At our recent HubSpot User Group in Manchester, which covered account-based marketing and the latest on GDPR legislation, Nikita Smits-Jørgensen, co-founder of BusinessBrew, came to talk about how the latter will change the way organisations approach data privacy. Here are the key takeaways you need to know about.

Manchester HUG Feb 2018


The General Data Protection Regulation (GDPR) was adopted in April 2016 and applies from 25th May 2018. Built around a person's reasonable expectation of privacy, it strengthens the conditions under which a consumer's consent to use their personal information is valid and changes the way data privacy has to be approached. The full video transcript is included at the end of this post. The key points Nikita brought up were:

Privacy Starts With PR

Nikita opened with the warning from The New Digital Age that the internet is turning into a huge, permanent database containing all of your information. That information is easily accessed by companies and individuals, some of whom may abuse it. That's why Nikita stressed that it is worth occasionally swapping your marketing hat for your consumer hat and thinking about how it feels that organisations are gathering your data and using it to make decisions about how they treat you.

Privacy should always start with PR. Be open with your consumers about how you're gathering their data, what data you're gathering and what you plan to do with it. GDPR requires that this is communicated clearly and in plain language, and a privacy notice that is chock-full of confusing legal jargon can itself get you into trouble.

GDPR Covers All EU Countries

Privacy laws and rules have been in force for a while; this is nothing new. Under the previous framework, though, the EU issued a directive and every member state transposed it into its own national law. Marketers who offered products and services to people outside their own country had to weave in and out of the various national versions to stay compliant, and then consider local legislation on top of that.

GDPR erases that issue. It is a regulation rather than a directive, so it is one blanket law that applies directly in every EU country without national transposition (member states can still add some derogations, such as the age at which a child can give consent, but the core rules are the same everywhere). If your organisation is outside the EU, GDPR still applies if you offer goods or services to, or monitor the behaviour of, people in the EU. That means you no longer need to work through legislation in languages you don't speak, nor worry about how consumers in different countries are allowed to engage with you. It's one law for everyone.

But what if you're a tiny company? Will there be an exception? There is no small-business exemption from GDPR itself: it applies to anyone processing personal data wholly or partly by automated means, or as part of a filing system, which in practice is every business. As Nikita explained at the talk, there may be loopholes in what you can do with that data, but the main thing to consider is whether it feels right for you to be doing what you're doing. Laws are rarely black and white, and with this one there is certainly some grey.

When it comes to marketing, you need to think about ethics. If it feels right, document it in your internal privacy policy and have that answer ready if someone asks for it. If it feels wrong and you feel uncomfortable, it's likely to be wrong. So, always keep that in mind. 

Processing Data Must Be Lawful, Fair and Transparent

Have you ever quickly skim-read a form and ticked a box which you thought opted you out of marketing emails, only to receive them anyway? Chances are, some of your database is made up of people like that, and they are dead-end contacts: they're unlikely ever to engage with your content, so they are a waste of your inbound marketing effort.

Article 5 of GDPR requires that processing of personal data is always lawful, fair and transparent. Companies cannot hide clauses in the small print or use confusing phrases, and a pre-ticked box does not count as consent at all. It must all be readable and understandable by the people in the age group you're targeting; if you market to children, that means either verifying that a parent is consenting or writing for that age.

Never collect more data than you need, and only ever use it for the purpose you originally collected it for. If a customer's contract with you is over, don't just carry on emailing them. Not only are you giving yourself more data to process and wasting time contacting people who are probably no longer interested; ask yourself whether it feels right.

Consent Should Only Be Your Emergency Line

It's not just about getting that consent box ticked. GDPR gives six lawful bases for processing (Article 6): consent, contract, legal obligation, vital interests, public task and legitimate interests. Consent should be your emergency line, the basis you fall back on when none of the others fits, because it can be withdrawn at any time (for example, if you annoy a customer with too many emails and they unsubscribe), and once it is withdrawn you have to cease processing and erase the data where nothing else justifies keeping it.

Consent can't be a forced part of a contract either; it has to be freely given. You can't make someone hand over personal information and accept your marketing emails just because they've become a customer. Again, it wouldn't feel right.

And when a contract has ended and someone is no longer a customer, the contractual basis has gone: you need another lawful basis or you must stop processing their data. A good marketer would then try to move the former customer towards consent, for example by sending them to a landing page where they can opt in. It's about actively asking for consent, but never relying on it as the be-all and end-all.

So Now It's Time to Take Your Inbound Marketing Efforts Further

Now that you understand GDPR and how it will change the way you approach and handle consumer data, it's time to take your marketing strategy further. It's important that you're using the right marketing automation platform for you and your business. There are various solutions you can choose, but to help you out, we've pitted four of the most popular against each other so you can pick the one that suits your business needs the most. 



The Transcript

- Alright, so I don't think I have to introduce the topic per se, but I do have a question. Who of you here is absolutely very, very unhappy about GDPR and the consequences that it has for your marketing? Alright, that's a good start. Who doesn't really know enough or hasn't really investigated enough to know what to think of it?


- [Audience Member] Honestly I am.


- That's fair enough. And who's actually excited about it for marketing? Alright, I feel like we have a different conversation when I have more sales people in the room, but I feel like marketers are trying to, are getting on board.


As I said, I'm not a legal specialist, I'm a marketer. I run a small agency together with another ex-HubSpotter. We used to work with Olivia. And we realised about a year ago that you can't do marketing without actually understanding GDPR, privacy, and data protection. So we started researching this, and we got certified on the topic, in order to talk about it.


I don't know if you know this excerpt from the New Digital Age, it's been around for a while. But what it basically says is, the internet will become a permanent database with all of your information. You can say you have nothing to hide, but there is a ton of information on you out there, and companies there can use this. And you can go into a very far-fetched Black Mirror scenario and think how big evil corporations can actually abuse that information.


So when we're talking about GDPR, sometimes take off your marketing hat and put on your consumer hat. And think about how it actually feels to you that a lot of these organisations are gathering data, or processing data and then using it to make decisions about how they treat you.


The very most important thing about getting to work with GDPR is, it's a bit cheesy, but privacy starts with PR. It's very, very, very important to openly communicate to your audiences about what you're doing, how are you gathering data, what data are you actually gathering on them, and what do you plan to do with it. It's actually a requirement in GDPR to clearly communicate to your audience, you can for example, get in trouble over having a privacy notice on your website that is legal mumbo jumbo and that no normal human being actually can read. So privacy starts with PR, really think about how you're communicating to your audience about this.


