Disclaimer: We are not lawyers, and this should not be construed as legal advice. This post is intended for informational purposes only. You must consult your own legal adviser to understand your own / your organization’s obligations and responsibilities regarding GDPR.
Now that we have that scary business out of the way, let’s talk GDPR – the General Data Privacy Regulation, which comes into effect on May 25, 2018. Specifically, this regulation deals with how organizations obtain, store, manage, and/or process the personal data of citizens of the European Union (EU). Even if you are a US-based marketer, who does not do business outside the US, if you have any EU citizens in your database, you must pay attention to GDPR. Since marketers collect data through opt-in forms (most typically) and other means, you are subject to this new regulation.
But seriously, what could happen if you don’t pay attention?
You could get bitten. If you get in trouble with GDPR, the fines could put you out of business. The initial fine alone is 10 million Euros, or 2% of your top-line revenue (NOT your net income!!!), and it can go as high as 20 million Euros and 4% of your top-line revenue, whichever is greater. That’s how serious this is.
The really super-tough thing is that “personal data” as referenced in the GDPR could be as simple as an email address. From the site referenced above, personal data is defined as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” In other words, don’t brush this off by thinking “I don’t collect credit card info or social security numbers or dates of birth, so I’m okay.” If you collect ANY information from EU citizens, you are subject to this regulation.
There are some specific cautions that US-based marketers must address:
- You must be able to show how and when consent was obtained.
- If an EU citizen requests to understand how their data is being held, or what data you are holding about him or her, you must comply.
- An EU citizen must be able to withdraw consent as easily as he or she gave it.
- Who you are – the entity that is collecting the information – and information about how/where data is stored and how it is used must be crystal clear.
There’s MUCH more to GDPR than those five items, so again, consult your own attorney. For the purposes of this informational blog post, however, for US-based marketers, those are some of the most important points to consider. Now let’s break down how you address each one.
Obtaining Consent for GDPR (and being able to show it)
Establish an audit trail that illustrates how and when a lead was added to your lead database or your email list, and from what IP address. If an EU citizen opts-in by filling out a lead capture form (opt-in form) on your website in order to get access to a downloadable PDF, it is critical that you deliver the PDF via email AND be able to track when the document is downloaded. DO NOT collect the form data and immediately present the requested information, as that would likely not satisfy the consent requirement. (Think about it – anyone can put any email address into an online form, right?) The form-fill PLUS the actual tracked download of the file is much more likely to keep you out of GDPR hot water.
In addition, we have added the capability to add a blind-carbon-copy (BCC) recipient to emails sent from Genoo, explicitly for the purpose of GDPR compliance tracking. Create an archival inbox in your internal email system (like firstname.lastname@example.org) and add that to the fulfillment email (the email that delivers the requested download or information). We’ve made this simple with Genoo. If you select that an email is a fulfillment email, the BCC box appears right under it. We also provide all of the tracking information right in the Activity Stream detail for each individual lead. We’re showing the origination IP address and where that IP address lives.
We are working on allowing our customers to create explicit “consent agreement” statements that can live on lead capture forms (opt-in forms), which would be automatically presented with an “I agree” checkbox in certain circumstances. You will need to consult your attorney about what will be required in your concise consent agreement. And yes, pre-checked boxes are definitely out, as is burying GDPR language in your already lengthy Terms document.
Show What You’re Storing and How You’re Storing It
Make sure it’s easy for people to access this information right off of your website. Or, you could offer a way for an individual to request this information, and receive an email with the information, or a link to where they can find it. And, of course, make sure that such requests don’t automatically add the requester into your general email list. Right now, in Genoo, you can export a lead record to a CSV or PDF file if needed, and attach that file to your response to such a request.
You must also be crystal clear about how and where you are storing information. All of Genoo’s production servers are in the US in our cloud environment. If you are using a cloud-based marketing automaton service that has production servers in other countries, you’ll need to be explicit about the possibility that lead data could be transferred internationally as well.
Provide Clarity About the Data You’re Collecting
The GDPR has specific requirements about clarity, including the following:
- Who are you, and how can you be contacted? Your website MUST be absolutely clear about WHO your organization is and HOW the organization can be contacted. That’s a good idea in any case, but GDPR makes it critical.
- As mentioned above, you must include information about about where data will be held (in what country) and whether it will be transferred internationally – which is likely the case if you’re using any cloud-based services with production servers in other countries).
- The right to see what you have stored and to request rectification or deletion must be provided. As mentioned above, you can provide the complete lead record to an individual who requests it. While any individual can opt-out or unsubscribe to any email at any time (and this is required already by US CAN-SPAM law), you may also need to DELETE the entire lead record from your database, which may require an internal policy change. Most email marketing systems actually RETAIN information about opted-out leads to ensure that they don’t get re-uploaded and mailed to again).
Random Other Important Notes
If you ever purchase an email list and start emailing to it, you’re going to want to strip out any obvious EU email addresses before you ever send a single email. You may also want to put a purchased list through an email cleansing service. GDPR is going to change the list-selling business. If you DO purchase a list, and the provider says “cross my heart there are no EU citizens on this list,” get some contract language around THEM covering the fines if they’ve made a mistake. Then hope they do it. Scary, right? To be honest, even downloading your LinkedIn contacts, uploading to your marketing system, and emailing them could cause you some trouble. BE CAREFUL.
If you send out sales development emails (SDR emails), a lot of times those emails aren’t even CAN-SPAM compliant, and they CERTAINLY won’t be GDPR compliant. I personally get 20+ unsolicited emails a day, and I bet you get a lot of them also. Sometimes they don’t even acknowledge the existence of a law, and other times they say something like “don’t want me to email you again? Reply with ‘no thanks’ in the subject line.” Soooo not CAN-SPAM compliant! If you’re involved in this sort of marketing – and any unsolicited email like these sales emails is actually marketing – get yourself compliant before you get in trouble, whether with GDPR or with the good ol’ FTC.
As marketers, we don’t want to add friction to the opt-in process. In the US, we aren’t required to do double-opt-in (thank heavens, as that can suppress your opt-ins by about 50% give or take). US law is an opt-out law, where other countries are an opt-in law. That said, having an easy way to identify EU data subjects and provide them with the consent agreement they need and you with the audit trail you need is critical as you move forward with your email marketing or any other mechanism you use to collect and utilize data.
The Bottom Line
GDPR is an important change that marketers, even US-based marketers pursuing a US-based clientele, MUST pay attention to. When I was a panelist on the marketing panel at Consumer Identity World last fall (2017), we agreed that, if you are using marketing best practices, segmenting your list, and sending the right message to leads at the right time, you will likely never run afoul of GDPR.
These best practices and how to implement them, even if you are a marketing department of one or a business owner who also wears the marketing hat, is what we teach in our Email Expert Academy program and what our software makes easy to implement. Your goal is to build trust, authority, and relationships with your leads. Lead them on their journey to solve their problem, address their challenge, or optimize their opportunity. Don’t badger people to buy when they’re not ready to buy; simply nudge them in the direction of a decision with great content that’s offered in response to their interests. That’s what turns visitors into leads and leads into customers, and I know that’s what you want from your marketing efforts.
Here’s the disclaimer one more time: We are not lawyers, and this should not be construed as legal advice. This post is intended for informational purposes only. You must consult your own legal adviser to understand your own / your organization’s obligations and responsibilities regarding GDPR.