What is GDPR? It’s the General Data Privacy law that is going into effect in the European Union on May 25th, 2018. Why should you care? Because you are subject to the law IF you have any EU Data Subjects on your list, that is, in your marketing database.
What’s your exposure if you don’t pay attention?
The GDPR has teeth in it. Consider that if you get in trouble with GDPR, the initial fine is 10 million Euros, or 2% of your top line revenue. But it can go as high as 20 million Euros and 4% of top line revenue (whichever is greater). Ouch!
Here are some things that can get you in trouble and what you can do about each one:
#1. Not complying with a request from an individual to understand how their data is being held.
Solution: Make sure it’s easy for people to access this information right off of your website. Alternatively, you could offer a way for an individual to request this, and receive an email with the information, or a link to where they can find it. (And then make sure these requests don’t place people into your general marketing list).
#2. Not being able to show how and when consent was obtained.
Solution: You need an audit trail that shows when a lead was added to your lead database / list, and which IP address they came in from. From a consent standpoint, if the request is for a downloadable PDF or other information they want, send a follow-up email and track the clickthrough/download from that email, along with the IP address it occurred from. That rounds out the how and when of the audit trail.
In addition to that, put a BCC on your automated fulfillment email and have it be placed into an archival folder (create an email just for the purposes of archiving these). If trouble arises, you’ll have the audit trail, AND the email that was actually delivered to the lead, fulfilling on their request.
Both Genoo and WPMktgEngine provide this information in the Activity Stream detail for a lead record. We also will show you the origination IP Address, and where in the world that IP address lives. And that BCC idea above? Easily done within either of our systems.
Note that if someone downloads an eBook on subject X, it doesn’t mean you can send them an email on subject Y. To do that, you would need to have their consent BEFORE they submit the lead capture form, so they understand what they are giving consent for. More on this later…
#3. Individuals can’t withdraw consent easily and at any time.
An Unsubscribe option to opt-out of everything will handle this one. Most marketers and systems require this currently. You’re likely covered here. But there are some systems that send sales emails from a Sales Development Rep (SDR), and these oftentimes have no opt-out… they are made to look like they’re just a query… but make no mistake, these are not CAN-SPAM compliant — even though they happen a lot. If you’re involved in this type of marketing — take notice and make changes BEFORE you get in hot water.
#4. A lead has a lack of clarity on any of these points:
a. Contact details, or name of organization is unclear. Make sure your website/microsite is super clear WHO the organization is, and how they can be contacted.
c. Where the data will be held (what country) and if it will be transferred internationally. This is likely the case if you’re using a cloud-based service like Genoo and WPMktgEngine. In this case, you want to be sure you have this information (for us, our production servers are in the USA in our cloud environment).
e. The right to access, rectification or removal of data as well as the right to withdraw consent at any time. You must have a way for people to see what information you store about them. They must be able to request deletion (the GDPR gives people the right to be forgotten). Rather than offering the ability to remove some stored facts but not others, you could just delete the entire record instead of providing line-item editing. It makes things easier to know that you can just remove them from your lead database. Just make sure you give them an easy way to request what they want, and that you act in a reasonable amount of time.
OK — so those are some basics of GDPR. I mentioned consent above… so let’s explore that a bit.
Consent needs to be explicitly given. No more pre-checked boxes – that is definitely out.
The GDPR says this:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
So be sure you have some concise statements that outline the “consent” being agreed to when someone completes a lead capture (opt-in) form.
The gotcha for most people thinking about this is the fact that as a marketer you don’t want to add more friction to the opt-in process. It’s a pretty well known fact that double opt-in suppresses your overall opt-ins by about 50% give or take… so what’s a way to handle this consent processing?
Here’s the solution we are working on:
- Allow our customers to create “consent” agreement statements.
- If someone from an EU IP Address is completing a lead capture form, then automatically present them with the “consent” statement – which they MUST scroll through and then click “I Agree” to continue and submit the form. If they do not agree, they cannot submit the form.
- Another variation of the above is to process similarly when the email address has a domain extension from an EU country (e.g. .de = Germany, .nl = Netherlands, .es = Spain, etc).
- When the form is submitted, tie the specific consent statement that was agreed to to the lead record and to the form submission within the Activity Stream (which will also hold the IP Address).
- If a form is submitted from an IP Address OUTSIDE of the EU, the form could have a checkbox, “I am an EU Data Subject” (or something like that), and if checked, does the same thing PRIOR to submitting the form.
- For everyone else, it would operate just like it always has. No additional friction at all.
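A sketch of the gating rules above together with the "how and when" audit record from point #2, written as an added example; it is not Genoo or WPMktgEngine code. The function names, the record fields, the SHA-256 fingerprint of the statement text and the assumption that a geo-IP lookup has already produced `ip_country` are all illustrative choices.

```python
import hashlib
from datetime import datetime, timezone

# ccTLDs of the EU member states plus .eu (the post names .de, .nl and .es).
EU_TLDS = {"at", "be", "bg", "hr", "cy", "cz", "dk", "ee", "fi", "fr", "de",
           "gr", "hu", "ie", "it", "lv", "lt", "lu", "mt", "nl", "pl", "pt",
           "ro", "sk", "si", "es", "se", "eu"}
EU_COUNTRIES = {t.upper() for t in EU_TLDS - {"eu"}}  # ISO 3166-1 alpha-2


def consent_required(ip_country, email, self_declared_eu=False):
    """Return why the consent statement must be shown, or None (no friction)."""
    if (ip_country or "").upper() in EU_COUNTRIES:
        return "eu_ip"
    tld = email.rsplit(".", 1)[-1].lower() if "@" in email else ""
    if tld in EU_TLDS:
        return "eu_email_tld"
    if self_declared_eu:
        return "self_declared"
    return None


def record_submission(form, statement, agreed, now=None):
    """Build the audit-trail entry for one submission; refuse it when consent
    is required but "I Agree" was not clicked."""
    reason = consent_required(form["ip_country"], form["email"],
                              form.get("eu_checkbox", False))
    if reason and agreed is not True:
        raise PermissionError(f"consent required ({reason}) but not given")
    entry = {
        "form_id": form["form_id"],
        "email": form["email"],
        "ip": form["ip"],
        "submitted_at": (now or datetime.now(timezone.utc)).isoformat(),
        "consent_reason": reason,
        "consent_text": statement if reason else None,
        # Hash pins the exact wording agreed to, even if the statement changes later.
        "consent_sha256": hashlib.sha256(statement.encode()).hexdigest() if reason else None,
    }
    return entry


# Constructed sample data (documentation IP range, example domain).
STATEMENT = "I agree to receive the requested eBook and follow-up emails about it."
SAMPLE = {"form_id": "ebook-x", "email": "anna@example.de",
          "ip": "203.0.113.7", "ip_country": "US"}
```

The check has to run on the server when the form is received, because a client-side check alone can be skipped by posting to the form endpoint directly.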
One more thing, which I said when I was a panelist on the Marketing panel at Consumer Identity World conference last fall. If you’re using marketing best practices, and segmenting your list, sending the right message at the right time — you will likely NEVER run afoul of the EU GDPR law.
These best practices, and how to implement them even if you’re a marketing department of ONE, are what we teach in our Email Expert Academy program, and what our Genoo and WPMktgEngine software makes super simple.
The goal is to build authority, trust and relationship with your leads. Lead them and guide them through their buying journey rather than badger them to buy on your time frame. If you employ those strategies, you will delight the majority of your leads, and convert more of them into customers. Isn’t that what you want from your marketing?
DISCLAIMER: I am not a lawyer. Do not construe anything stated above to be a statement or interpretation of the law. Please consult your attorney.