I don't know, has anyone here actually read the legislation? Alright, a few. If you read the legislation, and I do recommend, look into it after today, it helps when you have a bit of context, but a lot of it is not exactly black and white. There is a bit of grey scale. And when you start looking at the right to privacy, versus, there's actually six legal grounds for you to process someone's data, we don't only have consent, consent is one of them.


There's often a balance between your rights in light of those legal grounds, and the right that an individual has to privacy. When it comes to marketing, I think, if you think about standing up in front of the teacher and explaining what you're doing, if it feels slightly uncomfortable and if it feels wrong, it's likely wrong, keep that in mind.


There are a few terms that come up a lot. Data subjects, data controllers, processors, and the supervisory authority, or the data protection authority. The data subject, that's all of you, any individual whose data is being processed. The controller, that is the organisation you work for, or the organisation who makes decisions about how to process and treat data. A processor is anyone that works with you. So if you, for example, would be working with Digital 22, they are likely a processor on your behalf.


If they, however, get access to your data, and then not only implement the campaign but actually decide what they're going to do with the data, how they collect data, and they start making decisions on this, they become a joint controller. Which means that your joint controller has a lot more responsibilities.


It's important to think about what you do in your day to day. Are you actually a processor of someone else's data? Are you a joint controller? So what are the responsibilities you have to the people you work with? And then finally, we have the data protection authorities. You have one of these in each and every country. The one here in the UK's actually really, really good, in providing good content, answering questions, providing templates on how to tackle certain things.


And that's part of their job. They're of course here to hand out fines, to reinforce any kind of limitations they might want to submit to your processing, but they're also here to talk to you about potential risky processes that you might actually have in the business, answer you and let you know whether or not it's okay.


But really look into the ICO, they have a ton of great content.


First of all, and I think this is something that most marketers can like, I hear a sigh of relief, previously, and this definitely came up when I was still at HubSpot, there was a, there have been privacy rules and laws for a long time. This is nothing new.


But what happened is that there was a European guideline, and every single European country made their own privacy laws. So what it boiled down to, is okay, how do they do it in Germany, and what are the most strict German rules, and who are our most annoying German customers who will actually make noise about this, because that's what tends to happen.


And then we decided, do we have to stick with local legislation? Do we need to make sure that we comply with German law? Like, what do we need to do? That's no longer an issue and like, is there anyone here who only markets to people in one country? Or are you all marketing across borders?


Got some nods.


Alright, so you no longer have to worry about understanding legislation that is written in a language you don't speak, you no longer have to worry about how different customers would engage with you because there is one piece of legislation across Europe.


The very first question most people have is, does GDPR apply to what I do? Is anyone here in doubt about whether what they do, like, means that GDPR applies to them? I like, you guys have done your homework, I like this. Yeah.


- I've got one person I'm dealing with who's a telemarketing company. And they've said not to worry, GDPR doesn't apply to us 'cause we're a tiny marketing company, and we've got an exception in that. And I'm like, are you really sure of that? If it's something so forceful, 'cause it sounded like it's designed for them.


- So the question is, you're working with this telemarketing company and they think GDPR doesn't apply to them.


- [Audience Member] It applies to a certain extent, but they're still allowed to hold lists on data subjects.


- Right.


- [Audience Member] And they don't have to really request permissions to hold that were mentioned.


- Alright, well we can look at the legal basis you might have for processing data, and then what you can actually do with that data. There might be certain things that they can do, because there is one that's a bit creative, but it does come with some limitations.


However, if you are based somewhere where European law applies, or you target European citizens, assume that you have to comply with GDPR. That's a territorial scope, but then the material scope, if you're processing personal data, wholly or partly by automated means, that would be anyone, so I assume that a telemarketing company processes data partially by automated means, or you have personal data which forms part of a filing system.


Now a Rolodex or a filing system where you keep papers is a filing system. So it applies to every single business. Then what you do with it is of course the next question. You still, people will say that we don't have to be compliant, that's not really the case.


They might want to comfort you and tell you that they can still do your outbound calls, but they still need to think about how they actually gather consent, when consent is required, they need to make sure that they provide people with access if they have questions on their data, your data subjects have the right to rectification, so if you're processing data which is incorrect, you have to be able to fix it.


If the data subject provides you with information and this one is mainly built for software providers such as, perhaps, HubSpot. Such as, Spotify. You're not allowed to lock people in, if someone says okay, I put in data, I created playlists, I now want to go over to Deezer, so give me my playlist. The companies actually have to comply. So it's no longer that easy for cloud providers to lock their customers in, and then finally you have a right to be forgotten.


That is basically either stop processing my data, up until remove all the data you have on me. It's not an absolute right, so this comes with conditions. First of all, if you're processing data based on consent, you have to comply.


So of the six legal reasons you have to process data, consent is sort of like your emergency line. Because consent can be withdrawn, and if you base your entire business around consent, it's very easy for your data subjects to say okay I'm out, I'm not doing this anymore.


The request is only valid if you don't need the data anymore for the original reason you were processing it, and whatever happens it's very important that you actually handle these requests very quickly, because you might have to pause processing while you treat the requests.


So make sure that it's very easy for people to reach out to you, you use your workflows, use the landing page, you make sure that that form always is sent to someone who will look at it right away. So you don't get in trouble and you don't accidentally break a law while you're considering dealing with the question.


Data breaches are something to think about, and before I really got into this, I thought a data breach is if I, you know, leave my unlocked laptop and someone has access to it. Or if I leave something that's printed, I have a guest list for an event, and I have names, email addresses, phone numbers on it, and I leave that behind.


But a fire in your building or a break in, is actually also accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data. So when this happens, for example, your call centre, they are a processor on your behalf. Within 72 hours, they will have to tell you that potentially someone has had access to your data. It then means that you are required to call the ICO and say this happened to my data, I don't think anyone had access, so the consequences for my data subjects are limited, what do we do?


I don't think I have to talk about the fines, I think everyone who has seen the word GDPR has seen this list, but what is important is to think about what you can do to mitigate the consequences.


You don't get a 20 million fine if you are not responding to data access requests within 30 days. It's not that bad. You can do a lot to mitigate the consequences, and part of that is actually documenting that you have your team educated on the topic, that you practise privacy by design, that you clearly communicate to your audience what's happening with their data and why and how. That's actually a good one. The supervisory authority.


