Data is the lifeblood of B2B marketing, so when a new law shows up that affects the collection and storage of data, B2B marketers must take notice.
GDPR is such a law, and B2B marketers everywhere are wondering how it will affect them and what they have to do to comply, or if they have to comply at all.
Here’s what you need to know:
GDPR stands for General Data Protection Regulation, which is legislation enacted by the European Union (EU) to protect the privacy of its citizens. It becomes active and enforceable on May 25, 2018, and businesses that don’t comply with it face crippling fines.
The new law doesn’t just apply to companies that are based in the EU, it applies to any company, regardless of location, that offers goods or services, paid or free, to individuals in the EU.
If you monitor the behavior of individuals in the EU, such as for marketing purposes, you must also comply. Even if you’re not handling EU clients yet, but are considering entering a new market in the EU, you need to know about GDPR.
GDPR lays out rules for the allowable collection, use, and storage of personal data. Personal data is defined as any data that can be used to identify a person directly or indirectly. It includes things such as name, photo, email address, and computer IP address — the kinds of details B2B marketers routinely collect.
The GDPR law gives individuals the following rights:
- The right to be informed: People have the right to know what information is being collected about them and how it’s being used.
- The right of access: People have the right to access their personal information and make sure it is processed in a lawful way.
- The right to rectification: People have the right to request that their personal data be amended if inaccurate or incomplete. Companies have one calendar month to update the data.
- The right to erasure: Also known as “the right to be forgotten”, this gives people the right to ask companies to delete their personal data from their databases. Companies must comply within one calendar month.
- The right to restrict processing: People have the right to restrict or suppress the usage of their personal data. Companies can still store the data, but cannot use it.
- The right to data portability: This right enables people to obtain and transfer their data to other IT environments in a secure way, so they can use it for personal reasons with other service providers, such as apps to find better deals or understand shopping habits. You must provide data in a commonly used format, such as CSV.
- The right to object: People can tell companies not to use their personal data for direct marketing, scientific/historical research, to perform a legal task for public interest, or for an organization’s legitimate interests.
- Rights in relation to automated decision-making and profiling: Article 22 of the GDPR contains provisions to protect individuals when companies make decisions about them based solely on automated processing that has legal effects on them.
GDPR doesn’t apply to business data. So things like business name, address, and the generic company email address are in the clear. However, personal business email addresses, like firstname.lastname@example.org, fall under GDPR because they identify an individual.
It’s a lot to take in, and complying requires buy-in at every level, from executives to the IT team and marketing staff.
For B2B marketers, the key aspects of GDPR center around consent and transparency. You must have documented consent for collecting and using personal data, and you must be transparent about how you’re using it. If someone asks you to give them a copy of their data or delete it from your system, you must have a policy in place to comply without undue delay and within 1 calendar month.
GDPR Readiness Checklist
To help you get a handle on compliance, follow the steps in this checklist that targets the key areas where B2B marketers are likely to be impacted.
1. Assess what personal data you currently collect and store
This includes information collected online through forms and cookies, as well as offline.
Did you have consent to collect it, and were you clear about the things it would be used for? Are you holding it for the minimum time necessary and keeping it in a secure manner?
For example, are you using encryption or pseudonymization and ensuring that only people who have a legitimate purpose can access the data?
2. Ensure you obtain consent for every bit of personal data you collect
This includes information you get via website browser cookies. To comply, the individual must specifically consent. For cookies, a pop-up on the user’s first visit allowing them to accept or decline is a good route.
If the users don’t click accept, you can’t place cookies. Without cookies, the site should still be accessible, though obviously personalization will be lost.
Here’s an example from the CookieScript website, which helps webmasters create these pop-ups:
3. Collect only necessary data
Forms, whether online or off, are a tempting place to gather as much information as possible. Under GDPR, that’s a no-no.
Ensure forms you use in your lead generation strategy collect only the necessary data for processing.
4. Have a lawful basis and be transparent
You must have an acceptable, lawful basis for collecting this data.
Be transparent. You must convey, specifically, what personal data you collect and its intended uses. Include cookie usage and information about if and when personal data might be shared with other parties.
5. Create a data retention policy
Keeping everything forever, while attractive, is not an acceptable policy. Don’t keep data for longer than absolutely required to serve data processing needs.
While the GDPR does not set any maximum time for storing data, it states that data should not be kept for longer than is necessary to accomplish the purpose for which it was obtained.
It is good practice to establish standard retention periods for data you collect and conduct regular audits to ensure you are not retaining data longer than necessary.
6. Implement a procedure for updating or deleting data on request
As mentioned above, GDPR includes a “right to be forgotten” provision. If someone asks you to remove their data, you must do so, though there are a few exceptions. Individuals must also be able to submit corrections to their data, so you should have a system in place to do this quickly and easily.
7. Employ security by design
This means that only people who need the data should be able to access it. It also means you are storing the data in a secure fashion, by employing techniques such as encryption or pseudonymization.
There are vendors popping up to meet this need. Companies that offer these services (among others) include:
- IRI FieldShield - A tool for masking personally identifiable data in your databases and files.
- Protegrity - A data protection specialist with tools that include pseudonymization for organizations.
- Anonos Big Privacy Data Solution - This company’s services can be used to transform data into a pseudonymized format.
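Steps 5, 6 and 7 can be exercised together in code. The following added example (not code from the original article or from any vendor listed above) keeps marketing records under a keyed-hash pseudonym with the identity mapping held apart, and implements rectification, erasure and a retention purge; the key, the one-year retention period and the sample leads are assumed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed placeholder: in production the key lives in a secrets manager, held apart
# from the marketing database, so pseudonyms alone cannot be reversed with database access.
PSEUDONYM_KEY = b"placeholder-key-not-a-real-secret"
RETENTION = timedelta(days=365)  # assumed retention period for this example


def pseudonymize(email: str) -> str:
    """Keyed hash of a normalized email: stable for joins, not reversible without the key."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


class LeadStore:
    """Marketing records keyed by pseudonym; the identity map is kept separately."""
    def __init__(self) -> None:
        self.records = {}     # pseudonym -> {"company": str, "consent_at": datetime}
        self.identities = {}  # pseudonym -> email, restricted to staff who need it

    def add_lead(self, email: str, company: str, consent_at: datetime) -> str:
        pid = pseudonymize(email)
        self.records[pid] = {"company": company, "consent_at": consent_at}
        self.identities[pid] = email
        return pid

    def rectify(self, email: str, **fields) -> bool:
        """Right to rectification: update the record for a known individual."""
        pid = pseudonymize(email)
        if pid not in self.records:
            return False
        self.records[pid].update(fields)
        return True

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the identity link and the record together."""
        pid = pseudonymize(email)
        existed = self.identities.pop(pid, None) is not None
        self.records.pop(pid, None)
        return existed

    def purge_expired(self, now: datetime) -> int:
        """Retention audit: remove records held longer than RETENTION since consent."""
        expired = [p for p, r in self.records.items() if now - r["consent_at"] > RETENTION]
        for pid in expired:
            self.identities.pop(pid, None)
            self.records.pop(pid, None)
        return len(expired)
```

Running `purge_expired` on a schedule gives you the regular audit step 5 calls for, and because erasure removes the identity link first, a record that survives by mistake no longer identifies anyone.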
9. Develop a plan for detecting and reporting data breaches
GDPR includes a provision that requires you to report data breaches to affected parties within 72 hours of becoming aware of the breach.
10. Consider designating an official data protection officer (DPO)
If you perform large-scale monitoring of data subjects or meet certain other specifications, you’ll need to assign someone to serve as DPO to make sure that your organization complies with privacy-related legislation.
The DPO has the following responsibilities:
- To advise the data processor and the employees who carry out the GDPR requirements
- To monitor compliance — to make sure all parties in an organization know their responsibilities for acting in a lawful manner and that they fulfill those responsibilities
- To make sure that employees and the public are informed of their rights
- To cooperate with the supervisory authority and serve as the contact point
11. Document everything
GDPR requires that you be able to provide evidence that you comply with the regulation. Record the procedures you’ll use for each of the above steps as evidence.
12. Double opt-in
Your existing mailing lists may be a sticking point. Under GDPR, individuals must have given consent to be on the list. Double opt-in achieves this, so if you’ve been using that, you’re in the clear. However, if you purchased names to add to your list or signed people up without obtaining consent first, those records are probably not GDPR compliant.
Failing to comply with GDPR can lead to a fine of up to €20 million or 4% of global annual turnover. The amount of the fine is determined by the degree of the infringement. If there are multiple infringements against GDPR, the maximum fine is levied. Otherwise, a smaller but still substantial fine may be charged. Lower level infringements can be charged up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.
Who wants to risk that?
While it may feel overwhelming at first, complying is a matter of following the steps outlined in this article. First perform a thorough review of the personal data you collect along with how and for how long you store it. Then create a project plan for deploying processes and procedures to comply with the regulations set out by GDPR.
Many marketers will need to make substantial changes, but going forward, no B2B digital marketing strategy is complete without a GDPR compliance plan.
Contact us at KeyScouts today for assistance with developing a compliant B2B online marketing strategy for your business.