11 GDPR experts have come together to help you cut through the buzz and make an honest effort to help marketers worldwide.
Cutting through the Web of Confusions – Experts Speak
Sam Hurley is a lateral-thinking digital marketer with solid experience in both agency and client-side settings. He is the founder of the OPTIM-EYEZ platform and has been ranked the world’s #1 digital influencer by Webinale and the #2 most influential digital marketer by Onalytica, amongst many other accolades.
Firstly, The GDPR must not be taken with a pinch of salt. This is SERIOUS stuff! And failure to comply can result in fines as large as €20 Million (or 4% of annual global revenue, whichever is greater)! Any business that has over 250 employees now needs to appoint a dedicated Data Protection Officer — just to put the magnitude of The GDPR into perspective. No matter the size of your business, here are 3 crucial steps to take:
What personal data does your company hold and/or still collect? How is/was this data gathered? Is all of it absolutely necessary to hold? Are people aware? Do people know how you’re using it?
These are all vital questions to ask — and you must know (+ visibly communicate) the answers in a simplified format. Whether it’s EU email subscribers, customer phone numbers or user cookies — EVERYTHING falls under The GDPR, wherever personal data is concerned.
You must now check in with existing email subscribers and gain their permission (again). The same with any users who have cookies placed. Notify and give them the option of changing their cookie settings.
From now, you must also double opt-in all email subscribers (whereby they receive a confirmation email that requires another click to agree to be contacted again). Don’t get me wrong, it’s not at all easy; this gave me plenty of headaches. And the bigger your business, the harder it gets. However, I’d hope everybody is ready for The GDPR, as of now!
I haven’t any evidence to show you (yet) — but are you really prepared to be the first to be fined by THAT imposing, business-busting amount of €20 Million?
You must gain expressed consent from every visitor … That means unless they click your button to accept cookies, you can’t place any cookies.
Yes, it may have cost huge corps billions to comply. It may have taken a lot of time and money for smaller biz owners to comply. But what is the awesome end result?
The GDPR is a big step in the right direction (away from information neglect and invasive marketing). Ultimately, with a view to better customer experiences, enhanced protection, and very mindful usage of ALL our collective personal data.
HALT sending marketing emails to all your non-opted-in EU LinkedIn contacts. Remember, this is not legal under the GDPR.
Neil O’Keefe is the Data & Marketing Association’s SVP of Marketing & Content. In this role, O’Keefe is responsible for Business Insights, Marketing, Digital Strategy, and Education. As a senior executive on the DMA Leadership Team, O’Keefe leads the association’s strategy of modernizing the CRM and digital infrastructure.
GDPR governs data associated with European residents and includes citizens of other countries who reside in the European Union – upholding the rights of individuals, which will mainly be the right to access data. It’s also about having inaccuracies corrected, besides erasing irrelevant information and putting an end to (unsolicited) direct marketing, thus preventing automated decision-making and profiling as well. You need to ensure that your procedures protect all the rights individuals have, and that includes procedures on how you would delete personal data as well.
Make sure you check your policies and procedures well – ensure you have a plan if someone asks to have their personal data deleted. And this includes conventional data collection procedures like using paper print-outs or an unusual electronic format – revise your procedures with needed changes. Seek answers for your business like:
There is a lack of awareness amongst marketers in the U.S. and other non-European countries, particularly in businesses that don’t have customers in the EU. GDPR is NOT just a European regulation. In fact, any company that’s collecting EU citizens’ data such as email addresses without gathering residential information may risk violating the GDPR after May 25th, 2018. It is advisable that you collaborate with your legal counsel and build the systems required to make it GDPR compliant. There has been a lack of awareness here, particularly in companies that don’t do business or have customers in the EU.
When GDPR takes effect on May 25, companies will need consent or a legitimate interest to process a European citizen’s data.
Take note of the two terms referred to in GDPR – ‘consent’ and ‘explicit consent’ – although the difference between the two is not very distinct, given that both forms of consent must be specific, freely given, informed and explicit.
It also stresses the fact that there must be a clear positive sign of agreement to personal data being processed, referred to as ‘consent’, and that it cannot just be inferred from inactivity, non-response or pre-ticked boxes. If you have been relying on individuals’ consent to process their data, make sure it meets the GDPR standards; or else alter your consent mechanisms or find an alternative way to secure consent.