As a European citizen, I can decide which supervisory authority or data protection authority I deal with. So I'm Dutch, I live in Denmark, and I'm currently in the UK. Say, I want to complain about, did anyone connect to the wifi when they came in here? They collect personal information when you use the wifi, as well as information on the device you're using, how you use the wifi, the owner of the venue you're visiting will also have access to this data.


We will then communicate to you marketing messages and offers via email and SMS. By signing up to the wifi you agree to be contacted by them and us. I don't think that's entirely compliant with GDPR, so say I want to complain about that, I could choose to do that in the Netherlands, because I find it convenient to do so in my native language.


Actually they have open office hours, no clue whether they do that in Copenhagen where I live, so I might do it there, or I write the ICO because it's convenient to do so in English. It's then up to the data protection authority to deal with the local data protection authority, where I don't know where these guys are headquartered, where they are based, but it's up to the data protection authority to then deal with them.


And I as a citizen only have to deal with the protection authority that I choose. Which is very convenient, and which is one of the reasons that a lot of people think that GDPR is different because citizens are actually aware of it.


I don't know what it's like over here, but the Dutch radio has public awareness commercials explaining GDPR to people, and telling them what their rights are. This popped up the other day and I was very, very surprised. On the, yep, go ahead!


- Will that be impacted by Brexit for that, say obviously between how the EU is and how the bias--


- I have heard, the question is the impact of Brexit. If we go all the way back to the territorial scope, one of the options is if you target EU citizens, so if you would by any chance sell to an EU citizen that lives in the UK, if you target people who live in Europe, it would still apply, and apart from that, we've heard the line the UK will have a GDPR lookalike when Brexit comes through. So, don't get your hopes up, is the answer.


The question is, I don't know if anyone's in doubt about whether or not you need a DPO, a data protection officer in the organisation. It's fairly straight forward.


If you have more than 250 employees, or if your core activity, so if you're a one person startup, and your core activity is monitoring or processing personal data, you need a DPO. So it's not that many businesses that apply to it, like 250 is a decent amount.


If you don't require a DPO however, it's a very good idea to nominate one person who actually keeps an eye on privacy and how it's dealt with. Just think about all the departments that have to be compliant, that have to think through this, all the questions you're going to get from your customers, it would be very, very convenient if you can direct that to one person or one department that actually has answers.


Now, the definition of personal data is quite important, because you need to know whether or not you are processing personal data. Any information relating to an identified or identifiable natural person. So that's obviously a name, an email address, a phone number, it could be an IP address, it can be a company registration number, if that's for example a sole trader.


But in the context of this room, it can also be the woman with the pink jacket. There's only one of them here, we can identify Olivia, so the woman with the pink jacket, is personal data. It's very important to consider the context of your processing.


When I was learning about GDPR, I was in a room with some people who worked with farmers. And when this came up, they asked, is the identification number on a cow personal data? And everyone was sort of laughing because it seemed kind of ridiculous, right?


Well, they work in the Netherlands, in the Netherlands, most farmers are sole traders. So the ID number on the cow can actually be linked to a particular farmer. And I guess you can get all kinds of information about the farm, so it could even have some serious consequences if you share that data. So yeah, the answer is yes. The ID number on the cow is personal data.


I had never considered that something like that could be personal data before I started looking into this. The context of processing, it's very interesting. Because you might think, oh, my department, we only gather this information, and it's not that relevant. We anonymise our SurveyMonkey results, for example, so that's fine.


And then you go like, well, do you gather IP addresses in that SurveyMonkey? Yeah, you do. Do you know that you are typically targeting companies that have one head of marketing? And are you asking the head of marketing to fill in the survey?


All of a sudden, all of the information you gather there, is information that is person, person, and data, that can identify a single person. So, it might be someone else in your organisation, but it also might be one of your processors. So you think you gather data which is not personal data, you work with a processor, one plus one equals two, and all of the sudden you're processing personal data. Does that make sense?


So, whenever you're in doubt, just break it down, any information. Information that's collected or meant to be collected.


Think about the relationship, the purpose, and the impact on privacy rights of these individuals, whether you can single out a person, woman in a pink jacket, and taking into account, it means reasonably likely by the controller or the processor in order to identify a person, and then it has to be a living person, or certain forms of corporation. Which on a European scale gets a bit complicated, because I don't know about you, but I don't know what these are in every single European country.


Something that I get asked a lot. So we're not to use automation anymore, or we can't use automated decision making anymore. It is right that personal data, that as soon as it gets partially automatically processed, GDPR applies, but it's important that, GDPR doesn't mean you can't do your job anymore, it doesn't mean that you are not allowed to process this data anymore. You want to just think about how you do it and why you do it.


So a few questions. Does GDPR apply to this picture? And why? Yeah, well there is personal data, and obviously you can identify a person. But if anyone of you hands me your business card, and I stick it in my pocket, it's not yet, GDPR doesn't get applied, because it's not part of an automated system.


However, if I sit in the airport tonight and I take some pictures of all of your business cards so I can send you the checklist I promised, or I can answer a question you might have, all of a sudden I have those pictures on my camera roll on my phone, and that is an automated filing system, because it's organised.


So just a business card in itself, if I put it in my pocket and I don't pay attention when I leave the building and I drop it, it's fine, it's not a data breach. If I then however lose my phone with the pictures of your business cards on it, it's a data breach because I leaked your information.


Does it apply to my notebook? Yes, no, maybe? I see a lot of heads going like this. It does. Because if we look back at this bit, “data that are intended to form part of a filing system”. I'm taking meeting notes and in the notes is personal data about a company I'm meeting, and after my meeting I will put that data into my CRM system. So even though it's not an automated system, it's just my silly notebook, GDPR applies.


Does GDPR apply to this photo? Maybe, maybe. It does. It's actually, it's biometric data, which is a special category of data which should be treated with a bit more respect, there's an entire article speaking about how to treat biometric data, but in this case it's a photograph of one of our ex colleagues, Noemi. And I find that photograph in the HubSpot CRM system.


It is, it's easy for me to identify a person, because everyone has access to Google, and we can do a reverse image search, and then I'll find out that this is Noemi who works at HubSpot.


Someone actually had a question about this the other day because biometric data, a picture of a face, so is sensitive data, you have to think about what you do with it, you need explicit consent.


So I was in a workshop last week, and someone asked me, like, what do we do? Should we be doing that? Can we use HubSpot, and if they pull in those photographs, is that okay? I didn't know. So we reached out to HubSpot support, HubSpot support didn't have a clear answer for us, because we asked can we then turn it off, if we're not sure, can we then just please not process that data? Which we currently can't.


