There is little doubt that you have already heard of the EU’s General Data Protection Regulation (GDPR), but if you haven’t this article will tell you more about the regulation and how to prepare before it’s May 25, 2018 enforcement date.
Many marketers and website managers incorrectly assume that this regulation doesn’t apply to them if they don’t have operations in Europe. Others assume that their CRM or marketing automation tools will handle all of the necessary requirements. These assumptions simply aren’t true and that’s why we are writing this article to help you get your ship in shape.
Here are five steps to help ensure your marketing department is in compliance with GDPR rules:
1. Create a GDPR Team & Review Your Company’s Data Handling Procedures
Appointing an individual or team to ensure consistency in your data handling procedures is a recommended step in placing all of your marketing endeavors and existing contact lists through a thorough review. This lead person or team should work closely with the marketing department to ensure that GDPR rules are being closely followed before deployment of marketing campaigns to contacts in the EU.
- Review Existing Mailing Lists
All EU contacts must have a record of consent. If you don’t have this on file, you must remove any individuals without a proactive consent record. If you have email automation, you may need to segment your lists to ensure that you secure a record of consent for future mailings. - Document all Data Collection Mediums and Processes
Create a master list of all of the marketing data collection touch points, to ensure that every list has a process in place to obtain consent in the future. This can include any type of data collection, including sales, partners, email lists, list purchases, website registrations, event registries and any other method by which you collect customer data. - Consistently Ensure the Success of the Program
Ensure that the rules are consistently being followed by reminding the marketing team of the GDPR rules and consequences. Additionally, it may be wise to create a learning and development training to ensure that all marketing employees are familiar with the rules.
2. What To Do When Collecting Personal Data
There are multiple steps that need to be taken when collecting personal data to ensure compliance with GDPR. Your organization may have additional methods of collection and may require a more customized method, so this should be used as a general guide.
Collecting Personal Data on Websites & Web Forms
- Provide Clear Consent Wording
Businesses are required to write a natural, easy to understand and non-legalese language consent notification when collecting personal data. Post clearly how all information will be utilized. - Include a Cookie Consent Notice
On all web forms that collect cookie data, it is important to have a clear notice. It is advised to follow similar conventions and verbiage outlined in this consent notice.
(Example: “This site uses cookies to offer you a better browsing experience. Learn more about how <name of organization> uses cookies and how to change your settings.”) - Create an Age Verification Process
GDPR requires parental consent when collecting data from someone under the age of 16. Create a process for verifying age and getting parental consent when necessary. - Add Country of Residence to Web Forms
Note that this is different than collecting the company or office headquarter’s country location. The country of residence must be collected in order to ascertain whether the person’s data is regulated by GDPR.*GDPR recognizes IP addresses as personal data as well. Many marketing systems use IP data for logging actions and events. It is recommended that IP validation be removed from any marketing workflows.
In Person
If collecting data in-person at an event or conference. You must ask for consent to collect their personal data. You should include a box to sign, initial or check to indicate that the person has given their consent. In addition, you should ensure to ask the “Country of Residence” in person as well, as this will help determine the jurisdiction of GDPR.
3. Actively Manage Collected Leads
- Double Opt-In / Re-verification
It is recommended that marketers send a double opt-in or re-verification email to all EU contacts, verifying their email address and renewing their consent to receive emails, in-app offers, direct mail and other marketing materials from your organization. Remember that you should only send this verification to those who are actively subscribed. It is still illegal, at risk of fines, to email someone in the EU who has unsubscribed from your list. - Communication Preferences
Creating an online communication preferences center will give your contacts better control of the types of data they would like to receive. This preferences page will allow users to review the lists in which they are subscribed and manage their subscription to each. To ensure compliance, each list should have a clear description and the frequency of which the emails are sent for each list. Utilizing your list of data collection mediums from Step 1 is a great way to ensure you give full control of communication preferences to your list contacts.Example Communication Preference Center:
4. Regularly Update Privacy Policy and Proactively Notify
Create a clear privacy policy and regularly update it with information regarding what types of data are collected, how they are stored and used. Additionally, be sure to include contact information for your company. A great example of a privacy policy can be seen at Expedia.com.
When you make changes to how your data is used or add/modify collection methods, it’s a great time to review your privacy policy and make any necessary updates. Once updated, it’s important to notify your list contacts who are affected by the policy changes.
Following is an example Privacy Policy Update Email from Nordstrom:
5. Data Breach Plan of Action
5. Data Breach Plan of ActionGDPR requires that organizations report data breaches within 72 hours of becoming aware of the breach. This doesn’t give companies a lot of time to craft and deliver a communication to it’s list. Therefore, it’s best to create a data breach plan in advance.
Here are some best practices for communicating a data breach:
- Ensure all employees on how to respond in the event of a data breach and how to communicate with customers.
- Create a social media response plan of action and ensure that appropriate staffing is available or have a third-party social media marketing or reputation management company ready to help in such event.
- Publish as much information about the breach and the data compromised as quickly as possible on the website or a microsite where you can direct customers for updated information.
- Notify the parties who are affected by the data breach by phone, email, postal mail or any other appropriate method.
- Communicate that your company takes the data breach seriously and are working diligently to mitigate the damage.
- Inform affected parties that they should report any suspicious activity regarding use of their personal data to the business and appropriate authorities.
- Be as transparent as possible and engage your PR team or firm to speak with the media or issue a press release about the breach.
- Provide clear instructions on how to reach your customer service team for questions, how to file a complaint or get assistance.
- Help customers who have been negatively affected by the data breach.
- Update media and affected parties to ensure a plan of action for preventing a similar data breach in the future.
- Communicate with marketing, IT and GDPR team to ensure future compliance.
Contact us for more information about compliance with GDPR rules, or to schedule an audit of your data security measures.
