If you’re like most global marketing people, you’ve likely been spending more time on GDPR than you’d like. For those not intimate with GDPR, it stands for General Data Protection Regulation. Starting on May 25th, 2018, this new data privacy regulation from the European Union comes with some heavy fines for non-compliance, and it directly impacts how marketers do their jobs in a large majority of the EMEA region.
GDPR Foundational Elements:
- GDPR impacts how organizations capture, process and use all contact data in the EU.
- The US does not have a national set of rules surrounding personal data protection. However, US companies targeting individuals in the European Union need to comply.
- There is no distinction between customers and non-customers in GDPR.
- There is no distinction between whether an organization markets B2B or B2C.
There have been a whole bunch of articles written by smart people on what GDPR is. I’ll break down (my interpretation) what it means for marketers.
At its core, this privacy rule says that organizations cannot use (or some believe even posses) personally identifiable data to leverage for marketing purposes without explicit consent from the individual. What constitutes personally identifiable data? Well, without creating a long list, it’s everything modern marketers have learned to collect in their CRM and Marketing Automation tools. This includes simple contact data (name, company, phone numbers) as well as cookie data and other behavioral data sets. Remember, this is focused on contacts in the EU.
What does this mean for global marketers?
- You can not email contacts in the EU unless you have explicit consent (yes, this includes customers).
- You can’t collect cookie or behavioral data that is linked to contacts in the EU without explicit consent.
- You probably can’t have a database full of contacts residing in the EU (this depends on the amount of risk you’re willing to take).
- For EU contacts, it impacts data append, data collection from events, the data your sales team is allowed to add, and even impacts how you may pass leads to a channel partner.
For the rest of this post, we’ll focus on some highly actionable things that you can have your marketing agency do (fairly easily) to head down the road to compliance.
Many organizations are using “explicit consent” as the way to manage GDPR. Explicit consent, also known as express or direct consent, means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information.
Taking explicit consent into account, below is the list of actions your web design, digital and/or marketing automation agency can take to start you down the road to compliance:
- Country Field: Add a country field to all of your contact forms on your website (if one does not already exist). Your website agency or digital agency should be able to leverage whichever marketing automation solution you’re using to accomplish this in short order. This will help you understand which contacts require opt-in.
- Explicit Consent: When countries are selected outside of the US, you’ll need to have logic created to display a tick-box that the contact can click on to explicitly opt-in to future marketing communications. Remember, even if they opt-in, GDPR would say that they’ve only opted into specific items that have been clearly stated. With that said, you’ll need to work with your legal council to figure out the right verbiage for both the opt-in as well as an update to your website privacy policy.
- Cookie Tracking: Add an opt-in / opt-out option on your website for cookie collection and usage. There are a number of plugins and apps that accomplish this. You can even make them so that they only appear to certain country IP addresses, or are based on the language setting in the contacts browser. The goal of this approach is to be compliant where you need to be while removing the opt-in/opt-out select from displaying for contacts that don’t require it.
- Update Core CRM / Marketing Automation Systems: You’ll need to make updates to CRM and Marketing automation tools, allowing fields to note whether someone has opted in or out. Whichever agency you use to work on these tools will be able to make the changes easy enough. It will be up to you and your team to make sure you don’t mass-email any contacts that have not explicitly opted-in using the above-mentioned web-form collection methods.
This is a short list, and covers some of the easiest pieces and parts to support compliance with GDPR. There is a whole lot more. However, if you can get these items done, and make sure that you’re not pounding EU contacts, that have not explicitly opted-in, with email messages you should be ok in the initial days, weeks and maybe even months of GDPR.
Nobody really knows how to interpret all the regulations set forth by GDPR. What you want to avoid is being the first company that they attack and bring forth to help create “law” around what’s ok and what isn’t.
—-
Quick legal disclaimer – I’m not a lawyer. What I’ve written here should not act as legal advice. If you do business in the European Union, you should definitely get your legal council involved in any decisions…. Period.