So I went back to the legislation, and what it actually says is you have an exception here, part of article nine says you're not supposed to process this data if you take extra measures, and if you don't get explicit consent, unless this data has been made public by the data subject.


Since we're pulling in photos from social media profiles, it doesn't specifically say social media profiles are okay, but we can all assume that you know that if you put a photo on any of your social media profiles, you make that data public. So again, not legal advice, but I think this is okay.


- [Audience Member] How does that look, 'cause most social media profiles, you can say well I only wanna share it with select people that I agree with, say on like, your Instagram for example--


- Yeah.


- [Audience Member] You can say, my account's private. And social requests that, and then you can accept that, so how is that? It sounds like they're all the same, or because that pro is out there, so you give it consent for that--


- I don't, well, I think that's how a lot of the social media providers like to think about it, but unless you make it explicitly, you explicitly make it public, you shouldn't use it. So, if you build a scraping tool to get to someone's private Instagram to Instagram photos or, and I'm sure none of you have ever, in this room, have ever done this, but you work at a startup, and someone says oh, well just build a scraping tool, and we get email addresses from LinkedIn. Don't do that, that's not something that someone has made publicly available, so don't.


- Usually all the social media channels have this particular bit, which is the public information.


- Yeah, exactly.


- Even if you just--


- You know, there is a photo and there is a name, usually not much more, then you agree that this bit is public to everybody, even if your account is private. Make claims to your, with your friends. There is a public part in Instagram, in Facebook, in LinkedIn, at least.


- Yeah, definitely. And so I think what will happen is that more and more individuals will become more aware of the information that they make publicly available. I also think that the big social media networks are the first ones who will get sued and fined under GDPR and I assume, I hope, they change some of their practices.


I was in Dublin airport yesterday and Facebook takes ads out in those old-fashioned paper ads in the airport that says, you control your privacy settings and how we use your data. I was a bit sceptical, but at least, there is a conversation on the topic starting.


Important to know is processing is anything you do with personal data. So if you say, oh but I have the list lying around, but I'm not emailing them so it's fine, GDPR doesn't apply. Collecting, recording, storing, sharing, using, erasing, all of that is processing.


Now we're getting to the two most important parts of what I wanted to explain to you today.


First of all, if you do not want to read the legislation, which I get, it's not very riveting to read, read article five, because article five talks about the processing principles. Processing has to be lawful, fair, and transparent. So no more hiding in like small print, pre-checked boxes that are hard to find, it has to be readable, understandable by your audience.


So if you market to kids, either verify that it's parent consenting, or make sure that it's understandable for the people in the age you're targeting. It has to be lawful, so if you say, oh, everyone who works here, we're entitled to share your pictures on social media, that's not entirely legal, you will need to actually, you can't put that in the employment contract, you need to make sure that you get separate consent for something like that.


Limit processing to the original purpose. And we're going to get into the six reasons for which you can process data. But say, oh, I'm processing someone's data because they're a customer, and they have a contract with us, the contract's over, so you don't have a reason to process data anymore, so is there another way I can argue that I can process this data and can I still email these people? That sort of creativity, not really okay. Don't collect more data than you need.


So these guys for the wifi, in order to provide me a service, do they really need to see what websites I visit on the wifi? They could also just block the websites they don't want visited on their premises. They don't actually have to analyse what I do all day. Something like that is fine, like in most countries, in most places.


If you live in a less democratic place, and the government would like to know who visits liberal media, for example, something like that can have serious consequences. So part of the legislation is here, to make sure that organisations and governments can't abuse that data and can't use it against you.


Don't collect more data than you need. Who has open form fields on their website? And who actually reviews what comes in and decides whether or not you should keep that data? Okay, so I see a few people going like, maybe I should, yeah.


So you might be processing data that you don't want to process. One example is we talked to a bank about GDPR yesterday, and they say yeah, like our support team struggles, because people share all kinds of financial data, credit card details on Twitter when we provide support. Like, all of a sudden we're processing data that we don't want to process.


A silly example, you ask feedback on your product, oh yeah, I couldn't use the TV because the buttons on the remote are too small, and I have arthritis so I didn't like that. You're processing someone's medical data, not okay, that comes with a whole other set of requirements.


So when you have open form fields, when you use them in marketing and they're convenient in your bottom-of-funnel forms, you might have a contact form that hopefully someone, once in a blue moon, will fill in. Review that, and make sure that if you accidentally process data that you shouldn't be processing, you delete it. Only keep data as long as you need it.


So when we talk GDPR and marketing, a lot of it comes down to being a good marketer and practising proper email marketing. Who knows by how much an email list will depreciate year on year?


- [Audience Member] 25%.


- Thank you, thank you! I think I learned this at the same place as you did. But yeah, there is a stat out there that you lose about 25% of people: people move jobs, people leave the company, people get married, change their last name. So, old lists, and people say, oh, I have a database of 20,000 contacts, 20,000 leads. Do you really?


It's unlikely that all of them are still valid and valuable. But on the other hand, if you process data, so you decide, okay, we have a process here and we're gathering leads, GDPR actually says you need to figure out how long you should keep that data.


So my sales process on average takes nine months. And when someone comes back, they actually expect that I still have the data that they provided. You're all annoyed when you come back and you have to fill in a form again, or you get on the phone with someone and you have to explain your situation again, what you want from them, again.


So okay, I decide that I keep data on leads for 12 months, because that's quite reasonable: the average sales process takes nine months, so for my leads I keep the data for this long. My customers, however: local tax authorities need me to keep data around for X amount of years. Okay, so certain data on my customers I keep for a longer time.


Nowhere in GDPR does it state how long you can keep data, but again, you have to be able to stand up in front of the teacher and say, data on leads I keep for a year because of this. Like, if it feels right, if you can explain it, great. Document it in your internal privacy policy, and have that answer ready when someone asks.


This seems like an obvious one, but keep the data secure, whether you're a controller or a processor. Make sure you don't share it with unauthorised persons. Make sure that you don't share it with people who are based in a country where GDPR doesn't apply, so people might not be aware, and they're not compliant. There are all kinds of safeguards you can take for that. Make sure that there are passwords on your company laptops, silly things like that.


And then finally, the accountability principle. So, you'll know about these PR scandals, like Uber was a recent one, where, oh, we leaked the data of I don't know how many people, and yeah, we didn't tell you about it, it was a year and a half ago, it's all fixed now, and we're sorry.


