The GDPR: What It Is + What Digital Marketers Need to Know
- by Alyson Shane
Disclaimer: this blog post is intended to provide background information about how marketers can comply with EU data privacy laws like GDPR, not as legal advice. We're not lawyers, and if you have specific questions about GDPR we recommend that you contact your attorney for accurate info. What follows is basic information and guidelines.
If you've been anywhere near a computer in the past few weeks, it's likely that you've heard about GDPR, or the General Data Privacy Regulation, coming into force on May 25, 2018 - but do you know what this means for you as a digital marketer?
HubSpot's research concluded that only 36% of marketers have heard about GDPR, and 15% of companies surveyed haven't taken actions to ensure that they comply with the new legislation, so we want to take this opportunity to explain some of the basics about GDPR, how it applies to your business, and what you can do to ensure you comply.
Let's dive right in:
Let's start by addressing two important points:
- If you handle or control the data for EU citizens (or their businesses) then GDPR will apply to you.
- Penalties for noncompliance will be severe. Depending on the type of violation companies may be fined up to €20 million or 4% of their annual global revenue - whichever is greater. So this new legislation comes with some sharp teeth.
This means that if you (or your company) have engaged in any shady marketing practices like cold emailing, spamming, or buying email lists, then you're in for a world of hurt. And honestly? We're okay with pushback on these tactics because they're outdated, shady, and damage the work digital marketers like us do to provide real value for our clients and their customers.
We'll just say this at the outset: there's a lot to keep track of when it comes to GDPR, so we're going to apply it to inbound marketing tactics and explore how to adapt to the new regulations and incorporate the changes into your inbound practice:
How Will the GDPR Impact Your Marketing Activities?
Essentially the GDPR came about in the wake of the Facebook-Cambridge Analytica scandal and the increased public attention on the fact that it can be really hard to know who is collecting and using your data.
This change requires organizations that collect data ('Data Controllers') to be transparent about how the data provided by the user ('Data Subjects') will be used in the future, and to give the user the chance to consent. The language in the GDPR dictates that consent needs to be clear, written in plain English, and must be "informed, specific, unambiguous, and revocable."
Lots of organizations use gated content to build their email lists and generate leads for their business. This is usually a pretty simple exchange: the user provides some basic information, like their name, email, and sometimes their business name, and in return they get access to an ebook, whitepaper, or other type of valuable content.
Now that the GDPR has come into play, businesses need to provide additional information about how they're planning to use that data - whether it's to follow up via email, track that user's activity on their website, etc., it all needs to be communicated clearly from the get-go.
Additionally, if the business wants to use that data for any other purpose they need to follow up and acquire consent from the user before they can legally use it again.
Data Collection + Sharing Restrictions
In addition to clearly communicating how a user's data will be used, new GDPR rules dictate that businesses can only collect data that is:
- Necessary for the purpose of collection
This means any data collected that's deemed "unnecessary" or "in excess" will constitute a breach of the GDPR, and your business will be fined.
Additionally, if your business attempts to use data for reasons other than the specified, legal, and previously agreed-upon purposes, then you'll need to acquire additional consent from the user in order to do so.
Collecting data in exchange for gated content is commonplace - we already know that - but new GDPR rules are much more specific about the kind of data that you can request from a user in exchange for your gated content.
For example, if your company offers an ebook about developing C-suite leadership and team management skills, then it's appropriate to ask for data such as:
- The user's name
- Their email
- Business name
- Number of employees in the business
However, if you tried to collect data about the user's personal life such as their relationship status, employment history, and salary, then it would be seen as excessive and not required by a company offering B2B resources. Additionally, your business can only use stored data for its original, intended purposes - so additional consent from the user is required in this instance, as well.
Increased Data Security
Once data has been collected the GDPR dictates that businesses need to use "appropriate technical and organizational security measures" to protect against the accidental loss, disclosure, destruction, alteration, and access to that data.
Once a business has data stored in their system it becomes their responsibility to ensure that it is safe and secure. The type of steps they may need to take to encrypt the data and keep it secure depends on the type of data collected and how they're planning to use that data.
Keeping Data Accurate
This one's a little non-newsy, but the GDPR now makes it officially acceptable for people to contact businesses in possession of their data so that it can be updated to be as relevant as possible.
For example: you're subscribed to a newsletter that you really enjoy reading, but you've switched to a new email service provider and want to contact the sender to let them know where they can reach you at your new email address.
(Like we said: this one's a little non-newsy since lots of folks already do this, but it's GDPR official now.)
Every business is accountable for how the data they collect is used, must ensure that they have records of consent for all the collected information, and must have policies in place that meet the GDPR's restrictions on how that data can be used.
Let's say your business wants to run a marketing campaign using data you've previously collected (like a Facebook Custom Audience) and have contracted to a third party company to handle the advertising aspect of your campaign.
With GDPR in effect, your business will need to obtain consent from all users to use their data before using it (like we talked about above), and that consent needs to be clearly recorded, and any third-party contractors need to comply with Article 28 of the GDPR, which applies to Processor contracts.
Updates to Data Retention + Deletion
Under the GDPR, organizations can keep the data they collect for as long as it's needed to fulfill the original purpose of collection, which means that a data retention policy needs to already be in place which clearly outlines how long they'll hold onto the data once it has been received.
Most companies already have data retention policies in place, but we recommend double-checking local laws and regulations, as well as GDPR rules, and ensuring that your data retention policy is transparent and clearly communicated to the user.
For example: you're a customer and you close your account with an organization because you no longer want or require their services. At this point the business will need to have a data retention policy in place (and comply with it) that meets GDPR standards if they want to retain any of the data left behind when the account closes.
(On this note, you may have heard that Facebook has recently rolled out a Clear History function which not only acts as a "clear cookies" option for Facebook data, but also allows users to see which apps and services have accessed their Facebook data. You can read Mark Zuckerberg's post here, and a great in-depth discussion on the HackerNews forum about it here.)
Final Thoughts on the GDPR
While the GDPR may sound like an inconvenience from a business and marketing standpoint, legislation that protects user data and increases transparency between the people who share data and the companies that use it helps keep everyone's data safe and used respectfully.
Here at Starling Social we don't believe that sharing data, or asking for it, is a bad thing. Collecting data in aggregate helps us deliver better content and ads that grow businesses, solve problems for our clients' customers, and provide revenue that helps keep people employed, but it's important that organizations are transparent and up-front with the data they want, and how they intend to use it.
At the end of the day, the GDPR offers an important opportunity for organizations and marketers alike to rethink how we approach collecting and using data, and how we can use it to create more personalized, effective, and efficient content that serves our customers.
Want more info on GDPR and what it means for marketers? Check out some of the resources we used when putting this article together:
- Implications of the GDPR for marketing in UK and Europe via Smart Insights
- Is Your Company GDPR Ready? via Smart Insights
- The Role of Marketing in GDPR via Forbes
- How GDPR Impacts Marketers via Social Media Examiner
- European Union GDPR Information Portal