Note: Consent has to be verifiable, and controllers must be able to demonstrate that consent was given in case of a dispute. This makes it indispensable for marketers to review the systems they currently have for recording consent, so as to ensure they have an effective audit trail. Remember, it means more power to individuals, as they generally have stronger rights where you rely on consent to process their data.
Kath is a thought leader and industry veteran of 18 years, an international conference speaker and trainer, and a regular author and expert contributor. She is recognised as one of the UK’s leading Email Marketers and devotes her time to developing customer-centric ecommerce journeys using a holistic, multi-channel approach.
Email is only a small part of the GDPR – however, it’s a very important part as it’s the consumer-facing element of GDPR. Think of it like the store-front, where you are advertising your wares – in this case, whether you are GDPR compliant – with your subscribe & data-capture forms. Aside from these forms providing the essential doorway to being on our list (and benefiting from our wonderful sale offers, advice, new products etc.), they are also very clearly stating whether we’re GDPR compliant or not. If you’re already obeying PECR (or any related legislation per the country you reside in/or mail to), providing transparency, and recording consent, then only a few minor adaptations will be required (including some ‘behind the scenes’ documentation, including the business case for using legitimate interest if you’re calling upon it).
Think very carefully about these data collection points and test what works best – both for your consumer and your brand. Don’t begrudge having to do this – the fact that email is a permission channel is one of the reasons why year on year it delivers the highest ROI – so make the most of these opportunities!
GDPR has nothing to do with how often you send your emails to your consumers, or whether they open the email or click through the email, or whether they’re inactive. GDPR is all about how you handle and process the data.
Once you realise this, this knowledge will feed into my previous comment about data collection points. Not every form needs an (unchecked) tick-box, nor do you explicitly need to ask for permission to process their data – it is innately accepted (using legitimate interest) that when someone subscribes, you will be processing their data.
This may be too late for some unfortunately, but there seem to be a lot of cowboy consultants who have been mis-advising brands to re-permission their entire list. This is a huge mistake and a fallacy, one I’ve seen too many brands fall for in the past few months. Once you’ve gone down this route, there is no undoing it.
Another mistake is also to believe the mis-advice that the only way to ‘prove’ permission is by using double opt-in. Most definitely, this is one of your options, but it is not a legal requirement. This is a business decision that your company needs to make. But please be aware that if you go from being single opt-in to double opt-in, your subscribe rate will be lower, so make plans to commence this with other acquisition activities, otherwise you may find yourself short of sales and revenue – both in the short term and long term.
Every form does not have to have an unchecked tick-box with legalese saying that the consumer agrees to you processing their data. If you decide to go down this route, then this is a business decision – not a legal requirement – but, again, be aware that this type of language could actually be deemed to be non-GDPR compliant, as it’s confusing and not at all transparent to the consumer. Stay focused on the consumer, that’s what GDPR is all about.
Matthew is a Certified International Privacy Professional (Canada) with nearly two decades of experience in email marketing. He actively shares his expertise on industry trends, serving as director at large of the Coalition Against Unsolicited Commercial Email (CAUCE), the incoming Vice-Chair of the Email Experience Council (EEC), and senior administrator of the Email Marketing Gurus (LinkedIn) group.
GDPR has one core mission: Data protection. The key goal of GDPR is to put control of user data back in the hands of the user. Keep this in mind when building your solutions and your marketing programs to stay focused on how you plan on using the data, and help you communicate with your clients and subscribers. Always ask yourself these questions:
Review all your processes, paying special attention to consent models and unsubscribe practices, and update accordingly to ensure you're GDPR compliant. Of course, I am not an attorney, so please consult one if you have any questions or concerns.
Confirmed opt-in is the only way to achieve consent under GDPR. It’s a simple and responsible way to prove you have consent, but if that’s not your preferred path, GDPR has several different ways you can gain consent (Article 6) from an individual to use or process their data. Just be sure you’ve taken the time to understand what those are, how your organization fits within each of those methods and that you have documented your decisions in a logical and easy-to-understand way.
