In a world after the Facebook data breach, data privacy has become more important than ever. People are unwilling to allow their personal data to fall into unknown hands to use as they see fit. Customers don’t feel like they signed up for a breach of privacy when they signed up for your email list. But what does this have to do with the marketing industry? Read on.
The good news for EU citizens is that starting on May 25, 2018, the General Data Privacy Regulation (GDPR) will add an extra layer of protection for personal data. The legislation will have a huge impact on how organizations (large and small) obtain, store, manage, and process personal data.
The problem is that, according to a HubSpot survey, only 36% of marketers have heard of GDPR, and 15% of those have done nothing to prepare. Why should this matter to you? GDPR is going to impact the entire marketing industry, and you’re going to have to be ready to implement a variety of changes if you want to stay in compliance.
Why Is GDPR Important?
Data is a key component to marketing success, and any regulation that changes how data can be obtained, used, and maintained will have endless ramifications. Even if your company is based outside the EU, GDPR could apply to you as long as you control or process the data of any EU citizens.
And if you don’t think the GDPR really matters, think again. If you’re not in compliance, the penalties are severe. Your organization could incur fines up to €20 million or 4% of your global annual revenue (whichever is greater). And even small violations could equal big fees, so non-compliance is not a risk you should be willing to take.
But though the GDPR may be more work for your marketing team, it is good news overall. The legislation will target those companies that use shady marketing practices and put their own needs ahead of consumers’ needs. For example, buying lists, cold emailing, and spam will no longer be viable marketing tactics.
The best news of all, GDPR will have little to no impact on your inbound marketing practices. Producing and distributing valuable content is one of the best ways to gain new customers. Your chances of success will only increase as the “grey area” players are kicked to the curb.
GDPR’s Impact on Marketing
So, how exactly will the new GDPR impact your marketing practices? It’s going to require you to review all of your marketing processes and tools to ensure they adhere to the strict legislation that prioritizes customer privacy. There are six main questions you’ll want to ask your marketing department.
- What personal data do we collect and store?
- How do we obtain this data? Did our customers provide the necessary consent required, and did we inform our customers how we’ll use their data? Were we crystal clear about our purpose and offering the customer the ability to withdraw their consent at any time?
- How long do we hold our data—longer than necessary? Do we keep it up-to-date?
- Is our data stored safely and securely using encryption as an extra privacy measure? And do we only use the data for its stated purpose?
- Do we collect any special categories of data, such as children’s data or biometric data, and if so, do we meet the standards in place for those special categories?
- Do we transfer EU data outside of the EU? If so, how do we protect it?
Once you have the answers to these questions, you can start looking at the various stages of your marketing strategy to ensure that you’re handling personal data correctly at each and every stage.
Data Collection
From the moment you start collecting marketing data, the GDPR goes into effect. The key here is transparency. Before you collect any data, even if it’s through cookies, you’ll need to request consent from the customer. Consent can no longer be assumed, and you can’t use “opt-out consent” either. Instead, you’ll need to set up a system where your customers are required to specifically agree to how you’re collecting data and how you’re using it. Customers should also be able to opt-out of consent at any time.
In addition, the GDPR also provides limits on the amount of data you can collect. No longer can you collect excess data, “just in case” you might need or what it some data. The GDPR only permits your marketing team to collect relevant data that are limited to what is necessary for the intended use.
Data Use
Under the GDPR, when collecting data, you’ll also need to tell your customers exactly what you’re going to use their data for and gain consent for that specific purpose. You’ll need to set up a system where your customers are required to agree on how you’ll use their data. And if you ever change how you want to use your customer’s data, you’ll need to go back to them and let them know the changes, requesting consent once again.
Data Storage & Protection
Once you have the data, the GDPR requires you to store it securely with the appropriate security provisions in place. This means that you’ll need to protect all personal data from unauthorized use, accidental loss, disclosure, access, destruction, and alteration. And depending on the type of data you collect, you may also need to add encryption for an extra layer of protection. Standards of storage differ based on the sensitivity of the data you collect.
Data Accuracy & Accountability
According to the GDPR, storing out-of-date data is a problem. You must ensure that your data is as accurate as possible and that consent is always up-to-date.
The key to this is keeping clear records of your compliance. This may mean that you appoint a data protection officer (DPO) to ensure that all of your data is being collected, stored, used, and processed appropriately. You’ll also want to put policies in place that govern every aspect of data collection, use, storage, protection, and accuracy within your organization.
Data Retention and Deletion
Finally, under the GDPR, there are specific rules for how long you may retain a customer’s personal data before it needs to be deleted. In the simplest terms: you can retain personal data for as long as it’s necessary for your purposes. This means that you need a plan in place for how long you will hold onto data before deleting it once a relationship has been terminated. If you are required to keep specific data for a certain period of time due to auditing laws, make sure this policy is made clear to your customers.
And when it comes to deletion, by request of the customer or after the termination of the relationship, the data should be deleted not only from your system but from all systems that had data access. This means that if a vendor’s system used your customer’s data down the line, they’d also need to delete the data.
Final Thoughts on GDPR and Marketing
The General Data Protection Regulation (GDPR) isn’t necessarily bad news for your marketing team. What it really focuses on is providing greater transparency and personal data control to EU citizens. To ensure that your organization remains in compliance, just remember to:
- Be upfront and transparent with your customers about when and how you’re collecting data, including how it will be used.
- Always get customer consent for data collection and use.
- Store and protect all personal data based on GDPR standards.
- Keep all data up to date.
- Put a policy in place for data retention and deletion after relationship termination.
The GDPR goes into effect on May 25th, so make sure your organization is prepared.