With the General Data Protection Regulation (GDPR) just around the corner, businesses and marketers in Europe and across the globe are gearing up to be compliant with the new set of rules. Though GDPR was adopted in April 2016, the EU Parliament and Council have given businesses a two-year transition period to prepare for these changes. With the deadline approaching, GDPR has become a hot topic among agencies and marketers. So, what impact will this have on businesses and their marketing teams?
The EU Parliament and Council believed that the current Data Protection (1995) Act was aptly suited for technology that existed in 1995. However, rapid changes in more recent years have made it easy for marketers to collect more data than ever before. The EU Council therefore decided to adopt GDPR to make privacy laws adaptable to current evolving technology, and these new GDPR rules will go into effect on May 25th, 2018. Though it sounds a bit harsh to businesses and other data handlers, the key idea behind the policy is to build trust between the technology providers and the users. GDPR remarkably broadens the privacy rights granted to the EU citizens, and it places many new restrictions on organizations that handle personal information.
Need more information on some key GDPR terms? Here are some basic definitions from GDPR – Article 4.
GDPR will affect any organization that processes or accesses EU citizens’ data. Regardless of where the organization is located, marketers worldwide will need to prepare for GDPR compliance if they manage any EU data.
There are several things that marketers should consider, including:
Organizations must be able to provide proof that a data subject chose to opt-in for marketing communications, such as checking an unchecked ‘opt-in’ box on a form, and did not enter the list by default. “Double opt-in” (where opt-in is followed up with a “click to confirm”) is also a best practice.
If marketers use legitimate interest for direct marketing, then they will be able to send emails on an opt-out (unsubscribe) basis. However, this is not compliant with GDPR. There are several other rules of GDPR that must be met, and, if appealed, proving ‘legitimate interest’ may be harder to do legally.
Marketers must ensure their forms are made compliant, with a mandatory opt-in requirement. Forms must be designed in a way that complies with GDPR.
Marketers will not be able to use event attendee lists for campaigns anymore. They should consider gathering evidence for opt-in, such as an opt-in from event stands, or a follow-up email post-event.
Consider managing your CRM effectively. Under the “Right to Erasure,” everyone has the right to opt out from your list. These unsubscribed members must be removed or deleted from your records and any other databases.
Every organization must prove that the subject has consented to the processing of his/her personal data.
B2B marketing communications, regardless of the medium, must be about products and/or services that are relevant to the recipient’s job title. The content should be made relevant to the individual, not just to an account.
The situation for email marketing is ambiguous regarding whether to consider a corporate email ID as a personal email and communicate on an opt-in basis, or to consider the email ID as a corporate subscriber, meaning no opt-in is required. Therefore, B2B marketers will need to make a choice between consent and legitimate interest when sending emails.
Organizations will face heavy penalties in the case of non-compliance with GDPR. Fines could be up to €20 million or 4% of the organization’s annual turnover, whichever is greater.
The ICO (Information Commissioner’s Office) advises following their checklist to prepare for GDPR compliance. Check out their checklist here.
Though GDPR may create complexities for a few businesses, we can take a positive stance on it. Ultimately, GDPR is about creating transparency between businesses and customers, which builds more relevant and valued relationships between both parties whilst ensuring the customers’ data is protected.
Disclaimer: Please do not use this post as a guide to GDPR policy and consult your legal team for any clarifications about your company’s GDPR compliance. This blog is for informational purposes only.