On May 25th, the General Data Protection Regulation (GDPR) takes effect and European regulators will begin cracking down on how companies are treating European Union (EU) citizen data. Despite the looming deadline and having two years to prepare, many companies have done very little to change how they collect and process data to comply with the new regulation. According to a study by Ernst & Young, only a third of global companies have a plan in place for GDPR. The number gets even smaller for North American companies – only 13% have a plan in place.
Personal data includes name, address, photo, email, bank details, IP address, social posts, and medical information. Who uses this information the most in a company? Marketing.
GDPR Will Affect All Marketers
Not Just Those Located in the EU
All companies, both in the EU and outside the EU, that collect personal data from EU citizens will be required to be in compliance with the GDPR. Failure to comply with the new regulation could cost a company up to 4% of global revenue or 20 million euros (whichever is higher) in fines.
Another reason you should pay attention to the GDPR: Your consumers. HubSpot found that 90% of consumers think the GDPR is “a good thing.” Additionally, if a company is 100% transparent about how and when they will use a consumer’s personal data, 22% are very likely to find that company trustworthy and 50% are somewhat likely.
In today’s world, trust is everything. Marketers who make the GDPR a priority in their strategy will build consumer relationships based on trust and loyalty.
How Will Marketing be Impacted?
The GDPR will likely affect every part of your marketing funnel, from the time a European consumer visits your site to the time they make their purchase.
You likely rely on cookies to track a consumer’s behavior, such as their shopping cart and wishlists, and to create personalized retargeting ads. Most retailers have an implied or soft opt-in for cookies. It usually says something like “By continuing to this website, I accept cookies.” Under the new rules, this will no longer be sufficient. In addition to an explicit opt-in for cookies, such as a tick box or an “I Accept” button, you will need to have an easy way for the consumer to opt out.
According to the GDPR, changes to consent are defined as the following:
“The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
What does this mean exactly?
Today, if a European consumer fills out a form on your site to download a report, you may assume they also want to receive promotional emails. Because of this assumption, you automatically put them into an email campaign for your new product. Starting May 25th, the consumer must be freely given the option to opt in (consent) to promotional emails when they fill out the form to download the report, before they are added to an email campaign.
In addition to consent for data collection, you will also need consent for data sharing. For example, if you are co-hosting a webinar with a third party, you must also receive consent from the consumer to share their data with the third party and clearly define how the third party will use that data (such as promoting upcoming events, newsletters, or product launches).
Restrictions on the Type of Data You Collect
Many marketers are guilty of asking for more data than is necessary. Once the GDPR takes effect, you should skip the “nice to haves” and focus only on the data you need from European consumers. For example, if a consumer wants to download a report, it makes sense to ask for their email address, but do you really need to know their yearly income? Probably not. If you are unable to legally justify the data you collect and process, your company could be at risk of being fined by European regulators.
Under the new regulations, European consumers have the right to review, edit, and delete their data. As a result, you will likely see an increase in the number of consumers asking to be deleted from your database. According to HubSpot, 59% of European consumers would ask to be completely deleted if given the option.
Your Marketing Automation Platform and CRM System
Let’s say a consumer asks to have their data deleted from your CRM system, but it is not deleted from your marketing automation platform. If the consumer continues to receive promotional emails, you are violating the GDPR. To avoid this, both systems will need to be updated when a consumer opts out of communications.
What about segmentation?
You will likely want to review most of your vendor contracts before the May 25th deadline to ensure they comply with the GDPR. Article 28 of the GDPR includes a list of items that need to be included in your contracts with vendors. (Note: Only your third-party vendors that process EU citizen data will be affected by the GDPR.)
When auditing your existing data, there are two questions to ask yourself:
- Does your existing consumer data have clear documentation regarding which communications they consented to and when?
- Can you legally justify keeping the data you have?
If you can’t answer “yes” to both of these questions, you will need to determine which data you can legally keep and create a plan to ensure existing consumers have explicitly consented to marketing communications from your company.
Preparing for the GDPR
While the GDPR will likely cause a headache for your marketing department, it also gives you and your company a huge competitive advantage if you can get ahead of the new regulation. Consumers will place their trust in companies that are transparent as they transition their policies to comply with the new rules. Before the deadline, here’s a checklist to make sure you and your company are in compliance with the GDPR by May 25th.
Note: This article should not be considered as legal advice.
Interested in learning more about GDPR? Check out our sources: