The General Data Protection Regulation (GDPR) is new legislation that goes into effect on May 25, 2018 and will change how companies gather, store and use consumer data. Though it’s a European law, it affects any marketer that gathers data on a global basis.
For example, if you or your clients have even one “data set” (that’s GDPR-speak for “contact”) who’s European, the GDPR rules apply to you for that individual—so keep reading.
The GDPR is positioned to tip the data scales in favor of consumers for the first time in recent history, and it could significantly alter your marketing strategy in the process. If you’re one of the 94% of marketers who aren’t GDPR-ready, it’s time to listen up.
Those who disregard this legislation could be hit with fines that would make your head spin—plus, it’s just not cool to be sneaky with other people’s data. We know you’re better than that.
Below, we’ve provided a roundup of the best information, tools and tips for preparing your marketing strategy to become GDPR-compliant.
But first, a disclaimer: This blog post is not a comprehensive guide to the GDPR legislation and should not be treated as legal advice or legal recommendation. If you have questions about the GDPR as it pertains to your specific circumstances, consult an attorney.
Alright, let’s get into it.
What is the GDPR, Anyway?
The GDPR is a European privacy law that protects consumers from unfair, unclear and unethical uses of their data. You may have noticed updates in your automation software or data collection tools like the one below from Google Analytics:
An email from Google Analytics to all users.
These aren’t your average skim-and-delete email notifications. The GDPR will change how we, as marketers, use data. Historically, companies haven’t been required to disclose information like the following:
- What kinds of data they store about consumers.
- What they’re using consumer data for.
- Why they ask for (or require) the data they do.
Starting May 25, the rules about data will heavily favor the consumer. The law is specific to individuals who reside in the European Union (EU) and European Economic Community (EEC), but companies all over should be aware. If you have even one person on your contact list from the EU or EEC, your forms, privacy policy and email tactics will likely have to change to avoid breaking the rules for that contact.
Keep in mind, the GDPR was penned by lawyers and lawmakers—so don’t expect a light read if you intend to dive into the specifics of this regulation. But we’ve listed a few main pieces of the law below.
1. Gaining Data
In other words, how you got the consumer’s data in the first place. You can’t assume someone wants to be contacted, even if they fill out a form with their email address. The consumer must consent to be communicated with, which under the GDPR means “freely given, specific, informed and unambiguous” permission.
What does this mean in practice? Well, it will be against the rules to use pre-checked boxes on forms, for one. Remember, consumers must intentionally opt in as opposed to opting out.
On this note, we should mention that consumers need to know what they’re opting in for. A six-point-font link to an unclear, 3,000-word privacy policy won’t cut it. Companies will have to be prepared to tell consumers what data they’re gathering and what they plan to do with it, all in plain English.
2. Storing Data
It may go without saying that any data marketers collect has to be protected—really protected. If your company stores “personally identifiable data,” including metadata like IP addresses and browser cookies to create profiles of consumers, consumers will now have new rights with regard to how you can use that data. And it’s up to companies to make this data easily accessible to the consumer, so they can see exactly what information is known.
Furthermore, if a company has a data breach, the rules of reporting it will become stricter under the GDPR. In the future, a company must report a data breach to a supervisory authority within 72 hours of learning of the breach, or risk a hefty fine.
3. Deleting Data
The right to be forgotten is a newer concept under the GDPR, and gives consumers the power to request that outdated or inaccurate information about them be removed. In this case, neither the company that obtained the information in the first place, nor any third-party organizations, may access the information once it’s deleted.
Also, just because someone opts out of your marketing communications then changes their mind doesn’t mean you can resurface old data about them. According to a recent HubSpot webinar, if a user unsubscribes—at which point you must remove or completely anonymize their data—and then resubscribes later on, they must be treated as a brand new contact.
How to Prepare Your Marketing Strategy for the GDPR
Don’t get overwhelmed. We know it’s a lot of information, but preparing your marketing strategy to be GDPR-compliant is possible. In the next section, we offer a list of great resources, some of which include checklists of their own—but here are a few action items to get you started:
- First, get budget and buy-in. It will take some manpower to get your marketing efforts up to the GDPR standards. Present a well-researched plan to get C-suite buy-in and the necessary budget to become compliant.
- Scrub your mailing lists. Remove anyone for whom you don’t have a record of their opt-in. If you’ve purchased mailing lists in the past (again, you’re better than that!) it’s time to forget those folks ever existed. From now on, it’s all about gaining consent.
- Double check your forms. Remember, no automatically-checked boxes! Get those forms GDPR-ready. Don’t forget about pop-ups, too—not just your gated landing pages.
- Update your privacy policy. Look into GDPR-compliant privacy terms, and implement them in your company. Then, make sure consumers can easily access and understand them.
- Get the sales team on board. And other departments, for that matter. Basically, if anyone in your company interacts with customers online, they should be well aware of the GDPR regulations.
(Lots) More GDPR Resources
As the title suggests, this post is by no means a comprehensive guide to getting GDPR-ready. However, a number of other marketing experts across the web are ready to arm you with more information. Here are some of our favorite resources:
General GDPR Information
- European Commission. Go straight to the source!
- HubSpot. They have everything from a product-readiness guide to a glossary of GDPR terms. Even if you aren’t a HubSpot user, the resources are valuable.
- Wired. Nitasha Tiku (@nitashatiku) covers general GDPR information and how some companies are preparing.
- Strategic. Fes Askari (@FesAskari_SIC) gives a solid run-down of the GDPR for digital marketers.
- Smart Insights. An overview, including proprietary data, plus many other related articles.
- SuperOffice. The “definitive guide” to GDPR and marketing, provided by Steven MacDonald (@StevenMacd0nald).
GDPR Specifics
- ComputerWeekly.com. Chris Evans (@chrismevans) talks all things data storage in this article.
- Econsultancy. What is “privacy by design?” Ben Davis (@herrhuld) has answers.
- Mailjet. Specific to email marketing, learn the rules and recommendations to get ready for the GDPR.
- GDPR EU.org. What happens if you break the rules? Learn about the fines and repercussions.
GDPR in Practice
- Digiday. Ross Benes (@RossBenes) provides a roundup of how some ad companies tried (and in some cases, failed) to become GDPR-compliant.
- DMA. A lengthy checklist to help your organization get up to speed.
- GDPR Checklist. Pretty self-explanatory.
- IT Governance. A solid checklist with additional helpful links.
Stay Updated on Marketing Best Practices
As marketers, we can’t let important changes like the GDPR regulations go unnoticed. Subscribe to the PR 20/20 blog to get other real-time marketing updates straight to your inbox!
Image credit: Pexels