Do not think you can simply stop doing business with people in the EU. Data is like water. It will find a way into your systems, and simply hiding from it or thinking it won’t happen is a risk you must assume you will need to address. With 500+ million residents in the EU, there is a great chance you will be impacted, financially or otherwise, by the consequences of trying to avoid dealing with the EU.
Erik brings with him 20 years of experience in performance-based advertising and digital marketing solutions across the Retail, Sports/Entertainment, Financial, CPG, B2B and SaaS verticals. Besides being the CMO of AWeber, he provides strategic direction on marketing growth strategies as an advisor to agencies, start-ups, entrepreneurs, technology and non-profit associations.
At first glance, the GDPR may seem scary, but it’s actually straightforward. Not only that, it’s also a good thing for email marketers. It all boils down to doing the right thing with the personal data you collect from subscribers. In other words, only send emails to people who’ve given you permission to do so for the purpose you told them.
At a high level, organizations need to establish a subject matter expert that can be responsible for all things GDPR - including preparing for the launch date, monitoring the industry and communicating any noteworthy updates internally. A task force or committee is great, but there should be one true owner, who does not have to be a lawyer, just someone who can proactively monitor and distribute updates. Other suggestions on preparing for GDPR, both near and long term:
As per GDPR, it all rests on whether you can prove consent from your subscribers or have other lawful grounds for processing the data you have acquired. So, in case you are depending on consent to determine lawfulness, then ask yourself these 3 questions first:
Checkboxes on your signup forms are not required and are completely optional. GDPR states that you need to clearly communicate how you will be processing subscribers’ personal data. This can be done by simply adding a clarifying sentence in your form that is transparent on what data will be sent to the subscriber.
Data processors and data controllers share responsibility for complying with the GDPR requirements. As a marketer or brand collecting email addresses, you are still considered the data controller. You, the marketer, maintain control over how you segment, manage and effectively use that data. Your Email Service Provider (ESP) is simply the processor of that data at your request.
EU officials indicate that fines would likely be a last resort. In fact, a quote from the UK’s Information Commissioner, Elizabeth Denham, reads “The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow”.
Dennis Dayman has 20+ years of experience combating spam, security/privacy issues and data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. He is a longstanding member of several boards and advisory committees, and is also a partner, mentor, and frequent investor in start-ups.
The way GDPR is portrayed in the press is scary. It looks like a burden for businesses. I, however, think GDPR can prove to be useful for your business. Here’s why.
It might seem daunting, but the right planning can make your organization GDPR compliant — and not to forget, improve your business in the process. GDPR works as a reminder to businesses that the data they have is simply on loan — not owned — and organizations have a responsibility to look after it.
It’s not just a matter of confidentiality; it’s about integrity, accuracy, and availability — and it’s just ETHICAL business practice.
According to Article 3 of the GDPR, if you collect personal data or behavioral information from someone in an EU country, your company must abide by the GDPR. Consequently, any organization collecting data on individuals, sharing data or selling products and services within the EU will be subject to GDPR guidelines. Every organization collects data, and if you live, work, employ people or carry out business within the European Economic Area (EEA), there is no way around the GDPR. I’ve watched numerous businesses shut down their businesses there, assuming that doing so would eliminate the need to be GDPR-compliant.
Procrastinating is the biggest mistake. This is mainly because company owners have no clue who should be allocated the responsibility of owning GDPR compliance. When it is allocated to a person/department, it is bound to get delayed as the individuals are often engaged in fulfilling their day-to-day obligations.
Electronic direct marketing is a pressing issue from the past E.U. Directive - e.g. sending emails to people without their consent, spam, unsolicited SMS. It is tough to get right under the new GDPR as it is governed by a range of laws and regulations (e.g. PECR / ePrivacy). It is bound to get more complex with the arrival of GDPR and the updated ePrivacy regulations.
The next mistake is being unable to prove that you have consent for all the data that you have collected. Introspect all the ways you have gathered individual data — through a website or from a payment data card or at checkout at a retail store. Even assuming you have managed to find all of this data, the trick will be demonstrating there is consent for each corresponding piece.
Ryan Phelan has over 17 years of online marketing experience from companies like Acxiom, Sears, BlueHornet and Responsys. Ryan, a respected thought leader and nationally distinguished speaker, is responsible for Adestra’s marketing efforts in the U.S. He serves as Chairman Emeritus of the EEC Advisory Board and as a member of the board of directors of the ESPC.
