GDPR Compliance and Marketing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

There’s nothing that will send a shudder up the back of a marketer’s spine quicker than the term “compliance” or the phrase “recent changes in regulations”.

Unfortunately, that’s exactly what this article is about.

But don’t go getting all in a tizzy right off the bat. Slow it down, take a deep breath, and hear us out.

We’ve got your back.

If you’re a business owner or marketing officer, then you’re going to love this article because it’s going to quickly and effectively bring you up to speed on the newest consumer data regulation that’s been dropped.

The GDPR is especially relevant to you if you’re a direct player in marketing or public relations arena because it will be directly impacting email marketing strategies and the manner in which professionals pitch company information to journalists.

So, if you’ve been interested in learning more about this newly implemented regulation, then look no further than these next few lines.

GDPR text with compliant-relevant logos surrounding

What is GDPR

The acronym GDPR stands for “General Data Protection Regulation”. This recent digital privacy regulation was officially introduced in May of this year and is meant to help bring standardization to various privacy legislations across the European Union.

The GDPR is meant to shift the “ownership of customer data from the organizations that use it to the individual customer”.

In short, EU regulators have been concerned over the exploitation of consumer data for quite some time and as a result, decided to implement a wide-reaching body of legislation in order to protect and empower the individual.

And when it comes to data protection, we’re not just talking about simple email addresses and phone numbers. Oh no, my friend, GDPR covers much more than that — specifically any data which can be used to identify an individual in any way.

This includes everything from psychological data to cultural, religious, socioeconomic and genetic data. All of these officially fall under the scope of GDPR.

Furthermore, the GDPR applies not just to businesses working with customer data but also to any legal entities working with said aforementioned businesses.

GDPR Compliance

According to a recent article by Forbes, this amount is no small fee. Failure to comply results in a hefty fine. In Europe, the amount is “20 million Euros or 4% of a company’s global revenue, whichever is larger”.

When it comes to GDPR compliance, there are a few things that you as a business owner need to do in order to stay in tip-top shape.

First and foremost, ensuring that you properly achieve customer consent prior to processing or storing customer data is of utmost importance. However, despite what some may think — it’s not just a one and done process.

It’s also important to note the various requirements associated with the act of properly achieving customer consent.

For example, it’s required that consent be “laid out in plain, straightforward language” and also “clearly” explain to the customer how their data will be used and for how long it will be used and stored.

This is the case whether you’re pitching your product, content or services to a lead or a journalist in order to gain publicity.

It’s important to understand that when it comes to GDPR, there are no distinctions which separate these two in terms of regulation and compliance.

So what happens if a company runs into a situation where the customer doesn’t respond?

Previously, failure for a customer to respond resulted in a company being able to pass this lack of response off as consent.

However, now that GDPR is in full effect, this is no longer the case as companies have the burden of proof.

In other words — you as an organization must be able to prove that you received approval from customers in order to use their information.

So, once consent is achieved, we’re all set?

Nope. Companies are also responsible for ensuring that the terms of consent remain accurate and consistently up-to-date with the customer’s most current information and the purpose for which the data collected is used.

Phew! Okay — are we finished then?

Not quite just yet. It’s also worth noting that the customer always has the right to withdraw consent and that you as a company are required to take action when such a request occurs within what the GDPR considers a “reasonable timeframe”.

Furthermore, when such request is made, it’s essential that a company not only remove “all traces of the customer data from its repositories, as well as any other repositories downstream where the data may have been shared and stored”.

Now, if you’re thinking that this sounds like a potentially daunting task, then you’d be correct. In fact, a recent report by Symantec found that a whopping 90% of businesses studied stated that they felt the task of having to properly delete customer data was “too difficult”.

Even more interesting was the fact that the study found 60% of these businesses didn’t even have the proper systems in place in order to effectively manage the situation.

Steps Your Company Can Take to Remain Compliant

Manuel Grenacher, Chief Executive Officer at Coresystems AG has a few tried and true suggestions for companies looking to stay ahead of the game when it comes to GDPR compliance.

Data Protection Officer (DPO)

First — Grenacher suggests that companies hire what is called a data protection officer (DPO) if they don’t already have one on board who can handle “regular and systematic” monitoring and processing of data on a large scale.

In fact, if you are a public authority or a company that has more than 10 – 15 employees and processing personal data is a part of what you do, it’s required that you appoint a DPO.