“I don't know” is not a good excuse if the ICO comes knocking and wants to talk to you about what you're doing. You need to take responsibility, demonstrate how you're compliant, and then educate everyone you work with. So everyone knows.


And then the final bit of information that I want to go into is: choose the one that is your legitimate basis for processing personal data. There are six of them, four of them are relevant for marketing, and you stay in your lane.


You cannot say, oh you know what? Maybe the other one is more convenient because I have more freedom and I can do more with the data, so I'm now going to go left and I'm gonna choose that lane. Not okay.


Also, when you decide how to treat your data, so when you sit down and create a data process inventory, which you should be doing, think about what the legal basis is. So someone is a customer; what is my legal basis for processing their data? In that case it would be fulfilment of a contract.


So you have six. Vital interest: it doesn't happen often, I think, when you're a marketer, that you need to process data because someone's passed out on the floor and can't give you an answer. What we do is very important, but not that important.


Public interest, the same. I don't think it will happen very often that you need to process data in order to prevent a disease outbreak, unless you work at a National Disease Control Centre, then absolutely, happy days, you can use that one. No one here works there today? Alright, good.


So consent is the one we mainly hear about when we're talking GDPR. So everyone's like, just get that tick box done, make sure that we get consent, and we're all good, happy days, we can spam them indefinitely. Not really.


First of all, consent is your emergency line. Only use it when none of the others work, because consent can be withdrawn, and then you have to remove the data, or you need to stop processing. It's important that consent can't be a forced part of a contract. So you can't say, because you're now my customer, you will have to receive my marketing emails indefinitely. Not how it works.


So, contractual necessity. This one's quite nice. So if you have a contract with someone, and for anyone who offers a freemium service, money has to actually exchange hands. So if you sign up for one of HubSpot's free products, you might sign the terms and conditions, but that doesn't mean that they're entitled to just process your data and contact you, because money hasn't exchanged hands.


If you need to process data in order to fulfil steps to get to a contract, so you need to do a background check or credit check in order to create a contract with someone, you can process data. And as I just said, you need to decide how long you, for example, keep data.


So when your contract ends, people are no longer a customer, your legitimate basis is gone, and you might not be able to process data. Hopefully you then re-check with them, like, oh, you know what? Here's some good information on how you move off our platform; it's a landing page, there is a checkbox, and opt in to our marketing details. Any good marketer will hopefully end the relationship with the customer like that.


So when it ends, you go back to consent, and you actively ask for consent.


Legal obligation: not really likely, unless you want to talk about, for example, local tax authorities requiring me to keep data. So I need to keep data on certain data subjects. And then the last one, and this is where eyes typically start to sparkle: legitimate interests, and this is the legitimate interest of you as a business.


Now, when I talk to privacy consultants and people who are very, very passionate about that, they say, oh well, you need consent and you can't market to me anymore, and those emails, and let's talk about account based marketing now. Yeah, you can't do that.


Legitimate interest: the continuation of a business is a legitimate interest. So as a sales rep, if, for example, my email address is publicly available on my website, on my LinkedIn profile, because I actually want to hear from people, and someone reaches out to me and says, I saw this, we have this service, it might be really interesting for you, I think that's why I get a nice personalised email. I think that's fine. There's nowhere in GDPR that says that's not allowed.


If you would then take my email address... A good example: last week I actually sent an angry email back as I was coming off a plane. Someone had clearly scraped information from my Twitter account: Hi Nikita Smits, prior to your latest tweet, with a very long, ugly link to the tweet, you were talking about GDPR, we have created some great content on GDPR. Click. Spam, not interested.


A day later I get another email; third day, I get another email; I've been hitting spam. At some point I decide to reply, and it's like, really, dude, you're emailing me about GDPR, and you're spamming me with data you took from... do you really think this counts?


So there are limits to legitimate interest. Don't take that email address and drop it in a marketing database. Please don't. If you send that initial email and someone says, hey, stop contacting me, or it gets filed as a spam email, just stop, please don't do it. Does anyone have a question? A scenario that you would talk about in these? Yeah.


- So for a client, they want to do a referral programme, where, like, an individual refers others to their service, the individual with the others about the service, the individual will get the monetary reward, and the personal service as well.


So if I, for example, were to go in first with the others, I would have to provide the information, that personal data, so there's a legitimate interest for the business, there's a legitimate interest for myself to refer over. There's potentially a legitimate interest for the person being referred, so my line of thinking is that if we purely use their email address, for example, to facilitate the referral, and we delete their email address, there's minimal impact on their interest and it's only one email. Is that okay? Or is that somewhere where they really shouldn't do this?


- [Nikita] What do you think? Does it feel okay?


- [Audience Member] Yeah.


- Yeah. I think if you actually do it that way, if you send one personal follow-up email, like, hey, your buddy so-and-so sent us an email, they think you're interested, are you interested? If so, go here, engage with our content, fill in the landing page, and ask for consent at that point. I think that's okay.


- [Audience Member] So you're good with that?


- No, no, disclaimer: I'm a marketer, not a lawyer! I do not give legal advice, none of this can be used as legal advice, and BusinessBrew cannot be held liable. I have to put that slide back in; I had it in, I took it out, but I'll put it back in. But think about how you do it.


Another way, to be completely safe, is just to have that person who was interested in referring his or her friends send that email on; don't even process that data. Why would you get into sort of a greyer, murkier area if you don't have to?


- [Audience Member] Yeah, I mean, I 100% see your point. As I think, from the client's perspective, say you ask their current customers to go and email out there, that is gonna have less of a success rate. Having said in an email, disable your engage, provide your email address and we'll do the rest, just send this one email.


- I don't know, how would you respond to that? Respond to an email from a person or company you don't know, or from your friend who says, hey, I used these guys, they're great, also I get like a refund, so just use them.


- [Audience Member] Yeah I mean it would be emailed to the person who's being referred, would have your paid such and such, that's who referred you. Even personally, if somebody just said, I'm gonna refer you to something, site the original address, and then they'd go off, and you should get the email, says it's If somebody says, this is really good, can you go ahead and send an email? Yeah, I can--


- Well, you're not really supposed to share other people's personal data with third parties. I don't know how this works as an individual. So if you use something in a purely household situation, GDPR doesn't apply. But I wouldn't dare to answer whether or not you have limitations under GDPR if you, in a personal household situation, share someone's personal data with another organisation. I'm not sure.