This calls for companies/businesses to challenge their attitudes toward data transparency and control over customer data. Again, this may require you to bring a revolution in your corporate culture as well.
So, it’s crystal clear, GDPR isn’t about just quoting, ”customer is at the center of advertising and marketing”, but actually putting them at the heart of your business. This will comprise listening to direct customer feedback, and this should involve participation from C-level executives in your company and passing the learnings down the organization. This makes it important for respective teams to contemplate the customer control, authorization and transparency aspects of the associations you have with your customers.
The major reason for all this frustration and confusion with regards to GDPR is because we are not accustomed to offering such kind of transparency to our customers. Have you ever experienced any permission or ceding control while dealing with brand equity? Obviously not! It’s always the company that controls the interaction.
GDPR is bound to make a huge difference to businesses, but its primary goal is transparency as far as customer data is concerned. It will certainly influence the way we take care of data, communicate with our customers and treat them. Thus, GDPR will contribute extensively to our brand equity.
Companies can either blame the law or embrace it, showing customers how they are entitled to share or withhold their permissions and data. It’s for sure that companies that become gateways to customer permissions rather than roadblocks will thrive under GDPR.
It is also recommended that companies update their customers about the changes and the control they are being granted. Moreover, ensure that the message you convey is authentic, summarize the existing brand equity and clarify the steps undertaken.
Founder and CEO of SendinBlue with a passion for helping SMBs grow with powerful and cost-effective marketing tools, allowing them to rise up and beat the giants.
The guiding principle behind the GDPR is the idea that companies need to implement better security measures around their customers’ personal data and provide more transparency on how they manage and process this data. People should have more control over how their personal information is used and be able to make an informed choice when providing consent to this processing without having to worry about data breaches or mishandling.
With this in mind, companies need to look inward and refine their processes around gathering and managing sensitive customer data. The goal is to provide as much security and transparency as possible for customers throughout their entire relationship with your business. This means providing clear opt-ins for specific types of data processing like sending emails or tracking on-site behavior and making it easy to opt-out or change these preferences at any time. It also means ensuring that every step of your data processing pipeline is secure, as well as updating privacy policies and user agreements to reflect the new responsibilities under the GDPR and making this information readily accessible to customers.
One of the biggest myths about the GDPR is that only the business processing a customer’s data directly needs to be in compliance with the GDPR. In the regulation, this party is known as the controller, and it’s true that they hold much of the responsibility regarding GDPR compliance. But, if the controller is using a third-party platform to process or store customer data, this processor must also be GDPR-compliant.
For example, if you use an email marketing tool for your business, you must make sure that this tool is also adhering to GDPR requirements. These tools share a portion of the responsibility for keeping customer data secure and accessible in the chain of processing. That’s why it’s essential to look into all of your third-party software providers and make sure they’re complying with the GDPR requirements in how they process data on your behalf.
The number one mistake that businesses should avoid is ignoring the importance of consent. Even seemingly innocuous tactics like passive opt-ins (in which the opt-in checkbox for a subscription is pre-checked and customers must uncheck it if they aren’t interested) or catch-all opt-ins (in which customers subscribe to receiving “any marketing communications” without clear information on frequency, content, or targeting) are explicitly stated to be improper opt-in methods that do not constitute consent under the GDPR.
Businesses need to be completely forthright when asking for consent for personal data processing and maintain proof of receiving this consent. This means you must ensure your marketing tools allow you to keep these records of consent and eliminate any marketing sleight of hand techniques that limit the ability of customers to choose how their data is processed. Not only do these tactics risk violating the law, but they also diminish customer trust in your business and will hurt your brand in the long run. Instead, businesses should use the new GDPR requirements as an opportunity to create better relationships with customers based on trust and transparency.
John Thies is the CEO and Co-Founder of Email on Acid, a service that gives email marketers a preview of how their emails are displayed in the most popular email clients and mobile devices. His career passion is helping marketers send perfect emails. John also serves as the CEO of Cause for Awareness, a non-profit that empowers other non-profit organizations with digital marketing resources.