Data Protection Impact Assessment (DPIA)

The Data Protection Impact Assessment (DPIA) is a requirement for any company which stores personal data in permanent storage. The DPIA is essentially an audit of your “processes and procedures” and is implemented in order to gauge how these processes “affect or might compromise” an individual whose data is being stored, collected or processed.

The 72 Hour Limit

A 2016 study on consumer privacy conducted by TRUSTe/NCSA discovered that 92% of online customers mentioned “data security and privacy” as a concern on their minds and 57% of consumers honestly don’t even have any faith that companies will manage their data responsibly.

This is such important information to keep in mind.

Regardless of the amount of hard work and preparation your company does in order to ensure that you maintain the highest level of compliance and protection for your customers’ data — breaches will continue to remain a constant and substantial threat.

In the event you run into a situation where a data breach happens, the GDPR has a strict requirement that you report it to the local data protection authorities within 72 hours.

Consumers are already untrusting enough as it is when it comes to their perception of your ability to properly manage their personal information. If a breach happens — be up front, honest and handle it expeditiously.

The Data Minimization Principle

The data minimization principle suggests that companies should limit the collection of an individual’s personal information solely to what is “directly relevant and necessary”. It also stipulates that companies should only retain data for as long as it is necessary to fulfill whatever specified purpose they have.

Data Permission, Data Access, Data Focus venn diagram

GDPR and Marketing

Okay, so now you’re aware of the basic fundamentals surrounding the concept of GDPR and how it can and will impact you and your business processes. But what does all of this mean specifically with regards to your marketing processes?

Well, let’s discuss email opt-ins for a moment.

Email Opt-Ins

It’s safe to say that pre-ticked boxes which automatically opt individuals in to receive communications from your company isn’t going to cut it. Even further, you’re going to need to get express consent in a “freely given, specific, informed and unambiguous” manner which is additionally “reinforced by a clear and affirmative action”.

This means that every individual, every lead, every partner, every contact that you send marketing content towards is going to have to physically confirm that they actually would like to be contacted by your company in the first place.

SuperOffice exhibits a great example of how they altered their opt-in form in order to remain compliant with the new regulations.

The only time where a company is not required to follow this procedure to a T, is when it comes to referrals.

In the event an individual enters an associate’s information for the purpose of claiming an offer, a company is not required to receive explicit consent in order to contact them as long as the data being received on the associate is neither being stored nor processed.

However, if a company plans on using this information in any way, shape or form, then they will be held in violation of the GDPR.

Easy Access of Consumer Information‍

Another thing to keep in mind when it comes to marketing is to ensure that the customer’s data is made easily accessible to them in the event they should decide at any time to withdraw consent.

A simple and effective method of doing this is including an unsubscribe link in your marketing correspondence. Thankfully, the vast majority of companies already do this.

Focus, Focus, Focus

Let’s be honest — do we really need to know a customer’s favorite color before they’re able to opt in to our email correspondence? If you’re a business owner or marketing officer, then chances are you’ve grown accustomed to hoarding as much data as you possibly can for the purpose of analyzing it and extrapolating relevant information.

However, it’s important to keep in mind that the GDPR requires you to have a legally justifiable reason for the collection, processing and storage of any and all data that you collect. This includes their favorite color.

With that in mind, some of us may find ourselves needing to scale back a bit so as to avoid collecting unnecessary data.

Conclusion

There’s nothing that will bring a shudder up the back of an individual’s spine more than the word “compliance” or the phrase “recent change in regulation”.

However, the truth of the matter is that attaining GDPR compliance isn’t some far-fetched unattainable goal. Quite the contrary, many businesses already have policies in place that help them comply.

The key takeaway that we want you to receive with this article is the need to truly value and respect your consumers and their personal data. Let’s be honest, pretty much everyone insists that this is their ideal, however studies have shown that far too many companies are falling short when it comes to the actual real-life implementation of regulations which do so.

But not you — because you’ve just been brought up to speed and so you’re already one step ahead of your competition.

Lucky you.

‍Got any questions about GDPR Compliance and Marketing that weren’t covered in this article? Let us know and leave a comment below! We’d love to hear from you!

Or if you'd rather have it handled for you...

Contact us for full Strategic Planning on any compliance you might need!

‍Sources:

GDPR Compliance and Marketing - A Complete Guide