We’ve explained what consequences GDPR has for your marketing efforts before. Some of you might have considered which of your marketing and sales practices become more difficult once the rules are in full effect. But most people we speak with consider 25 May 2018 far enough out to not prioritise the work needed to prepare. We disagree.
Ask yourself what part of your marketing database you’re not allowed to contact after that date. How much time would you need to segment your database on opt-in information? How long do you need to run an opt-in or engagement campaign? Finally, have you reviewed your sales and marketing handover?
Responsibilities for Marketing and Legal
Even though the rules are specific, there are many grey areas that privacy and legal specialists are still debating. We expect that those discussions will continue for the foreseeable future and most likely until the first fines have been received.
We don’t recommend waiting until that time because there are a number of straightforward tasks that you can get working on today. We’ve compiled a list of tasks that your marketing team can start working on. Even though we always recommend discussing and getting sign-off from your legal counsel on any documentation relating to GDPR, these tasks fall within the responsibility and skillset of your marketing team.
Does GDPR affect my business?
Most likely, yes. If you work with personally identifiable data of residents in the European Union, GDPR is applicable to you. If you ask customers to create an account before you fulfill their order or if you ask leads to fill in a form in order to send them a document, you will need to be compliant. Even if you use Google Analytics to track visits to your website, GDPR applies.
If you are in fact a marketing agency, both you and the end client have to be compliant. Even by having access to your customers’ CRM system you expose yourself to fines if you are not compliant. Because we at BusinessBrew help our customers optimise their HubSpot portals, we have to make sure we are compliant, even if we weren’t doing any marketing ourselves.
If you are a business owner, you are obliged to review all of your service providers. Have you shared a list of contacts for an event? Does a sales trainer have access to your CRM system to help your sales reps? Does an agency manage your social presence? All of these suppliers have to be compliant.
Think you don’t need to worry about GDPR because you are based outside the EU? If you handle data from European citizens, you have to follow the rules as well. There are no exceptions!
GDPR to-do list
Alright, you understand that it’s time to get to work. It might take time to engage legal counsel, but there are a number of things you can already handle with marketing and sales now. We’ve broken the tasks down into 9 topics for you:
- Define opt-in status for all contacts
The first step is to define whether or not specific opt-in has been recorded for your existing database. Document what these groups have opted in to and define who you need to contact to renew their opt-in or get specific, explicit opt-in from.
- Compliance for new contacts
Before you launch any new (opt-in) campaigns or activity, you want to ensure that all new efforts are compliant with GDPR. You want to clean up all assets around data collection and ensure you monitor opt-in expiration.
- Create opt-in campaigns for existing contacts
Because you started considering GDPR early on you have plenty of time to run re-engagement campaigns for the contacts that have been identified as not having the correct opt-in recorded.
- Sales compliance
Compliance with GDPR doesn’t stop with marketing. Since you hand over your leads to sales, and your sales organisation might leverage tools such as LinkedIn and contacts acquired at events, it is important to educate your sales team on the implications and consequences of GDPR as well.
- Prepare for information requests
An important part of GDPR is the requirement to respond to a request for information “without undue delay and at the latest within one month of receipt of the request”.
When an individual requests information you are required to provide them with an overview of what data is being recorded, where data is stored, for what purposes you’ve recorded the data, how long you intend to keep it and more. Businesses can contest a request if the request is unreasonable; you can read up on Article 12 for this.
This way you provide a clear answer with little effort from your side. You can automate your responses and create breathing room for yourself to review the request and manually add additional information if required.
- Prepare for data breach
Organisations are obliged to report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” to the relevant authorities. In the case of a personal data breach, organisations have to notify the appropriate supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it “if the breach is likely to result in a risk for the rights and freedoms of individuals.”
Even though this task might not lie with marketing, the consequences and a possible fallout are likely to have an effect on you. You can work with your legal counsel or privacy officer to prepare crisis communication that you can use to update your contacts if needed.
- Review external parties that work with your data
All service providers who access your client data need to be compliant. If they aren’t you want to reconsider your collaboration with them. Make sure to start reviewing service providers well before May 2018. This can be a marketing agency but also the software provider of your marketing or CRM system.
- Privacy page
You need to provide a clearly written privacy page. This privacy page needs to be signed off by your legal counsel but it’s important to offer a page in simple and plain language as failing to do so can be enough to receive a fine.
- Clean your database
It might speak for itself, but before 25 May 2018, remove all data belonging to contacts that haven’t engaged with you in a while or that you haven’t acquired the right opt-in from. If this list is long, it will hurt but keep in mind that these contacts aren’t likely to buy from you anytime soon and you don’t want to risk a fine over these contacts.