The EU's GDPR law requires compliance by 2018. Even with Brexit predicted to occur in 2019 or after, it can't be ignored.
Last month, I woke up in the blissful world of B2B marketing. I could create campaigns, upload my purchased data lists, segment them as appropriate and set up my lead nurturing series to send. Then it happened. That thud that resounded throughout my perfect little marketing world and shattered that blissful bubble. The judges hammer as the EU General Data Protection Regulation was put into force.
It has taken me a while to come to terms with what the EU GDPR means for my marketing. Below is an account from my marketing journal through this year, with the questions that kept me awake at night, and the answers I discovered along the way. I hope you find it useful!
29th April 2016
So, I've just heard about the EU GDPR. I know it's going to affect my B2B marketing data but I have no idea how. All I know that it all kicks in as of the 25th May 2018. According to my boss, I have until then to make sure all my data is double-opted in.
3rd May 2016
Ok, so I've done a bit more research on the EU GDPR today. I haven't read the law (who's going to read almost 300 pages of legal jargon?) but I found the summary information I needed. Essentially, our soft opt-out approach we've been using won't be good enough anymore. A one-tick box or marketing to data that hasn't unsubscribed is no longer going to be good enough. Arrrgh!
4th May 2016
What happens if I accidently market to data that doesn't meet this new opt-in requirement of the EU GDPR? Will I be penalised? Blacklisted? Fined? It's like campaign initiation fear but a thousand times worse right now.
Just done a bit more research. Turns out if I market to data that hasn't met the EU GDPR then my company could be fined up to €20 million or 4% of our annual turnover – whichever is the higher of the two. That’s a scary prospect. It has definitely upped the anti when it came to my initiation fear. I'm going to have to get a plan in place ASAP. It's this word 'provable', that my data opt-in process has to be 'provable' that has me worried right now...
5th May 2016
You know, last night I had a thought. Can I still market to my customers? I've come to the office first thing this morning and spoken to the boss. As far as he's aware, the GDPR will not be applicable to the legacy consent of customers. This means I'm going to have to get all customers to double opt-in just to be on the safe side.
Again, it's going to have to be provable, so I'm going to have to keep a record of the opt-in message they agree to. I know we're going to be adding the opt-in message to contracts and invoices moving forward. We'll keep the paper copies, but it will be worth having it electronically too. After all, we're going to have to keep a record of the opt-in consent forms for as long as they are a customer, so electronic records will be easier to keep.
6th May 2016
Just when I thought I had my head wrapped around all the EU GDPR changes, I get hit with this bombshell on a Friday: after 25th May 2018, all the opt-out data I have collected will be useless unless I get them opted-in in the new way. Yup, from 25th May 2018, I will not be able to market to any data that hasn't double opted-in. As if I didn't have enough on my plate, I now have this looming deadline!
Oh well, there is no point complaining. After all, if I don't do it I'll be left with NO DATA to market to, which means I can kiss my job in marketing goodbye. I've got two years to get my data to comply. The more I can get to double opt-in, the more I can market to come D-Day. Challenge accepted.
My three-step plan to start getting my marketing data to EU GDPR standards:
1. Start the opt-in process with my existing data
I need to sit down with the tech team and establish how we're going to create a system that will keep track of the opt-in consent forms. I imagine once a contact has filled out a form on our website, we'll be able to send them an email asking the contact to opt-in for further marketing communications. The call-to-action on the email will take them to a confirmation page where they can give their consent. I believe we'll need some kind of reCAPTCHA form to prove the contact is who they say they are too. I'll also need to get the legal team to check over the consent message. So much to do, so little time! I wish my marketing automation platform had this system already built in...
2. Purchase data lists now and work on opting in
Ok, so as soon as the EU GDPR comes into play, these purchase data lists are going to become pretty poor quality. That's why I'm going to buy the ones I need now – with my profile targets killer values and start thinking of ways to get them to opt-in.
The best way I can think of is to make my high-quality material on the website gated. You know, download the whitepaper once you've inputted your email address (oh and agreed to our opt-in message too!). I could even gate event content, so to get the slides from the day they have to opt-in to our communications. Yes, I think that would work.
3. Write a killer opt-in statement
One thing I'm going to have to do pretty sharpish is to write the opt-in statement. From what I can tell, sneaky consent messages that aren't clear and concise can come under just as much fire as no consent at all. So I need one that my legal team will approve, that encourages my data to opt-in and is as clear as possibly can be. No small task at all come to think of it...