- [Audience Member] Okay, so that's the grey area, okay.


- I think so, yeah.


- [Audience Member] Yeah, absolutely. As a consumer, I've had the experience: I wanted to recommend something to my friends, the Gusto app, with me talking about it, they were interested in it. But they certainly don't, going through the greeting, in a secure way, so I have to go and collect the sort of code from my app, and then me personally have to send it to my friends, and they will then have to use that code when they themselves get into contact with the company.


- Yeah, I think it's the most common way of doing it. As a marketer, I would always--


- [Audience Member] It requires a lot of effort from me; I must be very excited to recommend it.


- Yes, I think as a marketer I would choose that route, 'cause I think an email from you is gonna be 10 times more effective than an email from me. So with some of these, don't think too much about GDPR and compliance, just do good marketing. It's that simple. Someone else had a scenario?


- Yeah, say, you mentioned it before a little bit, about using a scraping tool. So if we say, well, I can ensure that answer, it might be for a translator, for, like, a seminar like this, and get a lot of consents, and basically speak, you know, to try and engage with more propriety in industry. So, like, in a complex market you really, what we go to the fit to try and use to find that email or hook to the--


- [Nikita] Yeah.


- It's not being used on LinkedIn, and to try and get their email just to send an invitation. Would that then not be like?


- Yeah, there's nothing in GDPR that says you're not allowed to reach out to people on social media.


- [Audience Member] You mentioned the scraping tool, you mentioned something like that.


- I mentioned a scraping tool that gets email addresses that are not publicly available, and that you then gather.


- [Audience Member] Well could you send the message on and you could say, here's the link to the invitation.


- [Audience Member] Like, people go and check, don't generally check the LinkedIn emails, so we get that first, and you get, like, LinkedIn email, so you get, like, what, 15 or something? But if you're ordering one of these events, you might wanna send out all of your invitations to get where you need to be. So those emails are, what, four to five, so even if you are connected to someone, I would like connecting to someone who sends the message on LinkedIn, they haven't responded to the email I sent to them, or the email. So that's why, in terms of your success rate for getting the invitation previews back, to get the email address, you do something like fire back an email or--


- If you get the email from a source that's allowed to share it with you, happy days. If, for example, I don't think many of you consented to Rikki giving me all of your email addresses, so if I now would go tomorrow, hey Rikki, really great audience, well done on getting these people in the room, share the list with me so I can try to sell them something. No, can't do that, you shouldn't do that. I've said no to people who asked me after I had organised an event.


If, however, he had said, okay, actually both the speakers would like to share their slides with you afterwards, so this data will be shared with HubSpot and BusinessBrew, and you had actively consented to that, that would be okay.


So when you do these kinds of things, think about it beforehand. Like, ask the organisers, is this a co-marketing event? Or can I just, you know, put up my slides and do my very best to talk about the services we provide, and then hopefully you go back to my website and download a great GDPR checklist. Everyone, we have a great GDPR checklist for marketers. Like, you know, make sure that you talk to the event marketers, and actually see if you can set up an agreement, and beforehand get people to opt in, approve their okay. Again, if it feels--


- [Audience Member] Well, the trouble with it is the actual getting of the email address. Is that where the breach of GDPR is? Because you can't, if that's the first part that pops up, how are we able to say, do you consent to all this contact here?


- Yeah, you're not--


- [Audience Member] Would that be a contact breach?


- So you're not allowed to share data, so that would be unlawful access to data. Like, if Rikki tomorrow gives me all of your email addresses, that would be a data breach, because he is doing something that is not legal.


- [Audience Member] Would it be LinkedIn to that breach, or would a client?


- If someone at LinkedIn would give you the email addresses, I assume it's LinkedIn. If you build a scraping tool, then you're just wrong.


- [Audience Member] Well, if you use a scraping tool that you didn't build then--


- Okay--


- [Audience Member] It's not a scraping tool if you're not trying to find--


- You decide--


- [Audience Member] You're just trying to get an email address that's linked to that account.


- So the question is if you use a scraping tool that you didn't build, are you the controller or the processor in this case?


- [Audience Member] The processor.


- Are you deciding which email addresses you're gonna get? Yeah, I think so. You say, oh, I want to scrape, like, this batch of people, so you're the controller; you're completely responsible for what you're doing. Also, you shouldn't be working with that processor, because you're not allowed to work with processors who aren't GDPR compliant, as actually article 29 explains that you shouldn't do that.


So the same would go, and now I'm gonna maybe get into a fight with someone, but if your cloud service provider isn't compliant by May 25th, you can get out of your contract. Because under European law, you're not allowed to work with people who aren't compliant. The good news is this means that they all will be compliant, right? But no, just don't. Yeah.


- I think it's possibly it takes a decent quality of marketing, because a scraping bot, I've seen people with a page of code talking, an AI talking to people on LinkedIn, having conversations with a bot, they don't even realise it and then they're engaging. So it's between lever and adding value. When people don't wanna talk on LinkedIn to an AI or a person, that's their call.


- That's where it gets super complicated. So if you build a bot that uses AI to talk to people, and basically gets them to give the email address, does that feel wrong? Like, again, a lot of it is on a grey scale. Is this okay? And then, okay, if you were to do that, you get the email address, what would your legal... by the way, how are we on time? Because I can-- Okay, just cut me off when I need to stop asking questions. What is your legal basis? So you get that list of email addresses from your beautiful bot and they're great contacts; what is your legal basis for processing that information? Anyone?


- [Audience Member] So I was under the impression that, especially in a corporate B2B sense, if it's a good list and it's relevant, you could process that data and email them under legitimate interest. Is that not correct?


- Yeah, like, if you then email them, the distinction I like to make is: email them on a one-to-one basis, see if they engage. If they don't engage, then that balance of your reason to process someone's data and reach out to them versus their right to privacy kind of goes towards that end of the scale, so then just stop processing the data.


- [Audience Member] Yeah, but could you not do that through the examples where you're sending them a relevant event invitation, and you do that through HubSpot, use all the personalisation-type goods, make it relevant to them? Is that not, if it's done well, it's good marketing; the list, yeah, it's cold, but good lead-to-lead data?


- It's still a marketing email. When our customers ask us, we say just don't do that; try a personal email, if it doesn't work, stop, and don't put them into a marketing database. And it doesn't matter whether it's B2B or B2C, by the way. There is this beautiful line: you have GDPR, and then you have the PECR, which is the regulation around electronic communications, which will be updated this year, was supposed to be in line with GDPR, but they're a bit delayed for various reasons.


