There’s a lot of talk about GDPR at the moment in marketing circles, and rightly so. It could have a big impact on marketers, in particular those practicing digital / inbound marketing techniques.
So let’s just jump right in...
What is GDPR?
GDPR stands for General Data Protection Regulation and it’s being brought in by the EU to replace the UK Data Protection Act of 1998.
Why is it being introduced?
GDPR is being introduced for two key reasons. Firstly, to update laws which were written before the boom in internet and cloud services. Secondly, to give the EU single market an identical set of laws.
Who does it affect and when?
The law actually came into force on 24/05/2016 but businesses were given a two year period to comply (until 25/05/2018). It will affect both businesses (controllers of data) and IT processors (such as software companies).
It will apply to all parties, even those outside of the EU, if they deal with EU residents’ data.
How do we need to handle data under GDPR?
As a business (controller) you need to make sure the data is used for a specific purpose and handled lawfully and transparently. Once the specific purpose has been carried out and the data is no longer needed, it is a requirement that the data is deleted.
“Lawful” is the key word here, and it has a range of alternative meanings - the key ones for marketers are below. You must ensure that at least one of these applies:
- The person has given their consent for the data to be processed
- The processing is needed to comply with a contract or legal obligation
How do we gain consent?
As marketers, the consent issue will be the big change here. We need to put a process in place to ensure contacts are giving an active and affirmative confirmation.
This active consent means passive acceptance, such as asking people to opt out after the fact or using pre-ticked boxes, is no longer allowed.
We also need to keep a record of how they gave consent and allow them to withdraw that consent at any point.
Which data is included?
Any data which was included in the Data Protection Act is included, and the EU has also increased the scope further. One notable change for inbound marketers is that IP addresses and online identifiers are included.
So, common marketing fields / data, such as those below, are included:
- Phone number
- Email address
- Job title and place of work
- IP address
It’s also worth noting that this applies to both B2B and B2C data.
What are the penalties?
The penalties are much more severe; if you fail to follow the basic principles, such as gaining consent, you could be fined up to €20m or 4% of global turnover, whichever is greater.
You will also be penalised if you do not report any data breaches within 72 hours. Previously companies have not reported issues and hoped no-one would find out. GDPR intends to eradicate this lack of transparent business practice.
But I’m from the UK, and we are leaving the EU - does this still apply?
While we are a member of the EU, which the UK will most certainly be in 2018, we are bound by GDPR.
It is also believed that the UK will adopt the same legislation when the UK leaves the EU, so companies using data from the EU can continue to do so legally.
Impact on Inbound Marketing
If you are practicing inbound marketing already, the good news is you are already on the right side of this policy change, whereas those practicing outbound marketing are going to need to seriously review their data acquisition strategy. With inbound marketing, all you need to do is review a few tactics.
To make sure you are compliant, these are some of the areas you need to look at:
- Landing pages / forms - You need to ask for consent to market to people in an opt-in fashion (not a pre-ticked checkbox) and include a link to your policy on:
  - Why you are asking for the data
  - How you will use it
  - Clear opt-in and opt-out rules
- Adopt the double opt-in approach - After the contact has filled in the form, they should get an email asking them to confirm their email address and opt in. This approach is also a pretty good way of keeping your database clean!
- Email follow ups and automation - Making sure you only use the data in a specific way, e.g., if someone downloads an eBook on X subject - they are only giving consent to receive information about X subject. You don’t then have consent to send them information on Y subject.
- Request for data - Document a process so that if individuals request to understand their data you can provide it (how you handle it, who has access to it, and how they gave consent). You need to be able to provide this information within 30 days of the request.
- Your software - It may be helpful to have software which can help with the process and data requests. We use HubSpot and that is ideal as:
  - HubSpot documents each contact’s full journey automatically
  - It’s easy to provide customers with their contact record and data
  - You can delete the data, securely, at one touch of a button
- Your current database - Audit your current database to try and establish consent; this audit may be a good time to do a cleanse and be honest about why the data was captured.
- Cookie and IP opt-in - These have been around since the EU Cookie Law, but now might be a good time to implement consent for cookie and IP tracking.
- Hiring an officer - If you have over 250 employees or your core business processes data, you will need to look into hiring a Data Protection Officer.
- Learn a bit more - I would advise reading the official documentation (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/) and asking others in your team, IT teams, and management to do the same.
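To make the consent points in the list above concrete, here is an added example (not code from the original post, and not HubSpot’s own implementation) of a minimal consent ledger: consent is only recorded when the visitor actively ticks the box, each consent event records how and where it was given, consent is scoped to the topic the contact signed up for, it can be withdrawn at any time, the whole record can be exported for a data request, and it can be erased. All class and method names are hypothetical.

```python
"""Added example of a consent ledger (hypothetical names, not from the original post)."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List
import json


@dataclass
class ConsentEvent:
    topic: str      # what the contact agreed to hear about, e.g. "ebook-x"
    granted: bool   # True = opt-in, False = withdrawal
    source: str     # where it happened, e.g. "landing-page:/ebook-x"
    method: str     # how it happened, e.g. "unticked-checkbox", "double-opt-in-email"
    at: str         # ISO-8601 UTC timestamp, so the record shows when consent was given


@dataclass
class ContactRecord:
    email: str
    fields: Dict[str, str] = field(default_factory=dict)       # name, job title, etc.
    consent_log: List[ConsentEvent] = field(default_factory=list)
    confirmed: bool = False   # set once the double opt-in email link is clicked


class ConsentLedger:
    def __init__(self) -> None:
        self._contacts: Dict[str, ContactRecord] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def capture_form(self, email: str, fields: Dict[str, str], topic: str,
                     checkbox_ticked_by_user: bool, source: str) -> ContactRecord:
        """Record a landing-page submission. A consent event is written only if
        the visitor actively ticked the box; a pre-ticked default is not consent."""
        rec = self._contacts.setdefault(email, ContactRecord(email=email))
        rec.fields.update(fields)
        if checkbox_ticked_by_user:
            rec.consent_log.append(
                ConsentEvent(topic, True, source, "unticked-checkbox", self._now()))
        return rec

    def confirm_double_opt_in(self, email: str, topic: str) -> None:
        """Called when the contact clicks the confirmation link in the follow-up email."""
        rec = self._contacts[email]
        rec.confirmed = True
        rec.consent_log.append(
            ConsentEvent(topic, True, "confirmation-email", "double-opt-in-email", self._now()))

    def withdraw(self, email: str, topic: str, source: str = "unsubscribe-link") -> None:
        """Consent can be withdrawn at any point; the withdrawal is logged, not silently dropped."""
        rec = self._contacts[email]
        rec.consent_log.append(ConsentEvent(topic, False, source, "unsubscribe", self._now()))

    def may_email(self, email: str, topic: str) -> bool:
        """Purpose limitation: the address must have passed double opt-in and the
        most recent consent event for *this* topic must be a grant. Consent for
        subject X gives no right to email about subject Y."""
        rec = self._contacts.get(email)
        if rec is None or not rec.confirmed:
            return False
        events = [e for e in rec.consent_log if e.topic == topic]
        return bool(events) and events[-1].granted

    def consent_history(self, email: str) -> List[ConsentEvent]:
        return list(self._contacts[email].consent_log)

    def subject_access_export(self, email: str) -> str:
        """Everything held on the contact, including how and when consent was given,
        as JSON for answering a data request within the deadline."""
        return json.dumps(asdict(self._contacts[email]), indent=2)

    def erase(self, email: str) -> bool:
        """Delete the record once the purpose is fulfilled or on request."""
        return self._contacts.pop(email, None) is not None


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample submission: the visitor ticked the (initially unticked) box.
    ledger.capture_form("ann@example.com", {"name": "Ann"}, "ebook-x", True, "landing-page:/ebook-x")
    ledger.confirm_double_opt_in("ann@example.com", "ebook-x")
    print(ledger.may_email("ann@example.com", "ebook-x"))   # True: confirmed, topic matches
    print(ledger.may_email("ann@example.com", "topic-y"))   # False: no consent for Y
    print(ledger.subject_access_export("ann@example.com"))
```

The important design choice is that `may_email` checks the latest event for the specific topic rather than a single global “subscribed” flag, which is what enforces the eBook-on-X / no-emails-on-Y rule from the list above, and that withdrawals are appended to the log rather than deleting the earlier grant, so the record of how consent was originally given survives a data request.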
You’ve got fewer than 10 months (from the time this post was published - July 2017) to get this task done, so my advice would be to get going rather than putting it off.
Looking for a system which can handle your GDPR compliance needs and make it easy? The HubSpot Marketing Platform and the HubSpot CMS are ideal; compare the HubSpot CMS against Wordpress and more below...