Following on the heels of CAN-SPAM (US) and CASL (Canada), the General Data Protection Regulation (GDPR) is the latest in a series of government regulations that promises to have a major impact on the way B2B marketers conduct business. Of these, GDPR is the most far-reaching in that it not only impacts email communication (the focus of CAN-SPAM and CASL) but also the way companies gather, store, protect, share, and utilize personal data.
The law takes effect May 25, 2018, and applies not only to companies doing business within the European Union (EU), but to any company offering goods or services to customers or businesses in Europe. In plain terms, that means if you do business in Europe, market into Europe, or simply have European contacts in your marketing database, GDPR applies to you.
The penalties for non-compliance with GDPR can be severe. Failure to comply can result in fines ranging from 10 million Euros ($12 Million US) to 4 percent of a company’s global sales, a number that could reach into the billions for large corporations.
The Web is littered with articles, Webinars, and very extensive reports about the specific, detailed requirements of GDPR and how best to achieve compliance. This is not one of those articles. Instead, here are 5 very basic steps that should be on every B2B marketer’s “to do” list before GDPR takes effect.
Important disclaimer: none of the steps outlined here are intended, individually or collectively, to guarantee or ensure 100% compliance. We recommend all marketers consult with legal counsel on how best to fully comply with GDPR.
1. Let Visitors Opt-Out of Cookie Tracking
If you use a marketing automation platform such as Marketo, that software will track anonymous visitors to your Website by capturing their IP address and other information by means of a browser cookie. According to the GDPR, any browser cookie that can identify an individual via his or her device is considered personal data and therefore subject to regulation.
Every marketing automation platform handles cookie tracking a little differently, and so your options for adhering to “do not track” requests may vary. Some platforms offer the ability to automatically recognize when a visitor has his/her browser configured to disable cookie tracking. (For example, in the case of Marketo, you can set “Do Not Track” Browser Request to “Support.”) Your platform may offer the option to request all visitors from selected countries to opt-in to cookie tracking upon their first visit. In addition, you can also include a “Do Not Track” button or link on your privacy policy page.
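The two behaviours described above, recognising a browser's "Do Not Track" request and requiring an explicit opt-in from visitors in selected countries before any tracking cookie is set, can be reduced to one decision function. The following is an added example written for this article, not code from Marketo or any other platform; the cookie names, the country list and the `Request` shape are assumptions made for the example.

```python
"""Added example: should this response set a tracking cookie?

Models the policy the article describes: a DNT header or a stored
refusal always wins; visitors from opt-in countries are not tracked
until a consent cookie says "granted"; everyone else is tracked by
default. Cookie names and the country list are assumptions.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Countries whose visitors must opt in first (constructed sample; a real
# deployment would list every country the policy applies to).
OPT_IN_REQUIRED = {"DE", "FR", "IE"}

CONSENT_COOKIE = "tracking_consent"   # assumed name: "granted" / "denied"
TRACKING_COOKIE = "visitor_id"        # assumed name of the tracking cookie


@dataclass
class Request:
    headers: Mapping[str, str]
    cookies: Mapping[str, str]
    country: str  # ISO 3166-1 alpha-2, as a geolocation step would supply


@dataclass
class TrackingDecision:
    track: bool
    reason: str


def decide_tracking(req: Request) -> TrackingDecision:
    # 1. "DNT: 1" is an explicit refusal from the browser; honour it first.
    if req.headers.get("DNT", "").strip() == "1":
        return TrackingDecision(False, "browser sent Do Not Track")
    consent = req.cookies.get(CONSENT_COOKIE)
    # 2. A stored refusal, e.g. from a "Do Not Track" link on the privacy page.
    if consent == "denied":
        return TrackingDecision(False, "visitor opted out")
    # 3. In opt-in countries nothing is set until the visitor has said yes.
    if req.country in OPT_IN_REQUIRED:
        if consent == "granted":
            return TrackingDecision(True, "explicit opt-in on file")
        return TrackingDecision(False, "opt-in required, none recorded")
    # 4. Elsewhere the default is to track unless refused above.
    return TrackingDecision(True, "no refusal recorded")


def cookies_to_set(req: Request, decision: TrackingDecision,
                   visitor_id: str) -> dict:
    """Cookie values the response should carry; None means 'delete it'."""
    if decision.track:
        return {TRACKING_COOKIE: visitor_id}
    # Not tracking: also clear a tracking cookie that is already present,
    # so an opt-out takes effect on the current visit, not the next one.
    if TRACKING_COOKIE in req.cookies:
        return {TRACKING_COOKIE: None}
    return {}


if __name__ == "__main__":
    r = Request({"DNT": "1"}, {TRACKING_COOKIE: "abc"}, "US")
    d = decide_tracking(r)
    print(d, cookies_to_set(r, d, "new-id"))
```

The DNT header is checked before anything else so that a stale consent cookie can never override a browser-level refusal.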
2. Set Up a Subscription Center
GDPR requires consent to be “specific and granular.” While that language is open to interpretation, a prudent step, at the very minimum, is to provide prospects, customers, and subscribers the option to choose the type and/or frequency of communications they will be receiving. A subscription center, sometimes referred to as a subscriber preference page or subscription management page, can reduce unsubscribe rates from EU and non-EU leads alike by providing the individual an alternative to simply opting out completely. It can also increase engagement rates and overall email performance by allowing you to segment campaigns and other communications based on stated areas of interest.
3. Create an Opt-In Process
The opt-in process for GDPR is very similar to the requirements under CASL. If you already have a CASL compliance program in place (and you should, if you’re marketing into Canada), you’re most of the way there. Simply cloning your CASL program for EU leads and contacts will give you a great starting point for building out a GDPR program. There are, however, a few important differences to note:
CASL requires you to document the date and time of consent, the IP address, the URL/form used to opt in (or the type of offline opt-in), and an image of the form used. GDPR requires documentation of the consent date, the reason for processing, the way the consent was obtained, and past consent history. Like CASL, GDPR requires that any opt-in box must not be pre-checked, that the Web page or form makes it clear exactly what the individual is opting into, and that individuals always have the option to opt out at a later date.
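The consent records GDPR asks for (date, purpose, method of collection, and a history rather than a single flag) map naturally onto an append-only ledger keyed by contact. The following is an added illustration written for this article, not code from any marketing automation product; the field names, the purpose strings and the in-memory storage are assumptions.

```python
"""Added example: an append-only consent ledger.

Every opt-in or withdrawal is kept as its own event, so the full history
the article mentions is always available, and "does this contact consent
to X?" is answered from the most recent event for that purpose. Field
names and purposes are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    when: datetime      # consent date (UTC)
    purpose: str        # reason for processing, e.g. "newsletter"
    method: str         # how consent was obtained: form URL or offline type
    source_ip: str      # recorded as CASL requires; harmless under GDPR
    granted: bool       # False records a withdrawal


class ConsentLedger:
    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record(self, email: str, purpose: str, method: str, source_ip: str,
               granted: bool = True, when: Optional[datetime] = None,
               box_prechecked: bool = False) -> ConsentEvent:
        # A pre-checked box is not consent under either regime, so refuse
        # to store it as a grant rather than silently accepting it.
        if granted and box_prechecked:
            raise ValueError("consent from a pre-checked box is not valid")
        when = when or datetime.now(timezone.utc)
        ev = ConsentEvent(when, purpose, method, source_ip, granted)
        self._events.setdefault(email.lower(), []).append(ev)
        return ev

    def withdraw(self, email: str, purpose: str, method: str,
                 source_ip: str) -> ConsentEvent:
        # Withdrawal is just another event; nothing is ever deleted.
        return self.record(email, purpose, method, source_ip, granted=False)

    def history(self, email: str) -> List[ConsentEvent]:
        return sorted(self._events.get(email.lower(), []), key=lambda e: e.when)

    def has_consent(self, email: str, purpose: str) -> bool:
        # The latest event for this purpose decides; no event means no consent.
        for ev in reversed(self.history(email)):
            if ev.purpose == purpose:
                return ev.granted
        return False


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("Jane@Example.com", "newsletter",
                  "https://example.invalid/signup", "203.0.113.7")
    print(ledger.has_consent("jane@example.com", "newsletter"))
```

Keeping withdrawals as events rather than deleting the original grant is what lets you show, later, both that consent existed and when it ended.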
4. Protect Your Data
GDPR requires that companies that collect and manage personal data protect that data from potential misuse and exploitation. Unlike B2C companies (which routinely handle credit card information and other financial data), many B2B marketers don’t think too often about data security, but with GDPR, those days are over.
At a minimum, evaluate who has access to your marketing automation or email marketing software and what levels of permissions they have. Establish strict and formal “roles” within the software to limit access for individuals who don’t need full, admin-type permissions. Be diligent about removing former employees and contractors. Use features like workspaces and partitions if applicable to your business – for example, if data is shared amongst different regions or business units. And finally, document any and all policies associated with data security and system access so that everyone knows the rules.
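The access review described above (who has admin rights and whether they need them, departed staff still enabled, accounts nobody uses) is easiest to do repeatably over a user export rather than by eye. The following is an added example written for this article, not a script from any marketing automation vendor; the export fields, the approved-job list and the sample users are constructed assumptions.

```python
"""Added example: a least-privilege review of a user export.

Runs three checks the article asks for over a list of user records:
departed people still active, admin rights held outside approved job
functions, and accounts with no recent login. The record fields and the
sample data below are constructed for the example.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample export; a real one would come from the platform's
# user administration screen or API.
SAMPLE_USERS: List[Dict] = [
    {"user": "alice", "role": "admin", "job": "marketing ops",
     "active": True, "employed": True, "last_login": "2018-04-20"},
    {"user": "bob", "role": "admin", "job": "content writer",
     "active": True, "employed": True, "last_login": "2018-04-18"},
    {"user": "carol", "role": "standard", "job": "sdr",
     "active": True, "employed": False, "last_login": "2017-10-01"},
    {"user": "dave", "role": "standard", "job": "contractor",
     "active": True, "employed": True, "last_login": "2017-11-01"},
    {"user": "erin", "role": "admin", "job": "intern",
     "active": False, "employed": False, "last_login": "2017-01-05"},
]

# Job functions for which full admin rights are documented as necessary
# (assumption for the example).
ADMIN_JOBS = {"marketing ops"}
STALE_DAYS = 90


def review_access(users: List[Dict], today: date,
                  admin_jobs=ADMIN_JOBS,
                  stale_days: int = STALE_DAYS) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every active account that needs action."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        if not u["active"]:
            continue  # already disabled; nothing to review
        if not u["employed"]:
            findings.append((u["user"], "departed user still active"))
        if u["role"] == "admin" and u["job"] not in admin_jobs:
            findings.append((u["user"],
                             "admin rights outside approved job functions"))
        last = date.fromisoformat(u["last_login"])
        if (today - last).days > stale_days:
            findings.append((u["user"], f"no login in {stale_days} days"))
    return findings


def users_flagged(users: List[Dict], today: date) -> List[str]:
    """Distinct users with at least one finding, in export order."""
    seen = []
    for user, _ in review_access(users, today):
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_USERS, date(2018, 5, 1)):
        print(f"{user:8} {finding}")
```

Run it on a schedule and keep the output with the data-security documentation the article recommends, so the review itself is evidence that the access policy is enforced.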
5. Update Your Privacy Policy
Unlike CASL, much of the language in GDPR focuses heavily on data privacy rather than digital marketing. GDPR requires that the information companies provide about how they process personal data must be concise, easily accessible, and written in clear and plain language. Review your Website’s privacy policy to ensure that it’s accurate, up-to-date, easy to understand, and covers everything required by the new regulation.
A special thank you to Anne Angele, Spear’s Senior Marketing Automation Specialist, for her contributions to this article.
Helpful post. I’m curious how you are advising clients – or more importantly – what other B2B clients are doing to mitigate the limitations of GDPR. In other words, while most companies are using a mix of inbound and outbound, modern and less-modern routes to securing net new leads, what’s replacing those routes that are no longer viable?
Great question, Karen. In brief, GDPR is having much less impact on inbound channels (e.g. AdWords, paid social, online display), since for the most part prospects are responding to those ads of their own initiative without the advertiser’s use of personal data. The main changes in the inbound realm have more to do with forms and opt-in workflows.
It’s outbound where GDPR figures to have the greatest impact. Any program or strategy – notably, ABM – that relies on first building a database of target customers and then engaging in proactive outreach to those contacts – is off the table in GDPR-controlled domains.
Many companies – our clients included – are also moving proactively and aggressively to opt-in existing European contacts before they are no longer able to email those prospects without it. Realistically, however, it’s important to acknowledge that even the most effective opt-in campaign will only succeed in gaining opt-in consent from a small percentage of the total audience.
Hope that helps!