23rd June 2016: BREXIT!
Hurray! The UK voted to leave the European Union. Surely this means that the EU GDPR changes don't apply to me anymore?!
Spoke with the boss: Turns out BREXIT doesn't change anything. Nothing comes into effect until Article 50 is triggered, and that could be at least a couple of years away. Plus, we still have to discuss the conditions of our leaving while maintaining certain trade agreements with the EU member states. Even after we leave, we'll still need to have at least an equivalent set of data protection regulations in place in order to keep trading with the EU. So it looks like we are going to have to play by the EU GDPR rules.
There goes my good mood today.
30th June 2016: Meeting with the boss
Today was another fun meeting day with the boss. Why, you ask? Well, as soon as I walked in he hit me with the question "Does the EU GDPR apply to cold calling?"
Truthfully, I hadn't even thought about it.
I was so concerned with my email marketing data, I didn't think of the affects the EU GDPR would have on the sales team. While calling is ok, I know it isn't as effective by itself. Our email marketing is the backbone of our lead nurturing. But he's right, I need to know whether the EU GDPR applies to all forms of our communications.
Thankfully, it turns out only email and SMS marketing messages are opt-in. The rest: calling, post mail and fax are all opt-out. Phew.
16th August 2016: Discussions about a Data Protection Officer
Another blinder of a question from the boss today. "Do we need to appoint a data protection officer?" I've only just come to terms with the final legislation...I would have no idea where to start when it came to hiring a data protection officer.
Luckily, only companies that are public authorities or where the core activities of the organisation require regular, systematic or large scales of data processing need to get a data protection officer.
I needn't have worried. Plus, the only requirement of the DPO's in the GDPR is that they have "expert knowledge of data protection law and practices." Boy, they must be in high-demand at the moment.
26th August 2016: 2am
I know, I know, I'm crazy for waking up thinking of the EU GDPR at 2am in the morning, but I need to write this down now so I don't forget it.
Surely – technically – all my contacts that have clicked on my email campaigns and become "warmed up" data over time count as opted-in data? Like a kind of soft opt-in. I'll look into it.
26th August 2016: 9.45am
Nope, my 2am brain was wrong. There are no grey areas where the EU GDPR are concerned. Soft opt-in doesn't count. Silence or activity doesn't count as consent. No matter how much data engages with my marketing communications, if they don't consent then I can't market to them. Essentially, I need all my data to turn around and say "YES, I WANT TO RECEIVE YOUR COMMUNICATIONS."
27th August 2016: 3am
Another sleepless night, and on a weekend no less! This time, it was the words "retaining data for as long as it is relevant" going round and round in my head. Serves me right for trying to make the EU GDPR my bedtime reading.
I can't sleep until I have the answer.
So I've just grabbed my laptop and checked out the DMA Questions answered section. Turns out the "retaining data for as long as it is relevant" clause is a storage limitation principle. We're not allowed to keep personal information for longer than necessary when it comes to processing the data.
It seems a bit vague to me, so I'm just going to follow the ICO guidance on the matter.
6th September 2016: 6.30am
Well, at least this is a more acceptable time to wake up. Still thinking about work stuff, though. Namely, how I'm going to explain all the EU GDPR jargon terms to my marketing team.
I've got the basics covered:
- Consent: freely given, specific, informed statement that agrees to the processing of their personal data.
- Data Protection Officer: An expert on data privacy who works independently to make sure organisations are adhering to the GDPR.
- Data Controller: The entity that determines the purposes, conditions and ways in which we process personal data
- Data Processor: The entity that processes data on behalf of the Data Controller
- Personal Data: Any information related to a person or 'Data Subject' that can be used to identify the person.
I'll just tell them that they can find the rest of the terms they need on the EU GDPR website.
Then I'll get them to read the whitepaper I created on how the EU GDPR changes are going to affect us. It's time they braced themselves for what is to come!
CommuniGator’s Head of New Biz Marketing, Victoria Dyke, has over six years’ experience in the B2B software industry. Known for her cool head and feisty spirit, we would say Vicki’s spirit animal is a swan. She works incredibly hard under the surface to make sure our marketing glides along effortlessly. Interesting fact: Vicki was born on 20/03 at 20:03. We think that explains why she’s such a perfectionist!