There is a final draft text available that you should actually look into, and somewhere in there it says you have dedicated marketing email addresses in B2B, and you can email those.


So a lot of people saw that, and they were like, as long as it's a B2B email address, I can just send whatever email I would like. No. You can send emails to marketing@, info@, share-your-spam@; that's not gonna do a lot of good anyway, so it doesn't really matter, just forget about it.


But otherwise, B2B, B2C, doesn't matter: it's personal data, it helps you identify. It is a B2B email address, but it clearly points to an identifiable person.


- [Audience Member] Okay, I thought, the privacy, there might have been an update since I last read it, but I thought it had been scaled back after people at the data staff had pushed back on that, saying this group's familiar impact. B2B marketing, is that not the case?


- I don't think the people who make these laws do it to make our jobs easier, but to protect European citizens, so I highly doubt it.


- [Audience Member] Sure. 'Cause I had a call with the ICO, and spoke to someone there, and I have had different conversations where people have said different things. Different calls about the same question. But--


- Grey area.


- [Audience Member] Yeah, but basically it's a lot more to protect, say, you know, someone receiving a call at nine PM trying to sell PPI, but then sending an email to someone trying to sell a B2B service as well.


- [Nikita] I'm personally not going to risk it, that's all I'll say. Yeah?


- Do we need to reconfirm our consent with the data that we learn from partners?


- So the question is, do you need to reconfirm your consent? Does your consent hold up against GDPR? Is it unambiguous, specific, freely given; there's a whole list. Are you actually specific? Was your privacy policy up to date with GDPR at the time of consenting? Like, how long ago did they consent, have they actually engaged with you since? Because GDPR doesn't say how long consent stays valid.


But it does say, assume that consent doesn't stay valid forever. So if I consented, if I downloaded one eBook, and then all of your emails for the past two years have gone straight to my trash folder, and I haven't been back to your website, can you argue that the consent is still valid?


So you have some time, right now, before May 25th, so use that time for re-engagement campaigns. Go into HubSpot, create your lists, see when people consented, set up some lead scoring, check how they've engaged with you since.


If they drop under a certain lead score, maybe get consent again. If it's been more than a period of time that you can argue, for your particular business, makes sense, then get consent again. If the consent wasn't really up to scratch with GDPR, then just get consent again. And re-engagement campaigns are good for your list anyway, so. Yeah.


- [Audience Member] In terms of getting your current list, how do we go about finding out whether HubSpot is fully GDPR compliant themselves? So, for example, their preference centre. The way the preference centre is currently built, it says un-tick the ones that you don't want to receive, whereas under GDPR it has to say tick the ones you want to receive. So currently they're saying come to our preference centre, pick the type of content that you want to receive, but they've got to do that on an un-tick basis; that's not compliant?


- So, if you would do that through your preference centre, then maybe it's not compliant. Then make sure that if people have filled in a consent before, for any content you send to them, make sure that that field isn't prefilled, so that people have to do it again on your actual consent tick box, and don't send them to your preference centre. I would use that if people are trying to unsubscribe. So do it the other way around. In general, if you're working with processors that are compliant, like, I know that HubSpot is working very hard on it--


- [Audience Member] Yeah, it's just figuring out the day when they're going to be. So I guess, like, if we have time to re-permission all that currently, I guess it's like, do we get to May 25th and actually all the hard work that we've been doing up to that day is actually not compliant anyway?


- Yeah, well, after the 25th of May you shouldn't use processors or any cloud providers who aren't compliant. So if you work with any companies that you know aren't compliant, and, you know, we're a two-man business, we're very tiny and we can yell at anyone, and they say okay, fine, take your business elsewhere.


If you work for a larger organisation, that conversation is easier to have with your account manager. Like, prepare: if you work with a small CRM system that you know won't be compliant, start researching alternatives now. It's not great news, but do that. And for your specific question with the preference centre, just do it for your landing page and make sure that they go through the consent tick box again.


- [Audience Member] And there's more updates, I think this next one for B and B build webinar.


- Yes.


- [Audience Member]


- There's gonna be a series, we're actually joining the marketing team for that.


- [Audience Member] Oh, great.


- Yeah.


- [Audience Member] When is it?


- The first one's gonna be in March with the legal counsel, and then there's gonna be one with Econsultancy, and then we're gonna look at some practical scenarios.


- [Audience Member] So you'll even see some changes from the initial one, so.


- Yeah.


- Just a quick question going back to business cards. If I were to give you my business card today, am I giving you consent to upload that into your CRM and process it? Or am I just kind of giving you consent to email me on a one-to-one basis?


- Consent, like, it has to be unambiguous, specific, and it's on me to actually prove that you have consented. So I can't prove that you gave that business card to me, or that I took it off the floor here. You haven't told me what you consented to or opted into, so I wouldn't use that. Like, the other day the question came up about a conference and a fishbowl with business cards; like, does it mean people have consented? Use an iPad with a landing page instead, please.


- [Audience Member] Could you put a tick box on your business card?


- Well, you laugh, but in theory, like, you can consent on a piece of paper. So if you get people to actually fill in a piece of paper and say yes, I hereby consent that such-and-such company can reach out to me with all their beautiful marketing offers, why not? You just create some admin hassle for yourself, because then you need to make sure that when you get audited, you can actually prove that this happened, when it happened, and how people have engaged with you after. So technically, I think so. Yeah.


- [Audience Member] Yeah, we have lots of existing customers, so we have lots of contractual necessity to stay in touch with them, but it's not all about their contracts and their deliveries; we are also sending them marketing emails, inviting them to events and to buy more, and whatever things. That's alright?


- Yeah, you can email customers about products that relate to the original purchase. So, if I come over to your offices and we do a workshop on GDPR, I'm not allowed to send you emails about our persona workshop, because, yeah, you can argue it's both marketing, but is it really related?


If you are a kitchen company, and you sell me a fridge, don't start sending me emails about cookers. You can send me information, maybe you could stretch and say, okay, a freezer or a warranty, or you can send me information on how to clean my fridge, but it has to be related to the original purchase. So in your organisation you actually want to go and have a look at what products are related.


Yesterday, when we were at the bank, we talked about, okay, we're in the corporate treasury department; some of the services that we do are all to help businesses get established in this country. So what sits in that box, and what can we reasonably argue is included? They might be slightly different services, but they all belong in the box of "we help your organisation get settled in this country".


