**Disclaimer:** We are not attorneys and this should not be considered legal advice. Please speak to your legal counsel to learn how GDPR affects you and your business.
The General Data Protection Regulation (GDPR) is a new regulation that protects the data and privacy of European Union citizens. It applies to companies that collect data regardless of whether they conduct business in Europe or have locations based in the EU. The new GDPR law applies to ALL citizens of the EU, regardless of their physical location. That means GDPR compliance should be a top priority, especially since non-compliance can be penalized with fines of up to 4% of your company’s global annual revenue.
A recent report by Crowd Research, which surveyed more than 531 IT cyber security and compliance professionals, shows that 60% of these companies are likely to miss the GDPR deadline. We’re almost a month out from the official implementation of GDPR, which is May 25th, 2018. If you’re still wrapping your head around all of this craziness, don’t worry. We’ve broken down the most important pieces for you to know so that you can get up to speed quickly and be ready to implement compliance measures on your website.
According to GDPR, you must have a lawful basis for processing personal data (any piece of information relating to a user’s public, professional, or private life). The three main lawful bases are: Performance of Contract, Consent, and Legitimate Interest.
- Performance of Contract – A customer or visitor who comes to your website has agreed to allow the use of their data. For example, if they opt in to receiving emails about product updates, you are allowed to use their data to do so.
- Consent – The customer or visitor must freely give consent regardless of how the information was obtained. For example, you can’t require a customer to give consent in order to receive something. The request must be clear and concise. One way to achieve this is by adding a required check-box to your form. Given consent must be provable, tracked/recorded in your marketing automation system/CRM or in the emailed form-submission results, and can be retracted by the customer at any time.
- Legitimate Interest – If you have retained an existing customer (meaning you have already sold a product or service to them), then there is legitimate interest regarding the products and/or services you offer. For B2B, you are allowed to send marketing emails to a non-customer sourced from somewhere else, so long as it is a product or service they would need and you can prove that you have some form of permission to email them (see CAN-SPAM compliance for more information).
Email Opt-In & Unsubscribes
Aside from giving the customer/visitor a clear and concise consent request, they must have the option to choose what exactly they would like to opt in for. If you offer newsletters, product updates, and promotional emails, they should have the option to opt in for each type of email or only one type (for example: product updates only). If they choose to unsubscribe from any or all of them, you must anonymize their data. This means removing any personal data that could be tied to a specific subject. If they have unsubscribed but then re-subscribe, their data has to be treated as if it were a brand new person. Much of this work can be handled by your email software system, marketing automation system, or sales CRM system – depending on which technology you use to send marketing emails to your customers and prospects.
Data Subject Rights
Every EU citizen has the right to access their data, to change any piece of information they wish, and the right to be forgotten, also known as permanent deletion. If someone wants to be deleted, you must delete any and every access to that data and anonymize it. By anonymizing, you can still keep data such as the location and any pages they visited on your website. However, you must remove more identifiable information like their first name, last name, email, address, social media profiles, and any interactions you have had with them. This does not apply if your customer has a legal contract for your services.
It’s best to set up an internal process for deleting data. For example, designate an email address just for deletion inquiries. And, assign an employee or agency to track that information so that reports can be pulled at a moment’s notice to verify GDPR compliance.
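As an added example that is not from the original post, here is a small Python sketch of the bookkeeping described in the email opt-in and data subject rights sections: per-topic consent stored with proof of when and where it was given, anonymization on unsubscribe or deletion that strips identifiers but keeps location and pages visited, and a re-subscriber issued a brand new record. The field names, the topic list, and the rule that a record is anonymized once no consent remains are assumptions, not anything the post specifies.

```python
from datetime import datetime, timezone
from uuid import uuid4

# Email types a subject can opt in to separately (constructed to match the post).
TOPICS = ("newsletter", "product_updates", "promotions")
# Identifying fields the post says must go; location and pages visited may stay.
PII_FIELDS = ("first_name", "last_name", "email", "address",
              "social_profiles", "interactions")

def new_subject(pii, location=None, pages_visited=()):
    """Create a fresh contact record. A re-subscriber gets a brand new id."""
    return {"id": str(uuid4()), **pii, "location": location,
            "pages_visited": list(pages_visited), "consents": {}}

def record_consent(record, topic, source, box_ticked):
    """Store provable consent: topic, UTC timestamp and where it was collected.
    Consent counts only if the subject actively ticked the (unchecked) box."""
    if topic not in TOPICS:
        raise ValueError(f"unknown topic {topic!r}")
    if not box_ticked:
        raise ValueError("consent must be freely given: box was not ticked")
    record["consents"][topic] = {
        "granted_at": datetime.now(timezone.utc).isoformat(), "source": source}
    return record

def anonymize(record):
    """Deletion request or full unsubscribe: remove everything that identifies
    the person, keep the non-identifying analytics fields."""
    for field in PII_FIELDS:
        record.pop(field, None)
    record["consents"] = {}
    record["anonymized"] = True
    return record

def withdraw(record, topics=None):
    """Unsubscribe from the given topics (all if None). Assumption: once no
    consent remains the record is anonymized so nothing identifiable is kept."""
    for topic in (list(record["consents"]) if topics is None else topics):
        record["consents"].pop(topic, None)
    return anonymize(record) if not record["consents"] else record

def is_anonymized(record):
    """Check used when pulling a compliance report: no PII field survives."""
    return record.get("anonymized") is True and not any(
        f in record for f in PII_FIELDS)
```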
Yes, this could mean a huge overhaul – especially for companies who don’t already have a strong validation and tracking system for their contacts and email lists. Aside from everything listed above, make sure to check your current contact database to see whether those contacts were obtained in compliance with GDPR and CAN-SPAM. Make sure to track, relabel, and segment those lists by how they consented to receive information or by legitimate interest (such as having asked for a sales proposal or physically bought a product from you).
If you use a marketing automation platform like HubSpot, read their literature to learn more about the tools or resources designed to help with GDPR compliance. If you work with an agency, make sure they are up to speed on GDPR and have verified your website, marketing automation system, sales CRM, and/or email software system. While software systems cannot force you to be compliant, they can provide the tools and resources to enable and simplify this process. And, as always, consult with your legal counsel if you have any additional questions regarding how this new regulation specifically pertains to you and your business.