The B2B Marketer’s Guide to GDPR Compliance
The GDPR will impact B2B marketing in a number of ways. We’ve taken steps to protect our clients and subscribers, so we can continue to deliver marketing success. This guide will cover:
- The purpose behind the GDPR
- How it impacts marketing
- Gathering consent for data processing
- Considering legitimate interest for B2B communications
- How to stay compliant when working with partners
- How to benefit from the changes in legislation
As of 25th May 2018, the General Data Protection Regulation – or the GDPR – is in effect. With potential fines of 4% of turnover or €20m, ensuring compliance is obviously critical.
This Europe-wide raft of legislation fundamentally alters how marketing operates, but there are opportunities for marketers with the creativity to spot them.
What’s the purpose of the GDPR?
The GDPR regulates how data about people is collected, stored, and used. The UK’s Data Protection Act (1998) and the EU’s Data Protection Directive were set out for the same purpose. But in the 20 years since these were drafted, the way we live and work has changed so significantly that the Act is no longer considered effective.
One factor is the rate at which we create and store data. According to Forbes, we created more data between 2014 and 2016 than in the entire previous history of the human race. By the year 2020, it is estimated that 1.7 megabytes of data will be created every second for each human being on the planet.
The GDPR evolves and updates previous data regulations. It adds requirements for documentation, risk assessments and procedures to notify data subjects and authorities in the event of a breach. GDPR also introduces “Privacy By Design” – an approach that builds data protection in from the start rather than treating it as an afterthought.
GDPR: How are we compliant?
At Inbox Insight, “Privacy By Design” means we’ve undertaken a process of reviewing our software, processes, and documents to build the GDPR naturally into our business.
It’s meant risk-assessing our activities and ensuring watertight procedures for handling data in the company. This has helped improve confidence across the company as we’ve been training our team.
The most critical aspects of GDPR for marketers
So what do these changes mean for those who handle data on a daily basis, like marketers?
When you think about personal data and data protection, email addresses are probably top of the list. But “personal data” is broader than that. It can be “any information related to a natural person… that can be used to directly or indirectly identify the person”. That can include their real names or online names, location data, phone number, postal address, IP addresses, and so much more. In short, everything you know about your customers, or how you track your prospects for digital marketing purposes.
Data subjects have the right to access their information, to know what you store and where, to correct or delete that information, and to be notified if there is a breach. You must also notify them of how their data will be used, which likely means updating privacy policies, updating data collection systems such as online forms, and assessing existing databases.
In order to make that possible, data handling procedures will have to be robust and detailed. This means marketing teams will have to be aligned with any other departments handling data, such as HR and customer service. Data security is a key element of the GDPR, so marketers will find themselves working with IT teams more closely than ever before as any new resources or tools must be vetted for weaknesses.
In the majority of cases, explicit permission is needed from the individual for their information to be stored and used. The ICO makes it clear with a series of bullet points, including ruling out default consent, blanket agreements and vague wording. “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
The opt-in email subscription is one of the most well-known forms of explicit permission: a user subscribes to a newsletter or responds to a marketing message, and then clicks to confirm their consent to be contacted in the future.
Many companies have been using an opt-in for some time in preparation, and some email marketing platforms have already made it mandatory.
Consent: How are we compliant?
As a business, we’ve taken specific legal advice regarding our disclaimers to ensure that we’re fully GDPR compliant.
This means that our landing pages’ opt-in messaging is clear, specific, and requires a positive action on behalf of the individual.
Legitimate interest in B2B marketing
For B2B marketers, some flexibility is given in the clause of “legitimate interest”. According to the ICO guidelines, an individual’s data can be processed and used “in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
The Direct Marketing Association suggests this is enough for you to also send them marketing messages, as long as it’s easy for them to opt-out, and the content is about products and services that you believe will be of interest to them. Legitimate interest therefore requires intelligent targeting and understanding of the customer to ensure that your communications are highly relevant.
The ICO suggests there are three elements to the legitimate interest basis of processing data. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
If you use this as a reason to contact someone, you assume additional responsibility for their rights and interests. You must keep a record of why you think your message would be relevant to them, and be prepared to justify it if challenged.
Who works with your data?
GDPR will also mean re-evaluating how you deal with suppliers, particularly those who handle data on your behalf or have access to any of the data.
Third parties like email marketing platforms and CRMs are “data processors”: they handle a company’s data on its behalf. Both you and the platform are responsible for the data. A Data Protection Agreement – or DPA – sets out the responsibilities of both parties to ensure that data processing standards are adhered to. Most platforms will be able to provide a template if you do not have one.
When it comes to cloud-based services, data may be stored anywhere in the world and may even be stored in several countries. “Privacy Shield” is a framework designed by the US and EU to help companies comply with data protection regulations on both sides of the Atlantic. Joining the Privacy Shield is voluntary, but once a company has enrolled, the commitment is enforceable by law. You can use the Privacy Shield website to check which companies have signed up.
Major companies like Facebook, Salesforce and Dropbox are certified, but for smaller organisations it is best to check. Bear in mind that increasing numbers of programs are cloud-based, so as well as cloud storage, file transfer services and CRMs, this could well include day-to-day programs like spreadsheets and text documents.
Data Processors: How are we compliant?
We’ve signed up to Privacy Shield and recommend the framework to our clients.
We deliver campaigns through our in-house content marketing platform. When we work with data processors, we audit them and have them sign Data Protection Agreements.
An opportunity to get ahead of the competition
When it comes to data handling and building mailing lists, the GDPR certainly presents some challenges. But there are also opportunities to differentiate yourself and your company.
It doesn’t take long for data to become cloudy and poor quality, and few companies spend enough time on database maintenance. Poor quality data reduces ROI and makes it difficult to gain meaningful insights from campaigns. 92% of marketers may see better management of their data as a priority, but only 8% have achieved it effectively so far. The GDPR forces marketers to review their data, but those who go the extra mile will be able to use this as a jump-start toward data-driven, truly personalised communications.
Requiring mailing lists to re-subscribe will inevitably reduce their size, but it will increase their quality. Those that have opted to remain clearly want to be there and as long as your messages stay on-point, you can build trust and loyalty.
Users will have greater transparency and control over their data, leading to less noise and greater engagement with the brands and topics they are interested in. Outperforming the competition will come from better targeting and messaging.
In recent years, many companies have settled into automated, mass-market, poorly targeted communications. In the future, success will come from developing much closer relationships with customers: getting to know their pain points and producing creative, relevant content. For marketers with imagination, the GDPR presents an opportunity to differentiate themselves from the crowd and win customers from rival brands.
Ultimately, you’re not alone.
Amplifying your content through compliant channels gives you the chance to deliver content to the right prospects with less risk than mass marketing yourself.
Serving relevant audiences by providing them with the latest insights gives you the perfect opportunity to opt the right professionals into your future marketing efforts.