We had this conversation with a software company, and they have a tonne of different options and services, but everything has to do with better content delivery online. So when you can reasonably argue that everything is like one product with different options and different services, yes. Fridges, cookers, no.


- [Audience Member] That's harsh.


- Sorry.


- [Audience Member] Sorry--


- Sir, the man in the back was first.


- [Audience Member] I thought so. Is there no one who would say that's quite a grey area? Because a fridge and a cooker are both white goods, they're both related; I have my fridge and my cooker in my kitchen, I might be rendering my kitchen and redecorating in there, I would be interested in purchasing, for example, a cooker and a fridge at the same time. And I find it difficult to see how you could say, well, these are financial services, let's put these in one box. It seems like--


- Well, financial services: we have a corporate account with these guys; they have no business emailing me about a personal mortgage, or about a personal credit card.


- [Audience Member] Yeah.


- So, grey area. I'm not going to tell you what it is, but decide it in your organisation, document it, put it in your privacy policy. Or ask the ICO.


- [Audience Member] Okay.


- Yeah.


- [Audience Member] Verbal consent: if I'm speaking to somebody and I say, we're probably going to email you again in the future, and they say yes, can I just tick a box on that contact list? Or do I need to record the time and date that they did it? Do I need to even record that verbal aspect? I'm not even gonna touch that audio file. Otherwise, every time I spoke to somebody, I could just say, yeah, they gave their consent, and they cannot prove otherwise--


- So how would you prove it? Because it's fine that they can't prove otherwise, but there is the accountability principle, and this is on you to prove that they have consented.


- [Audience Member] Then if someone, you know, has done that and has left the company, you can't prove--


- Exactly, so if you get--


- [Audience Member] We're back to forms going to someone--


- Yeah, well, if you get consent over the phone, use the CRM system, shameless HubSpot plug, you're welcome, and place a call from the CRM system, so it's automatically recorded. When you do that, by the way, do tell people that you're recording it, because a voice can be seen as biometric data, so give people the chance to not be recorded if they don't want to. You need to get explicit consent.


So technically you would need to do: click one if you're okay with this, click two if you don't wanna be recorded. But yes, otherwise, if you're in a LinkedIn conversation and someone says, oh yeah, great, no, I don't wanna fill in a form, but just send it to me, here's my email address, and you ask, so you're okay with receiving marketing information from us? Yes, I am. Take a screen grab and put it into your CRM system. But it's on you, and it's fine as long as you don't get audited, but when you get audited, make sure that you can actually prove that someone has consented.


Time for more questions?


- [Rikki] Probably got a few more minutes if anyone's got any.


- Alright, so really good questions now.


- [Audience Member] So on this, of how you'll actually sort your contacts. So obviously they are in actually very possible with details which obviously violates GDPR, what if it gets referred on by a colleague? Like, you've called reception, and you outline what you wanted to do with the details on the phone, even though it's not in person, you send them to that's getting concerned, I say here's the requirement, the details on our outline map, is that still kind of in line with GDPR?


- What do you want to do with the data?


- [Audience Member] So basically what the company actually does, is they get the information sent by a fellow colleague after researching the person they want to reach out to, so they got the receptionist. So a lot of people--


- Has the data subject made this information publicly available?


- [Audience Member] It depends, depends whether you're on LinkedIn or not.


- Well, I put my email address in my LinkedIn bio, and my LinkedIn bio is public, so in that case yes. If it's not, then you're already, your third party is giving you personal data, so then you want to wonder. Okay, maybe we can argue legitimate interest, so then what are you going to do with the data? Am I dumping them in a marketing database? Please don't. Am I sending a nice personal email and do I respect it if someone doesn't respond after a certain amount of emails and if someone says stop contacting me, am I actually deleting the data? I think you're better off.


- [Audience Member] Okay, so on the next of that, would you put a sentence where the people who did get referred on the and then built in to all this if you didn't respond at all to that email and you deleted the ECOM, is that kind of ethical, or unethical approach as such?


- Does it feel right or wrong?


- [Audience Member] It's not my question, I was relaying a question.


- Alright, I think it's okay.


- [Audience Member] Okay.


- Again, not legal advice.


- [Audience Member] Yeah, you're only a marketer.


- Exactly. Last question.


- [Audience Member] So, if somebody says I don't wanna receive communication from you anymore, do you unsubscribe them or do you delete them? Because if you delete them, then there's a chance if they get back into your database someway. So is a non-subscribe list where, even though you are still withholding their data, is that a legitimate interest of keeping that data? Because you're basically saying, I've got this list of people, I know they don't want to be contacted too, I'm going to exclude them from all my columns, however, I'm still keeping their data for the legitimate interest of stopping them from receiving it?


- [Nikita] Yeah, so what was your original lane? Why were you processing their data originally?


- [Audience Member] Maybe they're coming back to it, so they're coming inbound, they've downloaded a Whitepaper, say six months ago--


- So that's consent, okay, so then if someone says, unsubscribe me, unsubscribe them. If they ask you to delete their data, adhere to the request and delete their data. If your lane was contractual necessity, you can say I'm very sorry, I'll unsubscribe you, and you will stay in our database for an X amount of time more, because we have to keep your data for blah, blah, blah.


So always go like think about your original lane, you can't switch lanes, you can't say, oh you know, originally it was consent, but someone withdraws consent, so now legitimate interest might be a handy argument for me, you can't do that. It's not like you pick and choose your legitimate interest lane. You have one and you have to stick to it.


- [Audience Member] Just to clarify, so the lane you choose is not necessarily a code you lined what would say it's obviously based on the source of that data, am I right?


- It goes even further than that, it's with the particular process. So I might be an employee, so there is a contractual necessity for processing certain data, and that has certain consequences. I also really like the information from my marketing team, so I've opted in.


So another process. So the process is where you start, not the organisation, not the company.


I think I'll have to wrap up, I'm actually gonna be around, and I don't have a meeting until one o'clock, so I'm happy to answer questions after. We do have a tonne of content on our website, we have a great checklist that helps you go through certain of the things that you should be taking care of, and that are sort of in your realm as a marketer, because you have IT that needs to take care of things, you have legal that needs to take care of things, but marketers also have a very big responsibility here.


The content I shared today is part of an online course. So if you're interested, there is a 10% discount, if you use HUG Discount, so go ahead. Happy days!


- [Audience Member] Thank you very much!


- Alright.


