March 22, 2018
May 25th is the day that many marketers have been dreading…it’s the day the EU General Data Protection Regulation (GDPR) goes into effect. This broad-reaching change to existing privacy regulations is a very big deal. However, understanding the ins and outs of what this means for your organization doesn’t have to be daunting.
In this series of posts explaining GDPR, we will examine areas of the regulation that marketers need to pay attention to. Compliance with GDPR is not going to happen overnight. The key to compliance is understanding the aspects of the legislation that require changes in processes across the organization and, specifically, in marketing.
Overview: The basic principles of GDPR were developed to ensure protection of the privacy and data of EU citizens. The significance of this legislation is broad-reaching and impacts all areas of an organization from customer support to sales and marketing and everything in between.
One major catalyst for GDPR compliance? The penalties associated with non-compliance under GDPR are staggering.
A breach can cost as much as €20 million or 4 percent of annual revenue, whichever is higher.
Now that you are paying attention, for this first post we will focus on two main areas of GDPR: Scope and Consent.
Scope: Clearly, as European Union (EU) legislation, this applies to EU residents. It also applies to the protection of data of any EU resident that may be processed or stored outside of the EU. What does that mean for marketers?
It means that we need to understand the full digital footprint of customer and prospect data. This means documenting where and how every piece of personal data is stored in our organizations, and identifying how it is being used. Even if you are a marketer in the US, sending out a webinar invite to your database, you may be violating GDPR if you don’t have the GDPR-required explicit consent from the individual you are emailing in Italy.
Where to start? A data audit. As marketers often have many disparate platforms in our martech stack, especially in large retail or enterprise organizations, data can be stored in any number of silos. This means marketers and their organizations need to identify where all customer data resides across platforms (CRM, marketing automation, internal and external databases).
Include any third-party solutions as well, because you are responsible for compliance of that data too.
Start identifying data storage locations today to understand your vulnerabilities. Document where data lives, how it is stored and whether consent for data usage has been given. There will be gaps in consent, as the definition of consent has changed with GDPR. But don’t panic yet. Start with the audit.
Consent: The definition of consent per the GDPR is “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
What is not consent under GDPR? Making someone uncheck a box to opt-out or assuming consent without explicitly asking for it. Marketers no longer “own” customer data. In fact, we never did, but we acted and marketed like we did. GDPR empowers the individual to own and protect their data. Additionally, part of consent is being able to see what data an organization has on an individual and being able to produce that for review, edit or even erasure. More on that in the next post, part two.
“Brands should be acting now to ‘repermission’ their lists,” according to a recent article in Forbes.
To freely give consent, individuals must know exactly what their data will be used for, referred to as specific consent. An individual giving consent to be on a mailer doesn’t mean they give permission to be contacted via phone.
Transparency is an important part of GDPR, as individuals want to and have a right to know what their data will be used for and why. If you are clear about your use of data (better customer experience, educational materials, marketing materials, or otherwise), state explicitly what you intend to do with the data.
The upside to GDPR? Marketers and sales only want individuals interested in our solutions and communications to receive them anyway. The idea of mass marketing, or non-personalized marketing, has been over for at least a decade, and GDPR may just help marketers and their organizations better connect and engage with their buyers.
Preparing for GDPR by establishing best practices around data privacy and protection will highlight some of the mistakes that marketers have been making for years. And it will most likely lead to smaller databases. That doesn’t have to be a negative consequence.
GDPR compliance will not happen overnight. But the pathway to compliance might give marketers the opportunity to develop new processes and implement better personalized experiences that will drive higher engagement. And let’s not forget about that €20 million fine.
Watch for part two of the GDPR series.