HubSpot by IV-Lead

How does the GDPR work? How does it impact marketing?

Written by Ohad Peter | Jan 17, 2024 3:07:43 PM

Disclaimer: This blog post does not provide legal advice on how to comply with EU data privacy laws, such as the GDPR. Rather, it provides background information so that you can better understand the GDPR. As legal information is not the same as legal advice, where an attorney applies the law to your particular circumstances, we encourage you to consult an attorney if you have questions about its accuracy or interpretation.

In essence, you should not consider this legal advice or a recommendation for any particular legal understanding.

You've probably heard about the General Data Protection Regulation (GDPR). Marketing, and the way organizations obtain, store, manage or process the personal data of people in the EU, has been significantly affected by this legislation.

In 2018, a survey found that only 36% of marketers had heard of the GDPR, and that 15% of companies had done nothing to prepare, putting them at risk of non-compliance. Most companies were not ready for the GDPR then, but six years later, has anything changed?

Two parts of the Regulation matter most here. First, even if you're not located in the EU, you're subject to the GDPR if you process or control personal data about people who are in the EU. Second, the GDPR carries severe penalties for violators: fines of up to €20 million or 4% of a company's global annual revenue, whichever is greater. Companies cannot afford to ignore penalties of that size, and regulators have shown that they mean business.

We believe the legislation is a positive step. It pushes marketers towards work that puts people and their concerns first, which means marketers will have to work harder to earn people's attention and establish ongoing relationships.

For marketers to succeed, hard work alone will not be enough: they must also become more creative. Again, we don't consider that a bad outcome. We should welcome anything that gives consumers more power and makes marketers better.

The companies that have put their own needs ahead of consumers and relied on shady or purely outbound tactics are in for a shock. Under the GDPR, tactics such as buying lists, cold emailing, and spam have become obsolete.

As well as being outdated, these tactics provide a poor experience for the recipient and are becoming less effective every day. Inbound marketing is the antithesis of these tactics: it puts the consumer first and attracts them with valuable content. Organizations still relying on the old tactics will have to adapt their marketing strategies as a result of the regulation.

How will the GDPR affect my marketing efforts?

Are you wondering where to begin with GDPR? There's a lot to digest and we have created a dedicated GDPR web page to provide you with information about it, including what it is, why it came about, and a glossary of terms, as well as some of the most important changes the GDPR makes to EU data privacy laws.

As we work our way through the inbound marketing methodology, let's look at the GDPR principles you should consider at various stages:

Stage 1 - Data Collection

Transparency

The GDPR requires more transparency between the organizations that collect and determine how personal data is used (the 'Data Controllers') and the individuals whose personal data is being collected (the 'Data Subjects'). Any organization that draws people to its website and wants to collect data via a form must clearly communicate to them what the data will be used for.

Where the organization relies on consent, the individual must give it actively, and that consent must be freely given, specific, informed and unambiguous, requested in clear and plain language. Data subjects must also be told that they can withdraw their consent at any time, and withdrawing must be as easy as giving it.

Example: Meet Shawn Strickwater. He lives in Spain, has a passion for interior design, and we’re going to use him as an example throughout this post. If Shawn downloads an ebook from The Glue Company to research what materials he can combine for the decoration of his new house, The Glue Company will need to make sure that they explain to Shawn how they’re planning to use his data.

It is important that The Glue Company communicates clearly with Shawn and obtains his consent if they intend to track Shawn's use of their website, send him more information via email, or share his information with affiliates outside the EU. Under the GDPR, 'opt-out consent' is not valid: The Glue Company cannot pre-tick a box on the form and treat Shawn's failure to untick it as consent to email him.

At any point during the relationship, if The Glue Company wants to use Shawn's data for a new purpose, they will need Shawn's consent for that new purpose. In addition to being transparent at the time of data collection, companies must remain open and transparent throughout the marketing process and after the relationship ends.

Data Minimisation

When an organization collects data from an individual in order to convert a website visitor into a lead, the GDPR only permits it to collect data that is adequate, relevant, and limited to what is necessary for the purpose of collection. Collecting data that is unnecessary or excessive for that purpose is a GDPR violation.

Example: The Glue Company created a landing page for prospects like Shawn to download an ebook on living room colour schemes. Before Shawn can download the ebook, he will need to complete the fields created by The Glue Company. It’s reasonable that they might want to collect his name, email address and even details about the project Shawn is about to undertake. However, if they were to attempt to collect information about Shawn’s family (for example, if he is married or how many children he has) or his health, this would be excessive as that data should not be required by a decorating company.

Stage 2 - Data Storage and Processing

Purpose and Usage Limitation

Organizations are only allowed to collect and store data for specified, explicit, and legitimate purposes, and they may not process it in a way that is incompatible with the purpose for which it was collected. If they plan to transfer or share the data with another company for a purpose the person did not consent to, they must first obtain that person's consent.

Example: The Glue Company's ebook motivated Shawn Strickwater to enroll in a course to improve his painting and decorating skills. If The Glue Company is using a third-party training company to run the online course, The Glue Company will need to ensure the training company has Shawn's consent to use his data. Additionally, the training company may not use Shawn's data for any purpose other than the one he consented to.

Security

Once data is collected, the organization must ensure it is stored securely and in compliance with the GDPR's security provisions. Personal data must be protected against unauthorised processing and against accidental loss, disclosure, access, destruction, or alteration by using "appropriate technical and organizational security measures." Depending on the type of data they collect and how it will be used, companies may need to encrypt it, pseudonymise or anonymise it, or separate it from other data in their systems. Note that pseudonymised data (for example, records where the email address has been replaced by a keyed token, with the lookup table held elsewhere) is still personal data under the GDPR, because the person can be re-identified with the additional information; only properly anonymised data, which can no longer be tied back to a person, falls outside it.

Example: Since Shawn Strickwater's data is now stored in The Glue Company's systems, it is The Glue Company's responsibility to protect it. The Glue Company should have assessed the types of data they intended to collect and worked with their security team to ensure that it meets GDPR standards before collecting the data.

The required security standard will vary depending on the kind of data collected (for instance, biometric data, other sensitive data, or data about children) and how it will be used. Contracts with vendors that touch that data should contain the relevant security safeguards, and only employees who need access to that data should have it.
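To make the "pseudonymise it and separate it" option concrete, here is an added example (not The Glue Company's or HubSpot's code; the record, field names and class names are constructed for illustration). It keeps the direct identifiers in a separately guarded key store, hands the analytics and campaign systems only a keyed pseudonym plus the non-identifying fields, and shows why an unkeyed hash is not a pseudonym: anyone with a list of candidate addresses can hash them and link the rows back.

```python
"""Pseudonymising a marketing lead: analytics systems never hold the direct
identifiers; a separately guarded key store can still re-identify, or forget,
the person.  Added example, not code from the page or from any vendor.
All names, fields and the sample record below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample record: the fields a landing-page form might collect.
SAMPLE_LEAD = {
    "name": "Shawn Strickwater",
    "email": "Shawn.Strickwater@example.com",
    "country": "ES",
    "project": "living room repaint",
}

# Direct identifiers that must stay inside the key store.
DIRECT_IDENTIFIERS = ("name", "email")


def _normalise(email: str) -> bytes:
    # Same address typed with different case or spacing -> same pseudonym.
    return email.strip().lower().encode()


def naive_pseudonym(email: str) -> str:
    """An unkeyed hash. Looks anonymous but is linkable: with a guess list of
    addresses an attacker hashes each one and matches it against the token."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def link_by_guessing(target: str, candidates: Iterable[str], pseudonym_fn) -> Optional[str]:
    """Attacker model: run each candidate address through pseudonym_fn and
    return the one whose token equals the target, or None."""
    for email in candidates:
        if hmac.compare_digest(pseudonym_fn(email), target):
            return email
    return None


class PseudonymKeyStore:
    """Holds the secret key that derives pseudonyms and the table mapping each
    pseudonym back to the direct identifiers. This component is kept apart
    from the analytics copy of the data and restricted to staff who need to
    re-identify people (e.g. to answer an access or erasure request)."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed HMAC-SHA256: without the key, the guessing attack above fails.
        return hmac.new(self._key, _normalise(email), hashlib.sha256).hexdigest()

    def register(self, record: Dict[str, str]) -> str:
        pid = self.pseudonym_for(record["email"])
        self._reverse[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return pid

    def reidentify(self, pid: str) -> Optional[Dict[str, str]]:
        return self._reverse.get(pid)

    def erase(self, pid: str) -> bool:
        """Erasure request: drop the mapping so pseudonymised rows can no
        longer be tied back to the person. Returns False if already gone."""
        return self._reverse.pop(pid, None) is not None


def pseudonymise(record: Dict[str, str], store: PseudonymKeyStore) -> Dict[str, str]:
    """The copy of the lead that marketing/analytics systems may hold:
    the pseudonym plus the non-identifying fields only."""
    pid = store.register(record)
    safe = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    safe["subject_id"] = pid
    return safe


if __name__ == "__main__":
    store = PseudonymKeyStore()
    row = pseudonymise(SAMPLE_LEAD, store)
    print("analytics row:", row)
    print("re-identified:", store.reidentify(row["subject_id"]))
    store.erase(row["subject_id"])
    print("after erasure:", store.reidentify(row["subject_id"]))
```

Two practical points follow from the design. The key store is where access control and vendor contracts bite: the analytics vendor gets the pseudonymised rows and never the key. And because the pseudonym is deterministic while the key exists, an erasure request is only complete when the mapping is dropped, the pseudonymised rows are deleted from every system (and downstream vendor) that holds them, and no fresh copy of the email is fed back in.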

Accuracy

Organizations must keep the personal data they hold accurate and up to date, and individuals have the right to have inaccurate data about them corrected or updated at any time.

Example: Shawn Strickwater bought some paint from The Glue Company and signed up for their loyalty program to receive discounts and design ideas via email. He has moved to a new email provider and wants The Glue Company to update his data so he can receive emails at his new address.

Accountability

It is the organization's responsibility to ensure compliance with the GDPR and to be able to demonstrate it. In addition to keeping records of compliance (for example, consent records), they must create policies that govern how their data is collected and used.

It's also important that they implement a 'Privacy by Design/Default' policy, so that they systematically consider the impact a project or initiative may have on individuals' privacy. To ensure the security of the data processed on their behalf, controllers will also need to update their vendor contracts to include the required data-protection terms.

Stage 3 - End of the Relationship

Retention

Personal data may only be retained for as long as necessary to achieve the intended purpose. Organizations should have a data retention policy that outlines how long they will retain an individual's data after the relationship ends, together with their business justification for doing so.

When drafting their retention policies, organizations need to consider whether any laws or regulations require them to keep some of the data for specified periods; for example, they may be legally required to retain some financial data for auditing purposes. Although this is permitted, it should be clearly outlined in their retention policy and communicated to Shawn. Even at this stage of the relationship, the principle of transparency is crucial.

Deletion

If an individual requests that their data be deleted, data controllers must comply and confirm the deletion, not only from their own systems but also from the systems of any downstream vendors (processors) that handle that data on the organization's behalf.

The GDPR is good for marketers

Complying with the GDPR takes several steps, but three of the changes it brings are good for the marketing industry:

1. There's respect for people's attention

The GDPR requires marketers to provide even more value to customers in order to succeed, and that makes the job of a marketer more challenging. To attract consumers and earn the right to speak with them, marketers need to work hard (really hard). And so they should: attention is a valuable commodity that marketers have abused for far too long.

2. Transparency between people and the companies that hold their data

Under the GDPR, people in the EU have greater transparency and control over how organizations use their data. Transparency is crucial. Few people today appreciate the benefits of sharing data; they share it because they want to use a service or product. Transparency requires companies that collect data to communicate with their customers and provide value in return. Greater communication and transparency around data collection should lead to a better understanding of why people should share their data at all.

3. Marketers have a higher bar to meet

Let's not fool ourselves: the GDPR raises the bar for marketers. Strategies without GDPR-compliant consent mechanisms are consigned to history, so marketers need to think differently and innovate. To succeed in this new reality and comply with the GDPR, we will see better, more creative, and more thoughtful marketing.

The GDPR was a watershed moment for the marketing industry. It is rightly causing many organizations to rethink how they approach marketing, but it is also an opportunity for businesses to show why sharing data matters to people and how it results in better products, better services, and a more efficient data economy.