Following on the heels of CAN-SPAM (US) and CASL (Canada), the General Data Protection Regulation (GDPR) is the latest in a series of government regulations that promises to have a major impact on the way B2B marketers conduct business. Of these, GDPR is the most far-reaching in that it not only impacts email communication (the focus of CAN-SPAM and CASL) but also the way companies gather, store, protect, share, and utilize personal data.
The law takes effect May 25, 2018, and applies not only to companies doing business within the European Union (EU), but to any company offering goods or services to customers or businesses in Europe. In plain terms, that means if you do business in Europe, market into Europe, or simply have European contacts in your marketing database, GDPR applies to you.
The penalties for non-compliance with GDPR can be severe. Failure to comply can result in fines ranging from 10 million Euros ($12 million US) to 4 percent of a company’s global sales, a number that could reach into the billions for large corporations.
The Web is littered with articles, Webinars, and very extensive reports about the specific, detailed requirements of GDPR and how best to achieve compliance. This is not one of those articles. Instead, here are 5 very basic steps that should be on every B2B marketer’s “to do” list before GDPR takes effect.
Important disclaimer: none of the steps outlined here are intended, individually or collectively, to guarantee or ensure 100% compliance. We recommend all marketers consult with legal counsel on how best to fully comply with GDPR.
1. Let Visitors Opt-Out of Cookie Tracking
If you use a marketing automation platform such as Marketo, that software will track anonymous visitors to your Website by capturing their IP address and other information by means of a browser cookie. According to the GDPR, any browser cookie that can identify an individual via his or her device is considered personal data and therefore subject to regulation. Visitors should therefore be given a clear way to decline that tracking, not just your email communications.
2. Set Up a Subscription Center
GDPR requires consent to be “specific and granular.” While that language is open to interpretation, a prudent step, at the very minimum, is to provide prospects, customers, and subscribers the option to choose the type and/or frequency of communications they will be receiving. A subscription center, sometimes referred to as a subscriber preference page or subscription management page, can reduce unsubscribe rates from EU and non-EU leads alike by providing the individual an alternative to simply opting out completely. It can also increase engagement rates and overall email performance by allowing you to segment campaigns and other communications based on stated areas of interest.
3. Create an Opt-In Process
The opt-in process for GDPR is very similar to the requirements under CASL. If you already have a CASL compliance program in place (and you should, if you’re marketing into Canada), you’re most of the way there. Simply cloning your CASL program for EU leads and contacts will give you a great starting point for building out a GDPR program. There are, however, a few important differences to note:
CASL requires you to document the date and time of consent, the IP address, the URL/form used to opt in (or the type of offline opt-in), and an image of the form used. GDPR requires documentation of the consent date, the reason for processing, the way the consent was obtained, and past consent history. Like CASL, GDPR requires that no opt-in box be pre-checked, that the Web page or form makes it clear exactly what the individual is opting into, and that individuals always have the option to opt out at a later date.
4. Protect Your Data
GDPR requires that companies that collect and manage personal data protect that data from any potential misuse and exploitation. Unlike B2C companies (which routinely trade in credit card information and other financial data), many B2B marketers don’t think too often about data security, but with GDPR, those days are over.
At a minimum, evaluate who has access to your marketing automation or email marketing software and what levels of permissions they have. Establish strict and formal “roles” within the software to limit access for individuals who don’t need full, admin-type permissions. Be diligent about removing former employees and contractors. Use features like workspaces and partitions if applicable to your business – for example, if data is shared amongst different regions or business units. And finally, document any and all policies associated with data security and system access so that everyone knows the rules.
A special thank you to Anne Angele, Spear’s Senior Marketing Automation Specialist, for her contributions to this article.