What is GDPR?
GDPR stands for the General Data Protection Regulation. It builds on existing data protection principles, with three core objectives:
- to strengthen individuals’ rights
- to give increased attention to cyber security and technological capacity
- to extend supervision and sanctions across consumer data
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
How we got here…
After four years of negotiation the European Union adopted the General Data Protection Regulation (GDPR) on 14th April 2016. This brings significant changes to EU personal data protection.
The GDPR replaces the previous EU Directive 95/46/EC as well as all EU national legislation on data protection, such as the UK’s Data Protection Act 1998.
Timing of GDPR
The GDPR came into force 20 days after its adoption on 14th April 2016. At that point it replaced the previous Directive 95/46/EC, as well as all member state data protection legislation.
Despite a two-year grace period for implementation, it is imperative that organisations take an early look at their personal data handling processes in order to be compliant by 2018.
Sanctions and fines
Fines under GDPR are based on global turnover, which has huge implications for multinational organisations. If one location, or even one individual, is not fully compliant, the repercussions can affect the whole organisation.
Key compliance principles
In the current Privacy and Electronic Communications Regulations (PECR) all company addresses are considered to be “opt out” (Germany and Canada being exceptions requiring a double opt-in process). This means you can send an email to a company address without permission, provided you include an option to unsubscribe.
In the new regulation this won’t be the case. No distinction is made between personal and business addresses. If the information relates to an individual or identifies an individual, then you will need consent to send a marketing email. So an email address that identifies a person, such as email@example.com, will need consent (an info@ email address will not). It will be up to the sender to prove that consent was given. This means that any data held must have an audit trail that is time-stamped and reveals what the contact opted into, and how.
Implied/soft opt-in is no longer accepted
Under the current regulations, you can email an existing customer provided you give them the opportunity to opt out at the time of purchase (or when they provide their data via a form). This is called implied consent or soft opt-in.
Under the new regulation, this has been removed as all consent must be explicit. This means that you must be able to prove that the customer agreed to receive the emails (by a selection action, not just a disclaimer).
Right to be forgotten
Moving forward, everybody will have the right to be forgotten. No longer can you mark the contact as “do not contact” in your CRM database. All personal details will have to be deleted.
It would be possible to anonymise the personal data within the CRM system. However, at this stage it is unclear whether doing so manually is acceptable, or whether the contact should be able to self-serve this request online.
However, for many B2B organisations the implications of this are huge as upon request this must be actioned across all platforms and databases that may hold the data. So, integrations need to be tight and update rules refined in order for this to be achievable in an effective, compliant manner.
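The two requirements above, a time-stamped consent audit trail recording what each contact opted into and how (and treating a missing record as no consent, since soft opt-in no longer counts), and an erasure request that must be actioned across every platform holding the contact, are illustrated below in an added Python example. This is not code from the original post or from any product it mentions; the ledger, the store layout and the sample contacts are constructed for the illustration.

```python
"""Consent audit trail plus cross-store erasure (constructed illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One time-stamped consent action: what the contact opted into, and how."""
    email: str
    purpose: str          # what was opted into, e.g. "marketing_email"
    source: str           # how consent was captured: "web_form", "event_stand", ...
    granted: bool         # True for an explicit opt-in, False for a withdrawal
    recorded_at: datetime # UTC timestamp of the action
    evidence: str         # reference to the stored proof (constructed submission id)


class ConsentLedger:
    """Append-only audit trail of consent events, keyed by lower-cased email."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, email: str, purpose: str, source: str, granted: bool,
               evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(email.lower(), purpose, source, granted,
                          at or datetime.now(timezone.utc), evidence)
        self._events.append(ev)
        return ev

    def latest(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this contact and purpose (append order breaks ties)."""
        hits = [(e.recorded_at, i, e) for i, e in enumerate(self._events)
                if e.email == email.lower() and e.purpose == purpose]
        return max(hits)[2] if hits else None

    def has_consent(self, email: str, purpose: str) -> bool:
        # No recorded opt-in means no consent: there is no implied/soft opt-in.
        ev = self.latest(email, purpose)
        return ev is not None and ev.granted

    def erase(self, email: str) -> int:
        """Drop every event for the contact; returns how many were removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.email != email.lower()]
        return before - len(self._events)


def erase_everywhere(email: str, ledger: ConsentLedger,
                     stores: Dict[str, Dict[str, dict]]) -> Dict[str, int]:
    """Action a right-to-be-forgotten request across every registered store.

    `stores` maps a platform name (CRM, marketing automation, ...) to that
    platform's records keyed by email. The returned report shows, per store,
    whether a record was found and removed, so the request can be evidenced.
    """
    key = email.lower()
    report = {"consent_ledger": ledger.erase(key)}
    for name, store in stores.items():
        report[name] = 1 if store.pop(key, None) is not None else 0
    return report


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("Alice@Example.com", "marketing_email", "web_form", True, "form-sub-001")
    print("alice consent:", ledger.has_consent("alice@example.com", "marketing_email"))
    print("bob consent (no record):", ledger.has_consent("bob@example.com", "marketing_email"))
    # Constructed stores standing in for the CRM and marketing automation platforms.
    stores = {"crm": {"alice@example.com": {"company": "Acme"}},
              "marketing_automation": {"alice@example.com": {}, "carol@example.com": {}}}
    print("erasure report:", erase_everywhere("alice@example.com", ledger, stores))
```

The ledger answers the "prove consent was given" requirement with `latest()`, which returns the event carrying the timestamp, source and evidence reference; `erase_everywhere()` returns a per-store report so the erasure itself leaves a record of where data was found, without retaining the personal data.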
5 additional impacts for B2B consideration
- Channel partners
For many large and portfolio B2B businesses, the channel plays a critical role in their route to market and fulfilment. GDPR has the power to reach as far down as channel agreements in regards to contact data handling and processing. This raises questions such as: is the partner allowed to share contact data with the manufacturer? If so, is the partner compliant around opt-in, for instance?
- Forms and opt-in
With opt-in becoming mandatory, all existing published forms will need to be reworked to be compliant. One challenge for large organisations is understanding all of the places forms are currently deployed. A second challenge relates to the nature of their deployment: if they are hosted on an individual basis, across separate instances and code bases, then each and every one must be updated individually. A way to help future-proof this would be a cloud form solution, which allows a single code base to be updated so that all forms become compliant at once. One way to address the challenge of form version control and compliance is through a solution such as gatedcontent.com.
- Systems integration, rules and logic
The second part, after updating the form’s front end, is future-proofing all of the back-end systems to ensure compliance. This includes marketing automation, with new fields, processing steps and rules. From there it extends to CRM and lead management, and the management of data within those systems.
- Events
Events play a huge role for many companies in lead and demand creation. GDPR enforces a far more robust process around the management of contact data from events. Event attendee lists can no longer simply be included in marketing campaigns without evidence of opt-in to communications. This could be an opt-in on the stand or a follow-up email. Whichever path is chosen, it is likely to change current practice and add rigour to the process.
- Governance on data
Finally, the other area that GDPR impacts is the creation of new contact data records. These fall under the same restrictions as events, but throughout the marketing and sales processes. Take, for example, content syndication: contacts provided by a third party and typically loaded into a database. These will need to be opt-in compliant, with evidence as proof. Likewise, contact creation through Salesforce will need to go through an opt-in process rather than being added automatically to marketing contact databases. Probably the hardest aspect of all this will be managing it across different regions and offices: an old xls database turning up, a business card lying around on a desk, or an email address visible on social media. All of these need to be handled appropriately to be compliant. As previously noted, if one contact record that one person created is not compliant, the penalty is based on the whole global organisation.
The wide-ranging impacts of GDPR will have a significant effect on how business-to-business companies treat data: not necessarily in terms of how data is practically handled, but in how its treatment is perceived across organisations. Until now, data has been something that only techies and marketing operations have worried about; now far more stakeholders are involved in achieving compliance. The level of governance and process change that many businesses now require presents a significant challenge. While there are still 18 months before the grace period expires, organisations need to start taking action now, or they may well find themselves with inadequate time to complete everything required.
If you’d like help understanding what your business needs to do to achieve compliance, talk to us today for a GDPR audit.
If you have any questions about managing your marketing in a post-GDPR World check out our webinar recording here.
Our marketing technology experts will show you how GDPR can be a game-changer!