Tips for Marketers to Prepare for GDPR

Disclaimer: This blog post provides background information to help increase your awareness of the GDPR and improve marketing processes. It is not legal advice. If you or your company has questions around the information in this post and how it specifically applies to your organization, please consult legal counsel.

You’ve probably seen one or more of the dozens of articles floating around about the impending effects of the General Data Protection Regulation (GDPR). If you’re not in the loop, GDPR is a regulation for all European Union (EU) Member States that replaces the EU’s outdated Data Protection Directive. It promises to tighten privacy protections for online users in the EU and requires organizations to be more responsible and transparent with the way they handle data. The regulation covers the information relating to an identifiable or already identified person and becomes enforceable on May 25th, 2018.

Ready to bounce because you’re a US-based business? Not so fast. GDPR protects the personal data of EU citizens, regardless of where your business operates. If you’ve got a customer or target pool that may reside in the EU, you’re required to comply as well. Same goes for leads already sitting in your database that may just so happen to include EU citizens.

The countdown is on. Are you prepared?

HubSpot revealed that less than half of the business leaders and marketers they surveyed are even aware of GDPR, let alone prepared for it. That’s pretty alarming.

So, what’s the big deal?

Given that 2018 is turning into the “year of transparency”, it’s in your best interest as a marketer to embrace these changes, regardless of whether the GDPR immediately applies to you or not. View it as an opportunity to hold yourself to higher standards around permission-based marketing. You owe it to your future customers.

The complete GDPR is fairly complex (it’s over 200 pages), especially when it comes to details around data security and portability. The more technical aspects may require that your organization get assistance from outside GDPR consultants, but that doesn’t mean there aren’t things you can do now to contribute. Your boss and customers will thank you!

Here are four proactive steps marketers can take to help prepare for GDPR changes, and become better marketers in the process!

Be Strict with Your Opt-In Processes

A big portion of GDPR pertains to email communications. No one likes receiving spam. Unfortunately, some companies still purchase lists of names for email marketing programs (cringe). Not only is that bad practice in general, but there are actual laws that have passed that forbid it in places like Canada and soon the EU, too! If someone in your organization suggests the idea, just say no.

Beyond making sure you aren’t a spammer yourself, make sure whatever marketing solution you are using can document key opt-in event details like:

  • The date of a user’s consent
  • How consent was obtained
  • Past consent history
  • The reason for processing the information

If you’re already using a best-of-breed marketing automation solution, details around opt-in events will typically be tracked automatically. If you are more of a DIY’er, make sure you review how you’re securely storing opt-in events so that they can be accessed if required. Website content management systems may come with form collection modules that do not store enough information.

One more thing to do when it comes to the opt-in process is to review all your company’s online forms. Yes, literally all of them. If you have a larger content-heavy website for marketing, it would be wise to audit your entire website in case there are some old ones buried in there. Even if you didn’t build it yourself, it’s your responsibility.

Make sure all forms clearly state exactly what the user is opting into. Also make careful note of whether any forms have boxes for users to opt into other things as well. One common example is signing up to enter a contest and seeing a check box to also sign up for a newsletter. If any box is pre-checked, remove it immediately. Pre-checking a box is not the same as having a user explicitly opt in and do it themselves. That would be a violation under GDPR.

Review Your Opt-Out Procedures

Now is also a good time to review how users can opt out. That should include not only opting out of receiving email communication, but also opting out of being tracked altogether.

You may have marketing tools that honor these requests automatically. If not, you’ll need to make a plan. Opting out should be easily accessible. One example is a company that includes an additional opt-out link within their online privacy policy.

Some questions to ask yourself:

  • How are we handling records that click “unsubscribe”?
  • How are we handling “do not contact” records?
  • In how many systems is personal information stored and shared?
  • How many people in our company need to be aware of these opt-out procedures?

Protect User Data

Do a quick audit of your tools, especially any customer relationship management (CRM) and marketing automation or email tools.

Review the user list in your tools to see if there are any users that need to be deactivated. Common scenarios are active user names for people that have previously left the company, previous contractors, or team members that still work there but no longer need access to that specific tool.

Further, review permission levels for these tools. See who has access to what data and why. If there are possibilities to limit access, make sure to do so. Sometimes during implementation of a new tool, companies can be in a hurry and set everyone as an administrator or a similar role with open privileges, but according to GDPR standards, this would be irresponsible.

Lastly, make sure you are following your organization’s standards for password resets. You may find you’ve never updated passwords for your various marketing tools before. A good approach would be to follow the cadence your organization has set for password resets. This will ensure you’re taking proper measures to avoid unauthorized access.

Review Your Company’s Privacy Policy

Is your company’s privacy policy easy to access? When was the last time it was updated? Is it easy to understand?

GDPR requires that the explanation around how personal data is processed must be easily understood, concise, and easy to access.

Although GDPR in its entirety can seem overwhelming, it’s important for marketers to be aware of the key aspects that could impact their work. Even if your company doesn’t process information on people from the EU, I still urge you to share GDPR information and adjust the way your marketing team operates today. Push yourselves to uphold this new gold standard. GDPR doesn’t have to be scary. These changes will push the marketing profession as a whole to perform in a way that is more honest, permission-based, and responsible.

For more resources on GDPR readiness through the lens of marketing, check out HubSpot’s GDPR