, this is not something that should be ignored.

Organisations have until May 25, 2018, to ensure all data processing activities are compliant. The maximum penalty for non-compliance can be up to €20 million or 4% of global annual turnover, whichever is greater.

What GDPR means for marketing teams

In B2C, consent from customers is required before any data can be collected or used. Consent is a clear “yes” or “no”.

In B2B direct marketing, the opt-out policy will remain similar to its current status under the Privacy and Electronic Communications Regulations (PECR), which is that electronic marketing messages (email, text, live chat, etc.) can be sent without prior consent, so long as there is a clear and simple way to opt-out.

However, there is a grey area, as specified by the Data Protection Network:

“The text is ambiguous as to whether a distinction can be drawn between corporate email addresses and individual email addresses. For example, will it still be possible to use opt-out for the former? The text can be read that member states will be able to make a provision for this under national law. However, even if this exemption holds, named corporate B2B data (e.g. joe.bloggs@company.com) is personal data and would have to be processed in line with GDPR. B2B marketers would therefore need to make a choice between using Consent or Legitimate Interests for sending electronic communications. It is hoped that as the text goes through the committee process there will be more clarity on this.”

GDPR doesn’t state that B2B organisations must obtain an opt-in for marketing (good news for live demos and online sales meetings), but it’s best to be transparent either way.

Why GDPR is a good thing for marketers

It has a lot of CMOs pulling their hair out, but GDPR should be seen as a great thing for marketing for several reasons:

  • Greater transparency increases trust. People are wary of sharing personal details with companies in fear of where their data will end up. Transparency creates a better understanding and means that companies need to communicate more openly and provide value to prospects. With prospects in control of how data is collected and used, trust between businesses and customers will greatly improve.
  • Respect needs to be earned. Marketers will have to work harder to convince prospects to hand over details. Attention will be harder to gain and quicker to lose, so valuable, meaningful relationships will be key.
  • Marketing needs to be better. Only the best content and customer interaction will survive. This is where tools such as live demos will become even more important for businesses — giving marketers and salespeople the chance to interact with prospects one-to-one to provide true value (there’s that word again!) and relationships that lead to sales.

How to prepare for GDPR

With the deadline for compliance looming, it’s important that marketing teams are fully prepared. Here’s what you need to do:

  1. Review and audit the ways that you currently collect, process, retain and remove data that may have come from non-compliant sources, such as scraping. You may wish to look into a tool such as ECOMPLY for this.
  2. Consider how long data needs to be retained.
  3. Look at data security: how data is protected and removed when it is no longer needed.
  4. Appoint a Data Protection Officer to take responsibility for data protection (this is often not necessary for startups or small businesses, but is a grey area you may need legal advice on).
  5. Review and amend current privacy notices.
  6. Raise awareness of the implications of GDPR with shareholders, decision makers and all other relevant parties.
  7. Review the six lawful bases for processing data. According to the Information Commissioner’s Office (ICO), these are:
    • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
    • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
    • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
    • Vital interests: the processing is necessary to protect someone’s life.
    • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
    • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
  8. Ensure there is a clear and simple way for people to opt-out of communications
  9. Regularly review data collection procedures and privacy policies to ensure your business remains compliant.

For marketing teams, GDPR is about greater transparency and more personalised marketing. Create campaigns that are focussed on value and building meaningful relationships. Give prospects an understanding of why they should opt-in and what they can gain from it, and you’ll earn their long-term trust.