Any company that collects any online data from any citizen of the European Union (E.U.) is impacted by the new General Data Protection Regulation (GDPR) law that will go into effect May 25, 2018.
GDPR is to date the most comprehensive privacy law ever enacted, and it’s dramatically changing how companies collect, use, transmit and store data on E.U. citizens.
If you’re an inbound marketer located in the E.U., you already know about GDPR. But what if you’re not an E.U. business? Do you still need to worry about GDPR compliance?
Let’s look closer at the intent of the regulation, the risks of not complying, and whether your inbound marketing needs to be GDPR compliant.
GDPR supplements the E.U.’s 1995 Data Protection Directive by addressing a major gap in that directive: how companies handle the personal data of citizens of the 27 E.U. member states.
Specifically, GDPR gives E.U. citizens the right to access, change, remove, and restrict the way companies collect and process their personal data.
Whereas the 1995 directive applied only to companies within the E.U., the GDPR law applies to any company that uses the data of any E.U. citizen.
If you market to or even just monitor the behavior of E.U. citizens, GDPR applies to you.
This isn’t necessarily alarming. Inbound marketers typically collect extensive amounts of personal data, but good inbound marketers are very careful about giving individuals access to things like opt-out mechanisms and subscription preference centers, which give individuals a certain amount of control over their data.
What’s notable about GDPR is that it requires companies to obtain explicit consent from an individual before collecting or using any personal data.
What Is Explicit Consent?
Per the GDPR, companies must ask for consent with “clear and plain” legal language. The individual must provide consent with a “statement or a clear affirmative action” that is “freely given, specific, informed, and unambiguous.” This means the individual must understand you are collecting their personal data, must specifically agree to this, and must understand they can withdraw their consent at any time.
Why is explicit consent important?
It’s important because inbound marketers often rely on “implied” consent to collect and use information – which is not the same thing.
To be GDPR compliant, you may need to change how you manage the forms on your landing pages and how you grow and use your contact database:
As part of obtaining the explicit consent, you must make it clear who’s collecting the data (e.g., if it’s just your company or if an outside partner or third-party vendor is involved), why the data is being collected, how you will protect that data, and how long you will keep it.
You must also offer the individual a way to access their personal data, and the individual must be able to easily change their subscription preferences and delete their personal data at any time. This isn’t new, but the penalties for noncompliance are: Sanctions can reach €20 million (nearly $25 million USD) or 4% of annual revenue, whichever is greater.
There’s no grace period for becoming compliant with the GDPR law. If GDPR applies to your company, start taking steps now to update your data strategy.
There are a range of GDPR best practices you should consider, including:
You may also find this GDPR Compliance Checklist from HubSpot helpful in understanding what you need to do, so you can organize your strategy.
Remember: GDPR affects every company that collects or processes the data of any E.U. citizen, regardless of where the citizen is located or where the company is based, what industry they’re in, or how big they are.
But also remember: Every business is unique, and how GDPR impacts your business may be different from the advice provided here. Please consult with a lawyer to understand precisely how GDPR affects your business and what your specific responsibilities are.
In the end, GDPR compliance comes down to honesty and transparency – which are also the bedrock of good inbound marketing. When you’re clear and upfront, you’ll not only be a better marketer, you’ll also find compliance with GDPR becomes simpler.
Ready to take a closer look at how well you’re implementing inbound marketing today? Clariant Creative can provide a free, no-obligation audit that covers the most important aspects of inbound marketing, so you can see what you’re doing well – and what you could be doing better!