By John Kennedy on 2017-08-06 16:08
One of the major challenges facing B2B marketers in 2017 will be the preparations for the new EU GDPR data privacy legislation. Businesses have less than twelve months now to get ready to comply with the regulation when it comes into effect on 25th May 2018.
The GDPR, or General Data Protection Regulation (the full text runs to 261 pages), is designed to unify data privacy laws across the EU, giving EU residents more control over their personal data and over how organisations can use and must protect this data.
It is hard to think of a business or organisation today that does not collect or use personal data in some way or form. Whether you have employees, customers or vendor relations – if the data you hold relates to an individual you will need to comply with the new GDPR. Personal data is any information relating to an identified or identifiable natural person or ‘Data Subject’. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
The Current Legislation
The current Data Protection Directive 95/46/EC dates back to 1995, when the internet was still in its infancy and we were not so familiar with search engines, social media networks, smartphones and cloud computing.
Technology has evolved significantly since the introduction of the current legislation, and the environment has seen explosive growth in the volume of data being managed, advances in the use of video and photos in electronic communications, and the impact of a borderless 24/7 Internet and digital economy. It is not just users who have changed in their adoption of technology: companies have also noticeably transitioned from legacy infrastructure and applications to the SaaS (Software-as-a-Service) model, with a different data mentality.
The new GDPR takes these challenges into consideration and will impose new obligations on organisations that process the personal data of EU residents, giving individuals more control over their own private information in an increasingly digital world. As a result of the GDPR, businesses will need to be far more transparent about how they manage and process personal data.
As a business you still have time to develop transparent and easy-to-grasp data policies for your employees, customers and third parties, so that they understand what you are doing and why it is important to comply with GDPR. Preparations should be looked at as an opportunity to enhance the way your business handles personal information, to improve processes and to show how you are getting ready for the demands of customers.
Addressing Company Fears
Only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline. According to the survey nearly a quarter of companies have not even started preparing yet, and consent is the biggest cause for concern, cited by 70% of respondents. Almost 40 percent of businesses are worried that they may not be compliant according to a Veritas survey of more than 2,500 senior technology decision makers.
If you operate a consumer-facing business, it is likely that you will receive requests to stop processing personal data, or to erase or transfer it. Now is the time to think about how you will handle and respond to these requests, and about the potential impact on the systems and processes you have in place today.
If your company is found to be in breach of the regulations you will face steep penalties and may be fined up to 20 million EUR or 4% of annual global turnover. The loss is not only financial: from a marketing and PR perspective, any breach carries the risk of damage to your company’s reputation at the expense of customer trust and loyalty.
As well as laying down foundations that will protect consumers, the marketers that take action now will be better placed to take advantage of the situation next year.
What Are Some Of The New Steps That An Organisation Needs To Consider?
- A right to be forgotten also known as the right to erasure
- A right to access, rectify or erase personal data
- A right to data portability
- A right to object to profiling activities
- Increased transparency for individuals on how their personal data is collected, used, stored or otherwise processed
- Requirements for the provision of easily accessible and easy-to-understand language
- Greater accountability and more detailed compliance responsibilities for organisations
- Companies must notify data authorities about data breaches within 72 hours
- Ensuring the ongoing confidentiality, integrity, availability and resilience of systems that store and process data
- The purpose of acquiring personal data and how it will be used
- Whether the data will be transferred internationally
- The period for which the data will be stored
- The individual’s right to withdraw consent at any time
- The individual’s right to lodge a complaint
- Documentation and an audit trail of what personal data is held, where it came from and with whom it is shared
- Planning for how to handle requests within the regulated time frames and in a machine-readable format
- Review how consent is sought, obtained and recorded
Consent & Accountability
Consent forms a big part of the new regulations and may force some organisations to approach individuals in their database for further permission to use their data. This will make it harder for marketing to maintain a positive experience, since the individual is presented with multiple options to consent to, at a time when many other companies may be doing the same thing. GDPR places a lot more focus on consent that is specific, granular and auditable. The exact use of the data that is being consented to must be simple to understand and expressed in clear terminology, and it must be easy for a subscriber to withdraw their permission.
The largest concern for most marketers about GDPR is consent: being able to prove, if necessary, that you have an audit trail showing that a contact has double opted in. You must be able to show that you obtained the consent in the correct way, stored it properly and have an audit trail. If your contacts are silent, or you take inactivity as a yes, you will be breaking the rules.
The inbound methodology sets out to attract rather than distract an audience, and grows attention organically by generating website traffic with educational content for visitors searching to learn something. This audience may have already expressed an interest in what you have to offer by visiting your website, downloading content or opening an email they have already opted in to. Gated content as a tactic to collect email addresses with double opt-in consent will be a valuable way to build a qualified database, since in future you will not be able to send unsolicited marketing emails to a B2B contact.
What Is A Double Opt-in?
A double opt-in email feature gives you the ability to require that your email recipient confirms that they want to opt in. When you enable this feature, the typical workflow is to send an opt-in request email after someone fills out one of your forms. The contact then has to click a link in that email to confirm that they want emails and to confirm that they are who they say they are.
When using double opt-in your emailing lists will be far better qualified. You may end up with a smaller list, but having contacts willingly opt in should see the list perform better. There is of course also the protection against spam bots and fake subscribers. Users who have to confirm their consent are typically the ones who will engage more readily with your business.
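The double opt-in workflow described above, together with the auditable consent record the earlier section calls for, as an added Python example that is not from the original post or any vendor's product. It assumes an in-memory store in place of a real subscriber database, a constructed 48-hour link lifetime, and returns the confirmation token as a string instead of sending an email; the form submission only creates a pending request, and consent is recorded, with an audit entry, only after a valid, unexpired, unused link is clicked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 48 * 3600  # constructed value: confirmation links are valid for 48 hours


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class ConsentStore:
    """In-memory stand-in (hypothetical) for the subscriber database and its audit trail."""
    secret: bytes                                   # HMAC key used to sign confirmation tokens
    pending: dict = field(default_factory=dict)     # email -> one-time nonce awaiting a click
    confirmed: dict = field(default_factory=dict)   # (email, purpose) -> consent record
    audit_log: list = field(default_factory=list)   # append-only list of consent events

    def _log(self, event: str, email: str, now: float, **extra) -> None:
        self.audit_log.append({"ts": now, "event": event, "email": email, **extra})

    def request_opt_in(self, email: str, purpose: str, source: str, now: float = None) -> str:
        """Step 1: a form was submitted. Record a *pending* request and build the signed link token."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.pending[email] = nonce
        payload = json.dumps(
            {"email": email, "purpose": purpose, "nonce": nonce, "exp": now + TOKEN_TTL_SECONDS},
            sort_keys=True,
        )
        body = _b64e(payload.encode())
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        self._log("opt_in_requested", email, now, source=source, purpose=purpose)
        return f"{body}.{sig}"  # this string would be embedded in the link of the opt-in email

    def confirm(self, token: str, now: float = None) -> bool:
        """Step 2: the link was clicked. Verify the token; only then record consent."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return False
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # tampered or forged link
        claims = json.loads(_b64d(body))
        email, purpose = claims["email"], claims["purpose"]
        if now > claims["exp"]:
            self._log("confirmation_expired", email, now, purpose=purpose)
            return False
        if self.pending.get(email) != claims["nonce"]:
            return False  # no such request, or the link was already used
        del self.pending[email]  # one click per request: the same link cannot be replayed
        self.confirmed[(email, purpose)] = {
            "confirmed_at": now,
            "purpose": purpose,
            # hash of the exact token that was clicked, so the record can be tied back to the link
            "evidence": hashlib.sha256(token.encode()).hexdigest(),
        }
        self._log("consent_confirmed", email, now, purpose=purpose)
        return True

    def withdraw(self, email: str, purpose: str, now: float = None) -> bool:
        """The individual withdraws consent; the withdrawal itself is logged."""
        now = time.time() if now is None else now
        removed = self.confirmed.pop((email, purpose), None) is not None
        if removed:
            self._log("consent_withdrawn", email, now, purpose=purpose)
        return removed

    def can_email(self, email: str, purpose: str) -> bool:
        """A pending, unconfirmed request is not consent: silence is not a yes."""
        return (email, purpose) in self.confirmed
```

Consent is keyed by purpose as well as address, so a newsletter opt-in does not silently cover other mailings, and the audit log records the request, the confirmation and any later withdrawal with timestamps, which is the evidence the consent section says you must be able to produce.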
GDPR Explained: Getting Prepared
IBM has written a useful e-book for organisations on understanding how GDPR works; it is a good place to start learning about the implications of GDPR.
GDPR - Staying Positive
Many organisations will discover the need to re-design their approach to GDPR compliance and data protection practices. The new legislation will not only affect the way data is collected and processed, but also how organisations will develop and execute digital marketing strategies.
GDPR represents an opportunity for organisations to consider data privacy compliance more strategically, as it becomes key to their data strategy and the digital transformation of their business.
This blog cannot replace the need for legal advice and must not be treated as legally binding advice. It is important that you discuss GDPR and its implications for your organisation with appropriate legal advisors.
Some questions to think about as you carry on with your preparations:
- What products and services do you offer? Do they include data analytics, profiling, etc.?
- How does your organisation interact with third parties, and does any data transfer take place between these third parties?
- Who is looking after privacy and compliance within your organisation?
- Have there been any interactions or consultation with the data protection authorities (DPAs)?
- How will you handle and manage data requests from individuals?
- Do you have privacy or data training in place?
- How did you obtain the personal data that you currently hold?
- How long will you keep the data?
- How secure is it, both in terms of encryption and accessibility?
Good luck, and take the time to get ready for GDPR!
Image source: www.freepik.com