There’s been a lot of chatter about GDPR recently and how it will have a big impact on marketers, in particular, those doing business within the EU, and those companies outside the EU marketing to EU citizens. We've seen a lot of confusion in the North American market so let's run through all the GDPR basics to get you up to speed.
What is GDPR?
For reference, we first blogged about GDPR back in September 2017 - New Rules For Collecting Inbound Leads And Data From EU Citizens. GDPR stands for General Data Protection Regulation and it’s being brought in by the EU to replace the UK Data Protection Act of 1998.
Why is it being introduced?
GDPR is being introduced for two key reasons. Firstly, to update an older law which was created before a massive increase in the usage of Internet and cloud services. Secondly, GDPR is designed to give the EU an identical set of laws for every member state.
Who does it affect and when?
Originally, the law actually came into force on 24/05/2016 but businesses were given a two year period to comply (until 25/05/2018). It will affect both businesses (controllers of data) and IT processors (such as software companies).
GDPR will apply to all parties, even those outside of the EU if they deal with EU residents’ data.
How do we need to handle data under GDPR?
As a business (a controller of data) you need to make sure personal data is used for a specific purpose and handled lawfully and transparently. Once the specific purpose is carried out and the data is no longer needed, it's a requirement that the data is deleted, and therefore a process needs to be in place to delete 100% of the data trail.
“Lawful” is the key word here, and it covers a range of alternative grounds. You must ensure at least one of these applies: the person has given their consent for the data to be processed, or the processing is needed to fulfil a contract or a legal obligation.
How do we gain consent?
As marketers, the consent issue will be the big change here. We need to put a process in place to ensure contacts are giving an active and affirmative confirmation.
This active consent means passive acceptance such as asking people to opt-out after the fact or pre-ticked boxes are no longer allowed. We also need to keep a record of how they gave consent and allow them to withdraw that consent at any point if they request it.
Which data is included?
Any data which was included in the original EU Data Protection Act is included and the scope has been expanded further. One noticeable change for inbound marketers is that IP addresses and online identifiers are included.
So the data we need to look at includes common marketing form fields such as those below:
- Phone number
- Email address
- Job title
- Place of work
- IP address
It’s also worth noting that this applies to both B2B and B2C data.
What are the penalties?
The penalties are much more severe than under the previous law; if you fail to follow the basic principles, such as gaining consent, you could be fined up to €20m or 4% of global turnover, whichever is greater.
You will also be penalized if you do not report any data breaches within 72 hours. Previously companies have not reported issues and hoped no one would find out. GDPR intends to eradicate this lack of transparent business practice.
"If your business is outside the EU, and you actively do business with EU citizens either in a B2B or B2C capacity, you will likely have individuals filling out your online forms and providing you with their personal data, so you will still have to comply fully with GDPR."
Impact on Inbound Marketing
If you are practicing Inbound Marketing you're most likely in good hands, as you're already on the right side of this law, whereas those practicing outbound marketing are going to need to seriously review their EU data acquisition strategy. With inbound marketing, all you need to do is review a few tactics.
To make sure you are fully compliant with GDPR, these are some of the areas you need to look at:
- Landing pages and forms - You will need to ask for proper consent to market to people in an opt-in fashion (not a pre-ticked checkbox) and include a link to your policy on:
- Why you are asking for the data
- How you will use it
- Clear opt-in and opt-out rules - The best approach is to adopt double opt-in. After the contact has filled in the form, they should get an email asking them to confirm their email address and opt-in. This approach is also a good way of keeping your database clean!
- Email follow-ups and automation - Making sure you only use the data in a specific way, e.g., if someone downloads an eBook on X subject - they are only giving consent to receive information about X subject. You don’t then have consent to send them information on subject Y.
- Request for data - Document a process so that if individuals request to understand their data, you can provide it (how you handle it, who has access to it, and how they gave consent). You need to be able to provide this information within 30 days of the request.
- Your software - It will be helpful to use software which can help with the process and data requests. We use HubSpot, which has proven ideal as:
- HubSpot has their software and data process fully documented, with automatic compliance
- It’s easy to provide customers with their contact record and data
- You can delete the data, securely, at one touch of a button
- Your current database - Audit your current database to try and establish consent; this audit may be a good time to do a cleanse and be honest about why data was captured.
- Cookie and IP opt-in - They have been around since EU Cookie Law but now might be a good time to implement a consent for Cookies and IP tracking.
- Hiring a data protection officer - If you have 250 or more employees and your core business is to process data, you will need to look into hiring a Data Protection Officer.
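The checklist above (affirmative opt-in, double opt-in confirmation, consent scoped to the subject the contact asked about, a record of how consent was given, and the ability to hand the data over or delete the whole trail on request) can be captured in one small backend component. The following is an added, hypothetical example written for this post; it is not HubSpot's code or THE BRIT AGENCY's, and the class and method names (ConsentLedger, record_form_submission, may_send, export, erase) are assumptions chosen for illustration.

```python
"""Purpose-scoped consent ledger with double opt-in (hypothetical example)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """One consent grant: who gave it, for what purpose, and the proof of how it was given."""
    email: str
    purpose: str                  # e.g. "ebook-x-updates"; consent is scoped to this alone
    form_id: str                  # which landing page / form captured it
    ip_address: str               # IP addresses are personal data under GDPR, so they are in scope
    requested_at: datetime
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is clicked
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical in-memory store; a real deployment would persist this."""

    def __init__(self):
        self._records: List[ConsentRecord] = []
        self._pending_tokens: Dict[str, ConsentRecord] = {}   # sha256(token) -> record

    def record_form_submission(self, email, purpose, form_id, ip_address,
                               checkbox_ticked_by_user, now=None):
        """Store the grant as pending and return the token to put in the confirmation email."""
        if not checkbox_ticked_by_user:
            # A pre-ticked box or a silent submission is not active, affirmative consent.
            raise ValueError("consent requires an affirmative opt-in action")
        rec = ConsentRecord(email, purpose, form_id, ip_address,
                            now or datetime.now(timezone.utc))
        self._records.append(rec)
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked database cannot be used to confirm on someone's behalf.
        self._pending_tokens[hashlib.sha256(token.encode()).hexdigest()] = rec
        return token

    def confirm(self, token, now=None):
        """Double opt-in: the contact clicked the link. Each token works exactly once."""
        rec = self._pending_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None:
            return False
        rec.confirmed_at = now or datetime.now(timezone.utc)
        return True

    def may_send(self, email, purpose):
        """Only confirmed, unwithdrawn consent for exactly this purpose permits a send."""
        return any(r.email == email and r.purpose == purpose
                   and r.confirmed_at is not None and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, email, purpose=None, now=None):
        """Withdraw one purpose, or every purpose when none is given; returns the count."""
        count = 0
        for r in self._records:
            if r.email == email and (purpose is None or r.purpose == purpose) \
                    and r.withdrawn_at is None:
                r.withdrawn_at = now or datetime.now(timezone.utc)
                count += 1
        return count

    def export(self, email):
        """Answer a subject access request: what we hold and how consent was given."""
        return [dict(purpose=r.purpose, form_id=r.form_id, ip_address=r.ip_address,
                     requested_at=r.requested_at.isoformat(),
                     confirmed_at=r.confirmed_at.isoformat() if r.confirmed_at else None,
                     withdrawn_at=r.withdrawn_at.isoformat() if r.withdrawn_at else None)
                for r in self._records if r.email == email]

    def erase(self, email):
        """Delete the full trail for a contact, pending tokens included; returns how many records went."""
        before = len(self._records)
        self._records = [r for r in self._records if r.email != email]
        self._pending_tokens = {k: v for k, v in self._pending_tokens.items()
                                if v.email != email}
        return before - len(self._records)
```

The design choice worth noting is that `may_send` checks the purpose string, not just the email address: a contact who confirmed interest in eBook X is not a valid recipient for subject Y until a separate grant for Y is recorded and confirmed, which is exactly the scoping rule the email follow-ups item above describes.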
Want to learn a bit more from the source? I recommend reading the official documentation (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/) and asking others in your marketing team, IT teams, and management to do the same.
Looking for a technology which can handle your GDPR compliance needs and make it easy? The HubSpot Marketing Platform and the HubSpot CRM are perfect software tools to use. HubSpot are making substantial changes to their product to help you comply with the regulations. Check out the HubSpot GDPR playbook or watch this quick-hit two minute HubSpot video.
THE BRIT AGENCY is a B2B Digital Marketing Agency providing Inbound Marketing, Inbound Website Design, and Inbound Sales services to companies around the world. We're focused on growing website traffic, qualified leads and sales, using the Inbound lead generation and marketing automation process.
THE BRIT AGENCY is a Certified Platinum Tier HubSpot Partner, a HubSpot CMS and GDD certified Inbound Website Design Agency, a HubSpot Certified Trainer, a Shopify eCommerce Partner, and a certified "Google Badged Agency Partner". We have offices in Toronto and Barrie, Canada ... and Salisbury, UK.