If you are in the business of demand generation – collecting leads and using data to target prospects and customers for your business – then you’ve most likely heard of GDPR. For those of you that may not be as familiar, we’re talking about the General Data Protection Regulation (GDPR) legislation of the European Union. This legislation goes into effect May 25, 2018. This applies to protections for the personal data of European residents regardless of whether you process that data inside the EU or not. North American companies that process such data will have to comply with the GDPR requirements. If not, the fine can be up to 4 percent of annual revenue.
So, what does this mean?
While you may not target Europeans now, many suspect similar regulations coming soon for U.S. residents and businesses and updates to CASL in Canada. It is best to take steps now for GDPR (and hey, it really is best practice) to ensure you are keeping your customer and prospect data private and secure. When we talk about “data,” it is the personally identifiable information (PII) – name, email address, phone number (and obvious secure information such as account numbers, SSN, etc. – if your business collects and stores that information). Canadian businesses are in good standing due to CASL but the increased focus on data integrity will increase the pressure on the more stringent legislation that government has struggled to put in place.
What is the gist of what I need to know?
Of course, it is always smart to consult legal advice and experts who are well-versed in GDPR. However, from a marketer’s perspective, there is low-hanging fruit that can be implemented now within your campaign architecture and tactics as best practice to help you prepare. While this is not everything, it is a start.
1. Data collection forms
At the point of data collection (forms), it is no longer compliant to have a generic opt-in for marketing purposes. Provide detail on what the information (email address) will be used for, what will be communicated and how (in what channels). Reconsider a global opt-in to a tiered opt-in for different topics and different channels (i.e., I opt-in for offers related or unrelated to my product or service, via text, mail, email, phone, etc.).
2. Opt out or opt down
Have an easy and known way for all users to completely opt out or better yet (for us in marketing) to opt down. When someone elects to opt out or opt down, the regulation states that this should be done “immediately” – so in real time. Are your systems set up to reflect this – all the way downstream and back to other systems you may use?
3. Documenting consent
CRM is great and most of us have processes and date stamps in place for lead collection. Make sure your data/lead capture contains hidden data fields that indicate the required information under this regulation. Moving forward we need to ensure evidence of accountability:
- Who? – Contains the identity of the individual and tagged with a unique identifier (UID) (email is not considered a true UID as many people have more than one)
- When did they consent? – Date stamp the submission on the UID record
- What did they consent to? – What was the offer, what was the opt-in clause?
- How and where was it collected? – Landing page, URL, etc.
4. Capture cookie consent
A cookie is a text file that is stored on a user’s computer and later retrieved by a web server (so I’m told – this is for the techies out there). There are different categories of cookies for different purposes – performance, functionality, social, targeted advertising, strictly necessary, etc.
As what we do in the realm of marketing communications becomes more and more data-driven and digitally integrated, being compliant and using best practices as we capture, store and use the data for delivering targeted and relevant communications is just plain smart.
To continue the conversation or if you have any questions, feel free to contact us!