Data is the lifeblood of B2B marketing, so when a new law shows up that affects the collection and storage of data, B2B marketers must take notice.
GDPR is such a law, and B2B marketers everywhere are wondering how it will affect them and what they have to do to comply, or if they have to comply at all.
Here’s what you need to know:
GDPR stands for General Data Protection Regulation, which is legislation enacted by the European Union (EU) to protect the privacy of its citizens. It becomes active and enforceable on May 25, 2018, and businesses that don’t comply with it face crippling fines.
The new law doesn’t just apply to companies that are based in the EU, it applies to any company, regardless of location, that offers goods or services, paid or free, to individuals in the EU.
If you monitor the behavior of individuals in the EU, such as for marketing purposes, you must also comply. Even if you’re not handling EU clients yet, but are considering entering a new market in the EU, you need to know about GDPR.
GDPR lays out rules for the allowable collection, use, and storage of personal data. Personal data is defined as any data that can be used to identify a person directly or indirectly. It includes things such as name, photo, email address, and computer IP address — the kinds of details B2B marketers routinely collect.
The GDPR law:
GDPR doesn’t apply to business data. So things like business name, address, and the generic company email address are in the clear. However, personal business email addresses, like gladys.friday@business.com, fall under GDPR because they identify an individual.
It’s a lot to take in, and complying requires buy-in at every level, from executives to the IT team and marketing staff.
For B2B marketers, the key aspects of GDPR center around consent and transparency. You must have documented consent for collecting and using personal data, and you must be transparent about how you’re using it. If someone asks you to give them a copy of their data or delete it from your system, you must have a policy in place to comply without undue delay and within 1 calendar month.
To help you get a handle on compliance, follow the steps in this checklist that targets the key areas where B2B marketers are likely to be impacted.
This includes information collected online through forms and cookies, as well as offline.
Did you have consent to collect it, and were you clear about the things it would be used for? Are you holding it for the minimum time necessary and keeping it in a secure manner?
For example, are you using encryption or pseudonymization and ensuring that only people who have a legitimate purpose can access the data?
This includes information you get via website browser cookies. To comply, the individual must specifically consent. For cookies, a pop-up on the user’s first visit allowing them to accept or decline is a good route.
If the users don’t click accept, you can’t place cookies. Without cookies, the site should still be accessible, though obviously personalization will be lost.
Here’s an example from the CookieScript website, which helps webmasters create these pop-ups:
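The accept-or-decline rule described above, as an added example (not CookieScript’s code and not part of the original article): every cookie the site may set is registered with a category, only essential cookies are placed before the visitor answers, and a later decline purges anything set under an earlier consent. The cookie jar is abstracted so the same logic runs against document.cookie in a browser or, as here, against an in-memory store; the cookie names are assumed for illustration.

```javascript
// Consent-gated cookie placement (added example, not CookieScript's code).
// Each cookie the site may set is registered up front with its category;
// an unregistered cookie is refused so nothing slips in untracked.
const REGISTRY = {
  session_id: 'essential',   // needed for the site to work; allowed without consent
  cookie_consent: 'essential', // the consent record itself
  analytics_id: 'analytics', // assumed name for an analytics cookie
  ad_id: 'marketing',        // assumed name for an ad-tracking cookie
};
const NO_CONSENT = { essential: true, analytics: false, marketing: false };

// Minimal cookie jar used for the demo; a browser adapter would wrap document.cookie.
function makeMemoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// The recorded consent, or "nothing granted" while the visitor has not answered:
// silence or an unreadable record never counts as acceptance.
function readConsent(jar) {
  const raw = jar.get('cookie_consent');
  if (!raw) return NO_CONSENT;
  try { return { ...NO_CONSENT, ...JSON.parse(raw) }; } catch (e) { return NO_CONSENT; }
}

// Store the visitor's choice and drop any non-essential cookie no longer covered.
function recordConsent(jar, choices) {
  const granted = { analytics: !!choices.analytics, marketing: !!choices.marketing };
  jar.set('cookie_consent', JSON.stringify(granted));
  for (const name of jar.names()) {
    const cat = REGISTRY[name];
    if (cat && cat !== 'essential' && !granted[cat]) jar.remove(name);
  }
  return granted;
}

// Returns true only if the cookie was actually placed.
function setCookie(jar, name, value) {
  const cat = REGISTRY[name];
  if (!cat) return false;                 // unregistered: refuse
  if (!readConsent(jar)[cat]) return false; // no Accept for this category yet
  jar.set(name, value);
  return true;
}
```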
Forms, whether online or off, are a tempting place to gather as much information as possible. Under GDPR, that’s a no-no.
Ensure forms you use in your lead generation strategy collect only the necessary data for processing.
You must have an acceptable, lawful basis for collecting this data.
Be transparent. You must convey, specifically, what personal data you collect and its intended uses. Include cookie usage and information about if and when personal data might be shared with other parties.
Keeping everything forever, while attractive, is not an acceptable policy. Don’t keep data for longer than absolutely required to serve data processing needs.
While the GDPR does not set any maximum time for storing data, it states that data should not be kept for longer than is necessary to accomplish the purpose for which it was obtained.
It is good practice to establish standard retention periods for data you collect and conduct regular audits to ensure you are not retaining data longer than necessary.
As mentioned above, GDPR includes a “right to be forgotten” provision. If someone asks you to remove their data, you must do so, though there are a few exceptions. Individuals must also be able to submit corrections to their data, so you should have a system in place to do this quickly and easily.
This means that only people who need the data should be able to access it. It also means you are storing the data in a secure fashion, by employing techniques such as encryption or pseudonymization.
There are vendors popping up to meet this need. Companies that offer these services (among others) include:
GDPR includes a provision that requires you to report data breaches to affected parties within 72 hours of becoming aware of the breach.
If you perform large-scale monitoring of data subjects or meet certain other specifications, you’ll need to assign someone to serve as Data Protection Officer (DPO) to make sure that your organization complies with privacy-related legislation.
The DPO has the following responsibilities:
GDPR requires that you be able to provide evidence that you comply with the regulation. Record the procedures you’ll use for each of the above steps as evidence.
Your existing mailing lists may be a sticking point. Under GDPR, individuals must have given consent to be on the list. Double opt-in achieves this, so if you’ve been using that, you’re in the clear. However, if you purchased names to add to your list or signed people up without obtaining consent first, those records are probably not GDPR compliant.
Failing to comply with GDPR can lead to a fine of up to €20 million or 4% of global annual turnover. The amount of the fine is determined by the degree of the infringement. If there are multiple infringements against GDPR, the maximum fine is levied. Otherwise, a smaller but still substantial fine may be charged. Lower-level infringements can be charged up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.
Who wants to risk that?
GDPR affects many aspects of marketing activities and is a big shake-up in many ways. You’ve probably noticed a lot more websites requesting consent to use cookies lately, and you keep getting privacy policy update notices. These are due to businesses getting ready for GDPR. There’s even more work going on behind the scenes.
While it may feel overwhelming at first, complying is a matter of following the steps outlined in this article. First perform a thorough review of the personal data you collect along with how and for how long you store it. Then create a project plan for deploying processes and procedures to comply with the regulations set out by GDPR.
Many marketers will need to make substantial changes, but going forward, no B2B digital marketing strategy is complete without a GDPR compliance plan.
Contact us at KeyScouts today for assistance with developing a compliant B2B online marketing strategy for your business.