By now every marketer has (hopefully) done some research into the GDPR and knows they need to get to work on becoming compliant before May 25th 2018.
If you aren’t quite sure what the GDPR is about: it is the new General Data Protection Regulation, adopted in 2016 and applying from 25 May 2018, which replaces the previous Data Protection Directive (95/46/EC). The important difference between the two is the type of legal instrument. A directive from the EU means that every member state has to write its own national law based on it. This time we are dealing with a regulation, which applies directly in every EU member state, so everyone works from the same set of rules (member states still have some room for national provisions, but far less than before). For us as marketers this is good news: many of us gather data on people across European countries, and in the past it has been a pain to deal with national rules that were tighter in some countries than in others. Yes, Germany, we’re looking at you!
Reasons to become compliant
If you have looked into the GDPR, you also know why you’ll have to be compliant. Supervisory Authorities exist in every EU country and they can fine organisations that do not comply with the regulation up to 20 million euro or 4% of global annual turnover, whichever is higher. Even without a fine, they can order you to stop processing certain data and therefore halt business-critical processes.
There is a lot to think about when you’re becoming GDPR compliant. It’s a task for the entire organisation. Legal, IT, Sales and Marketing will have to collaborate to become fully compliant with the regulation but there are a few things you can do as an inbound marketer to make your job easier, even if your organisation is still figuring out how to handle the GDPR.
Step one: Document consent
Consent is only one of the six legal bases (Article 6) under which you are allowed to process personal data; the others include performance of a contract and legitimate interests. Storing data in your CRM is itself processing. So you may have contacts in your database who never gave specific consent but are there because they are a customer. That’s fine, albeit with a few caveats, as long as you can name the legal basis you rely on for them.
You are not allowed to send people email marketing without an opt-in. This rule isn’t new: it comes from the ePrivacy Directive (implemented in the UK as PECR), which is due to be replaced by a new ePrivacy Regulation aligned with the GDPR (the draft was expected to land in 2018). The ePrivacy rules do allow a limited ‘soft opt-in’ for existing customers who were offered an opt-out at the point of sale, but don’t rely on it without legal advice.
The GDPR has a lot to say about consent. Under Article 4(11) consent has to be ‘freely given, specific, informed and unambiguous’, and it has to be given by a statement or a clear affirmative action. So no more vague statements at the end of a form, hidden notices on your landing page or pre-ticked boxes: Recital 32 says outright that silence, pre-ticked boxes or inactivity do not count. That takes care of ‘unambiguous’.
Next up is ‘freely given’. Article 7(4) means you can no longer make a product or service conditional on an opt-in to receiving marketing information. So no more ‘free’ applications offered purely to harvest personal data, and no more hiding the unsubscribe option from your customers. Consent must also be as easy to withdraw as it was to give (Article 7(3)), and the information you provide has to tell people about their right to withdraw and their right to complain to a Supervisory Authority as clearly as you present the opt-in itself.
Take action: Review your current consent wording and opt-ins today. Make sure consent is freely given, specific, informed and unambiguous, and keep a record of who consented, when, through which form and to which version of the wording, so you can demonstrate it later. Refer to consent, opt-out options and how people can complain in your privacy notice.
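What ‘document consent’ looks like in practice, as an added example that is not BusinessBrew’s code or part of the original article: an append-only consent ledger that refuses to record anything that was not a clear affirmative action, keeps a hash of the exact wording shown, logs withdrawals as events instead of deleting the opt-in, and can list contacts whose live consent predates your current wording. Field names, the e-mail key and the purpose label are assumptions for illustration.

```python
"""Consent ledger sketch (added example, not the article's or BusinessBrew's code).

Assumptions (not from the article): contacts are keyed by e-mail address,
consent wording is versioned by the marketing team, and each purpose
(e.g. "email_marketing") is consented to separately so it stays specific.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal, kept forever so consent can be demonstrated."""
    email: str
    purpose: str          # one purpose per event, e.g. "email_marketing"
    granted: bool         # True = opt-in, False = withdrawal
    source: str           # the form or channel where it was captured
    text_version: str     # label of the wording the person saw
    text_hash: str        # sha256 of that exact wording (empty for withdrawals)
    timestamp: datetime   # UTC


class ConsentLedger:
    """Append-only log of consent events; nothing is ever edited or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, email: str, purpose: str, source: str,
                      consent_text: str, text_version: str,
                      box_ticked: bool, box_prechecked: bool = False,
                      when: Optional[datetime] = None) -> ConsentEvent:
        # Recital 32: silence, pre-ticked boxes or inactivity are not consent,
        # so refuse to log anything that did not come from a clear action.
        if box_prechecked:
            raise ValueError("pre-ticked box is not a clear affirmative action")
        if not box_ticked:
            raise ValueError("no affirmative action; nothing to record")
        event = ConsentEvent(
            email=email.strip().lower(), purpose=purpose, granted=True,
            source=source, text_version=text_version,
            text_hash=sha256(consent_text.encode("utf-8")).hexdigest(),
            timestamp=when or datetime.now(timezone.utc),
        )
        self._events.append(event)
        return event

    def withdraw(self, email: str, purpose: str, source: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        # Article 7(3): withdrawing must be as easy as giving consent, so a
        # withdrawal needs nothing more than who, what and where it came from.
        event = ConsentEvent(
            email=email.strip().lower(), purpose=purpose, granted=False,
            source=source, text_version="", text_hash="",
            timestamp=when or datetime.now(timezone.utc),
        )
        self._events.append(event)
        return event

    def latest(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this contact and purpose (insertion order breaks ties)."""
        key = email.strip().lower()
        matches = [e for e in self._events if e.email == key and e.purpose == purpose]
        if not matches:
            return None
        return sorted(matches, key=lambda e: e.timestamp)[-1]  # stable sort

    def has_consent(self, email: str, purpose: str) -> bool:
        e = self.latest(email, purpose)
        return bool(e and e.granted)

    def needs_reconsent(self, purpose: str, current_version: str) -> List[str]:
        """Contacts whose live consent was given under older wording."""
        emails = {e.email for e in self._events if e.purpose == purpose}
        stale = []
        for em in sorted(emails):
            e = self.latest(em, purpose)
            if e and e.granted and e.text_version != current_version:
                stale.append(em)
        return stale


def demo() -> dict:
    """Constructed walk-through: opt-in under v1 wording, wording bumped to v2, then withdrawal."""
    ledger = ConsentLedger()
    ledger.record_opt_in("Jane@Example.com", "email_marketing", "tofu-ebook-form",
                         "Yes, send me the monthly newsletter.", "v1", box_ticked=True)
    after_optin = ledger.has_consent("jane@example.com", "email_marketing")
    stale = ledger.needs_reconsent("email_marketing", "v2")
    ledger.withdraw("jane@example.com", "email_marketing", "unsubscribe-link")
    after_withdrawal = ledger.has_consent("jane@example.com", "email_marketing")
    return {"after_optin": after_optin, "stale_under_v2": stale,
            "after_withdrawal": after_withdrawal}
```

The ledger never overwrites an opt-in when someone unsubscribes; the withdrawal is a second event, so you can still show a Supervisory Authority what was agreed, when, and when it was withdrawn. The hash of the wording is what lets you prove which text the person actually saw once your privacy notice or opt-in copy changes.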
Step two: Data minimisation
A lawyer specialising in privacy asked a group of marketers: “Do you really need their life story in order to do your job?” Most likely you don’t. When we build an inbound marketing strategy at BusinessBrew, we always advise developing a few standard forms to use across your funnel:
1) Top of the Funnel form
2) Middle of the Funnel form
3) Bottom of the Funnel form
4) Event signup form
5) Contact us form
You might need more forms over time, for example when you are working on a piece of co-marketing and the data collected will be shared with a third party. However, building every new form from these standard forms helps you collect data only when you need it and when your lead is most likely to share it. You don’t need a phone number at the top of the funnel: your conversion rate will drop if you ask for it, and data you never collected cannot be exposed in a breach.
Beyond GDPR, using standard forms keeps your life simple if you need to add, change or remove fields or when you want to update your opt-in text.
Something else to consider in light of data minimisation is your ‘open’ form fields such as ‘How can we help?’ You might be, unknowingly, collecting special-category data that requires additional measures under the GDPR, or simply data that you do not need. An example: you’re collecting feedback on one of your products and a customer mentions that the buttons on the device are too small, which is a problem because she has arthritis. Oops. Now you’re processing health data, a special category under Article 9 that needs its own explicit legal basis and extra safeguards. A simple way to reduce the risk from open form fields is to use them only on your Bottom of the Funnel forms, which a marketing or sales rep reviews. Bear in mind that review alone does not undo the processing: the text is already in your CRM, so agree a process for redacting or deleting special-category data that arrives this way.
Take action: Review your forms and try to build your three main forms for Top of the Funnel, Middle of the Funnel and Bottom of the Funnel. Based on your buyer’s journey decide on what information you actually need from prospects at each stage of the journey.
Step three: Privacy starts with PR
Privacy, quite literally, starts with PR. The regulation has a few requirements for your privacy notice and how it should be written.
Firstly, your privacy notice should be easily understandable for your target audience. Meaning that if you sell to lawyers, sure, your legal team can write it. However, if you sell to normal humans that speak non-legal language, you should probably ask someone who speaks to your customers to write your privacy notice.
The GDPR does not say who has to write the privacy notice, but Article 12 requires the information to be concise, transparent, intelligible and in clear and plain language, so your marketing team is well placed to own the wording, with legal reviewing it. It’s a good idea to have a few of your customers read your privacy notice and ask them for feedback. Do they understand what you’re doing with their data and why? Do they know who to contact in case of a concern?
Your privacy notice should contain at least the following items (Article 13 lists them in full):
1) What data you’re collecting, and who the controller is, with contact details.
2) For what purposes you’re collecting the data, and the legal basis for each purpose.
3) How long you’re planning to keep the data, or the criteria you use to decide that.
4) Whether you transfer data outside the EU, and what safeguards you rely on when you do.
5) Whether you share the data with third parties, including other controllers or processors, at least by category.
6) Who your Data Protection Officer is and their contact details, if you have one. Even if you don’t have a DPO, list a central contact for data enquiries and requests.
7) Their rights under the GDPR: how people can opt out of marketing communications, withdraw consent, and request access to, correction of, restriction of processing of, erasure of or portability of their data, plus their right to complain to a Supervisory Authority.
These three steps are a good way to start working towards demonstrating GDPR compliance. As I mentioned, GDPR is a huge task and you should collaborate across your organisation, but marketers can get started now by documenting consent, limiting the amount of data they collect and clearly communicating to their audience how they deal with it.
Every marketer should understand the basics of privacy law and the GDPR. It’s simply not optional in our field anymore.
Nikita Smits-Jørgensen is co-founder of inbound marketing and GDPR consultancy BusinessBrew. ISO certified in privacy regulations for sales and marketing (GDPR / PECR), she works with marketers in plain English to get them GDPR-ready.
Nikita met fellow BusinessBrew founder Evelyn Wolf during their time at inbound marketing powerhouse HubSpot, where they helped businesses of all sizes and industries, as well as marketing agencies, build their lead-to-customer funnels.
BusinessBrew is geared to help companies make the most out of their inbound marketing and privacy efforts in the most time and cost-efficient manner through workshops, training and the delivery of strategic playbooks.