Any company that collects any online data from any citizen of the European Union (E.U.) is impacted by the new General Data Protection Regulation (GDPR) law that will go into effect May 25, 2018.
GDPR is to date the most comprehensive privacy law ever enacted, and it’s dramatically changing how companies collect, use, transmit and store data on E.U. citizens.
If you’re an inbound marketer located in the E.U., you already know about GDPR. But what if you’re not an E.U. business? Do you still need to worry about GDPR compliance?
Let’s look closer at the intent of the regulation, the risks of not complying, and whether your inbound marketing needs to be GDPR compliant.
What Is GDPR and Does It Apply to You?
GDPR supplements the E.U.'s 1995 Data Protection Directive by addressing a major gap in that directive: how companies handle the personal data of citizens of the 27 E.U. member states.
Specifically, GDPR gives E.U. citizens the right to access, change, remove, and restrict the way companies collect and process their personal data.
GDPR broadly defines “personal data” as any information that can be linked to an individual. This ranges from directly identifying information (e.g., names, physical addresses, Social Security numbers, etc.) to data that is connected to an individual but doesn’t specifically identify that individual (e.g., IP addresses, behavioral data, ethnic origin, etc.).
Whereas the 1995 directive applied only to companies within the E.U., the GDPR law applies to any company that uses the data of any E.U. citizen.
If you market to or even just monitor the behavior of E.U. citizens, GDPR applies to you.
This isn’t necessarily alarming. Inbound marketers typically collect extensive amounts of personal data, but good inbound marketers are very careful about giving individuals access to things like opt-out mechanisms and subscription preference centers, which gives individuals a certain amount of control over their data.
What Makes GDPR Different for Inbound Marketers?
What’s notable about GDPR is that it requires companies to obtain explicit consent from an individual before collecting or using any personal data.
What Is Explicit Consent?
Per the GDPR, companies must ask for consent with “clear and plain” legal language. The individual must provide consent with a “statement or a clear affirmative action” that is “freely given, specific, informed, and unambiguous.” This means the individual must understand you are collecting their personal data, must specifically agree to this, and must understand they can withdraw their consent at any time.
Why is explicit consent important?
It’s important because inbound marketers often rely on “implied” consent to collect and use information – which is not the same thing.
To be GDPR compliant, you may need to change how you manage the forms on your landing pages and how you grow and use your contact database:
- You can no longer infer an individual’s consent because they gave you their business card at a trade show or they filled out a form on your website and clicked “Submit.”
- You can no longer include a pre-checked “Subscribe now!” button on your forms and let that stand in for consent.
- You can no longer assume that just because the individual hasn’t opted out of your emails, it’s okay to keep on emailing that person.
As part of obtaining the explicit consent, you must make it clear who’s collecting the data (e.g., if it’s just your company or if an outside partner or third-party vendor is involved), why the data is being collected, how you will protect that data, and how long you will keep it.
You must also offer the individual a way to access their personal data, and the individual must be able to easily change their subscription preferences and delete their personal data at any time. This isn’t new, but the penalties for noncompliance are: Sanctions can reach €20 million (nearly $25 million USD) or 4% of annual revenue, whichever is greater.
What GDPR Best Practices Should You Implement?
There’s no grace period for becoming compliant with the GDPR law. If GDPR applies to your company, start taking steps now to update your data strategy.
There are a range of GDPR best practices you should consider, including:
- Review how you obtain consent currently and make sure you’re recording that consent (including what was consented to, how, and when) in your database, so you’re prepared if you’re ever audited.
- If you do not have explicit consent from the contacts currently in your database, launch a permission pass campaign to obtain that consent.
- If you aren’t going to use a piece of information (e.g., employer, phone number), don’t ask for it.
- Consider adding a link to your subscription preference center directly in your website footer, so individuals can easily unsubscribe, view your privacy policies, and understand your terms and conditions.
- Establish procedures to respond to any requests from individuals for access to their personal data within the mandatory one-month response timeframe.
- Establish procedures for individuals to withdraw their consent.
- If you rely on any third-party vendors or tools to collect personal data, verify they are GDPR-compliant. The E.U. will hold you accountable for this, in addition to the vendor.
- Validate that any personal data you or third parties collect is secure against external threats.
- Establish procedures for notifying individuals in the event of a data breach. GDPR requires that individuals be notified within 72 hours of a breach.
You may also find this GDPR Compliance Checklist from HubSpot helpful in understanding what you need to do, so you can organize your strategy.
Remember: GDPR affects every company that collects or processes the data of any E.U. citizen, regardless of where the citizen is located or where the company is based, what industry they’re in, or how big they are.
But also remember: Every business is unique, and how GDPR impacts your business may be different from the advice provided here. Please consult with a lawyer to understand precisely how GDPR affects your business and what your specific responsibilities are.
In the end, GDPR compliance comes down to honesty and transparency – which are also the bedrock of good inbound marketing. When you’re clear and upfront, you’ll not only be a better marketer, you’ll also find compliance with GDPR becomes simpler.
Ready to take a closer look at how well you’re implementing inbound marketing today? Clariant Creative can provide a free, no-obligation audit that covers the most important aspects of inbound marketing, so you can see what you’re doing well – and what you could be doing better!