Incorporate privacy by design into your culture and standard operating procedures. GDPR requires privacy and data protection controls to be incorporated into any new or existing systems or processes that involve EU resident personal data. Ensure that communications and training programs address this as a part of your culture initiatives.
Organizations should begin training marketers, as well as anyone else who deals with EU citizens’ personal data, on how to comply with GDPR. It may prevent data breaches or, at the very least, help organizations identify potential problems sooner rather than later.
Encryption of Personally Identifiable Information (PII) is a requirement for GDPR. Not true. It is not a requirement, and encryption is only mentioned 4 times in the 261 pages of the GDPR guidelines. The caveat is that if the PII information is not encrypted and there is a breach, you have a regulatory requirement to inform the Data Subject(s). If the PII information is encrypted and there is a breach, you do not have to notify the impacted Data Subject(s).
Marketers don’t own customer data. They borrow it to provide personalized and relevant content that engages and delivers a unique experience. Knowing that you, as a marketer, don’t own your customers’ data is key to better understanding the GDPR requirements.
Think about GDPR and customer data like how you deposit money into a bank. First, you need to find a bank that you trust and allow (consent) them to hold your money. Later when you make a deposit, you know it’s safe and secure (encrypted), you can review the bank statements (see what data they have) and request to close the account (remove all personal information). The bank doesn’t own your money; you do.
So, don’t be disappointed when a customer asks you to remove all their information from your system. It wasn’t your data to begin with.
Raquel Herrera enjoys hosting webinars, public speaking and crafting practical and compelling content like this guide. Her passion for what she does has helped Benchmark become the #1 email marketing tool in six European countries, and it continues to grow.
The same rules for all companies – regardless of where they are established. GDPR is open to interpretation and varies based on the company or industry. Steps to follow will differ, based on your industry.
Dela Quist is CEO of Alchemy Worx, a leading email marketing agency. He is a highly experienced expert email marketer with a strong background in digital media and advertising. Touchstone is a suite of software products based on a unified proprietary infrastructure that records and analyzes previous campaign data and provides insights at a subscriber level.
With regard to GDPR, legitimate Email Marketers/Marketing are in a very fortunate place. We ALREADY have permission! Make sure your clients are compliant with the EU Data Directive and tend to adhere to best practices. Having said that, my concerns regarding GDPR are the words “& beyond” – more on that later. There is nothing within the legislation to concern email marketers unduly; best practice today in email is compliant, and your focus, as always, should be sending the best emails that you can to everyone on your list. Keep testing and optimizing and always look at the data.
The biggest and most costly (to anyone who believes it) is the idea that GDPR means you have to completely re-permission your list and stop sending to anyone who has not opened an email in 3, 6, 9, 12, whatever, months. The idea that not opening an email for 6 months indicates your dislike for a brand and costs you inbox placement is and always was nonsense.
The problem with re-engagement or re-permissioning emails is what to do about the 80%+ of recipients who do not open it and/or fail to select either yes or no? Stop mailing them or try again. If you try again you probably should not have wasted your time. Every email you send is a re-engagement opportunity. Use it wisely.
Most brands are so busy worrying about compliance they have spent very little time thinking about the implications of GDPR moving forward.
On May 25th most of us will or should be compliant with all the green checks shown above. What almost no-one is thinking about is the big RED cross. Have you actually considered how you are going to respond to a subscriber who accuses you of a GDPR breach 6 months ago and demands – as will be their right – that you provide them with all data relating to your interactions with them?
In my opinion the biggest mistake you can make is failing to have all your email campaign data easily available to you. How long would it take you or your team to say precisely what emails were sent on Oct 9th 2017 and whether that individual could have been on a list that breached GDPR? If the answer is more than 10 minutes you have a long way to go. It is one of the reasons that my team have developed a free archiving tool to help solve this problem.
Disclaimer: The information provided here is only for a better understanding of the different regulations collectively implemented as GDPR. It is for knowledge-sharing purposes only and is not to be considered legal advice. The insights shared by the industry experts in this infographic are their own. You are requested to consult an attorney before implementation to avoid any legal hassles. By reading this article you indemnify EmailMonks of any legal implications and cannot hold it responsible for any action pertaining to the information shared in this article.