A GDPR Survival Guide For Marketers

  • Written by David Fowler, Act-On Software
  • Published in Demanding Views

Marketers love their acronyms. The C’s alone contain a slew of them, such as CPC (cost per click), CR (conversion rate) and CTA (call to action).

Lately, a newer acronym has been causing a stir, and any marketers who aren’t up to speed on it yet need to — very quickly.

It’s GDPR, or the General Data Protection Regulation, stringent European Union laws governing the way companies collect, manage and use information on EU citizens.

The law, approved by the EU Parliament in April 2016, becomes enforceable on May 25, 2018. Less than a year from now, companies that violate GDPR will be subject to fines of up to 4% of their annual worldwide revenue or €20 million, whichever is greater.

GDPR’s impact is worldwide because it applies to any organization holding data on EU citizens, regardless of where it is located. (Companies with information on citizens in the United Kingdom aren’t off the hook. British officials have said that, despite Brexit, they plan a full implementation of GDPR.)

GDPR replaces the 1990s-era Data Protection Directive 95/46/EC and is aimed at giving EU citizens greater control over their personal data, protecting privacy and holding companies accountable on matters such as data use consent, data anonymization, breach notification, cross-border data transfer and appointment of data protection officers.

For example, organizations will have to honor individuals’ “right to be forgotten” — fulfilling requests to delete information on them and providing proof it was done. They must obtain explicit permission to gather data, rather than implied. And they will be required to allow people to see their own data in a commonly readable format.

GDPR covers any information that can be used to directly or indirectly identify an individual, such as names, photos, email addresses, financial details, posts on social networking sites, medical information or a computer IP address, no matter when it was collected.

As you can see, GDPR is a massive law that will require fundamental changes in how businesses function. Though multiple departments across organizations will be affected — including HR, Legal, Finance, IT and Procurement — marketing has the most skin in the game because it’s the primary owner of customer data in the digital era.

With GDPR enforcement starting in less than a year, marketing organizations need to take a few proactive steps now to make sure they’re sufficiently prepared.

Here’s a checklist:

  1. Undertake a comprehensive inventory and assessment of the company’s data collection processes and practices. How do you define personal data? What exactly do you collect? How? Where do you store it; how old is it; and what do you do with it? Organizations can’t comply with the new law without a firm understanding of their own data posture.
  2. Make sure you’re collecting only the data you need. Post-GDPR is not a time for extraneous information that has little or no value to the business but is still bound by the regulation.
  3. Find out where your email contacts are located and, in cases where GDPR applies, design new procedures that allow individuals to give specific, unambiguous consent for any activities involving their information. Remember that pre-checked opt-in boxes will no longer suffice.
  4. Design processes (no pre-checked boxes!) and formats to tell individuals how you intend to use their data and give them an option to say no.
  5. Remember that the burden of proof lies with you. You need to be able to show compliance with GDPR if asked, so develop systems to store and track all information about your data-related interactions with individuals.
  6. Develop a data breach incident plan. The GDPR, unlike the 20-year-old directive it replaces, places strict notification requirements on companies that suffer a data breach, defined as destruction, loss, alteration or unauthorized disclosure of or access to personal data.
  7. Tighten data privacy policies across the organization as well as third-party vendors. Don’t keep any data that you don’t need.
  8. Ensure the organization isn’t running afoul of GDPR’s general ban on cross-border data transfers and that any exceptions meet the law’s conditions.

A final point: Given the law’s complexities, companies should seek a legal opinion of how the regulations may affect them.

GDPR is one of the most consequential acronyms for marketers today, but with enough preparation and operational change, they’ll be OK.
David Fowler is Head of Privacy and Digital Compliance at Act-On Software, a marketing automation provider.