GDPR stands for the General Data Protection Regulation, and what it will mean (when it applies from 25 May next year) is that you need a lawful basis for processing the personal data of everyone you market to. For most direct marketing that basis will be consent, so in practice everyone you market to must have given it.
GDPR is an EU law, and before you ask, it won't be stopped by Brexit.
This blog will be useful if you are looking for:
Note: whilst we know broadly what GDPR covers, the guidelines around exactly how businesses will need to respond to it are still vague. This blog will therefore be updated regularly as more information comes to light.
Has everyone in your database opted in to your marketing?
Digital minister Matt Hancock has confirmed that the UK will replace the Data Protection Act 1998 with legislation that mirrors GDPR.
With D-day less than a year away, the big question facing marketers is this: is everyone in your database opted in?
If they are not, the fines for being non-compliant are pretty scary. Penalties for the most serious types of breach can be up to €20m or 4% of global annual turnover - whichever is higher. Ouch.
There could also be a reputational impact too. People don’t generally like unsolicited marketing, and they will like it even less when they know that it has become illegal.
So what does GDPR mean for marketers?
It’s too early to know every detail of what businesses will need to do to be compliant, but the following tips should focus your thoughts in the right direction.
If it all seems a bit much and you're quickly realising that you aren't prepared at all, you might find it useful to have a chat about the best way to get going with these points.
1. Make sure that your process for obtaining new contacts is watertight
This means that you must consider data privacy before you obtain any contacts - and throughout the entire lifecycle of data processing.
GDPR focusses largely on consent, which must be "freely given, specific, informed and unambiguous".
What does that mean in reality? It means that the burden of proof sits with the business: you need to be able to demonstrate that a person agreed, what they agreed to, and when.
Pre-ticked opt-in boxes, silence and inactivity will no longer count as consent, and neither will scanning people's badges at events without telling them what their details will be used for. There will need to be clearer signposting on websites - it is likely that best practice will be to ask prospects to actually tick a box saying that they are happy to be contacted, and to record that they did so.
It also needs to be as easy for people to withdraw their consent (by unsubscribing) as it was to give it.
2. Make sure that you have visibility of and control over your data
You will need to know where your data physically is, who has access to it, and which suppliers process it on your behalf.
Under GDPR, there are some new rights for data subjects, including the right to request erasure of their personal data in particular circumstances. For example, they could request to be removed from your database if their data was no longer needed for the purpose it was originally collected for, or if they withdraw the consent the processing was based on.
Whilst they may not actually ask you to remove it (and hopefully they won't, if you market to them sensibly), what it means in practical terms is that you need to be able to find and delete a person's data across every system that holds it when required. If you have outsourced processing of your data to a third party, you are still responsible for it as the data controller. The easiest way to manage this responsibility is to use a solution that gives you a clear overview of all your data.
3. Consider introducing inbound marketing
One of the great things about inbound marketing is that it gives you more opportunities to get your prospects to opt in by providing relevant, useful content that they actually want to receive.
Inbound marketing brings people to you, rather than you having to go out looking for them. That makes it an excellent way to establish a transparent and ethical model for collecting prospects' data, because your audience comes to you voluntarily. Bear in mind that reading your content is not the same as consenting to hear from you: you still need an explicit, recorded opt-in before you add someone to your email list.
Inbound marketing platforms such as HubSpot are going to be even more useful in the post-GDPR context, because they offer you a clear, detailed attribution of which channels and what content is most likely to attract new email subscribers.
HubSpot’s contact record gives clear details of them opting in, data obtained and also if they have opted out. HubSpot won’t let you send emails to people who have unsubscribed.
4. Hire a Data Protection Officer, if you need to
The GDPR requires you to have a Data Protection Officer if you are a public authority, if your core activities involve "regular and systematic monitoring of data subjects on a large scale", or if they involve large-scale processing of "special categories" of data. Those special categories include data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, and health. If you establish that you do need one, get a move on, because some estimates are that there are not enough suitably qualified specialists around to fill the expected 25,000 vacancies over the next year!
GDPR can seem like a desert sand dune inexorably sliding towards you, millimetre by millimetre. But as dry as this law is, it is coming.
The overall impact of the regulation is clear - all of us will need to get the infrastructure, technology and processes in place to build an ‘opted-in' subscriber base. While the exact details of how businesses can comply are not yet known, it is clear that it is time for us to start taking responsibility for the way we collect personal data.
Inbound Marketing & Sales Strategist