Smart Marketers Will Adapt to GDPR’s Tighter Data Privacy In EU
Featuring Craig Weiss, COO, True Influence
We are on the verge of a revolutionary change in privacy and data protection regulations for B2B Marketers who do business in Europe.
And many U.S. companies aren’t ready.
In May 2018, the European Union will officially begin enforcing a new set of privacy and consent laws dubbed the General Data Protection Regulation (GDPR). The new rules, which were approved in 2016, touch on virtually every aspect of collecting and managing personally identifiable information (PII) about individuals in EU member states.
The GDPR is broadly considered an evolution of previous EU guidelines marketers have been dealing with for a few years now. And it definitely skews toward more stringent standards enforced by some Euro markets like Germany, and away from permissive markets such as the UK.
As with all government regulations, GDPR is simultaneously expansive and somewhat nebulous about the exact tactics it expects marketers and other data collectors to adopt. (For a list of semi-specifics, ZDNet has a good overview.)
At the 20,000-foot level, GDPR:
The prospect of fines running into the billions is the most eye-catching item – particularly in a U.S. business climate where Equifax can respond to a massive data breach with, “Sorry about that, here’s a year of free credit monitoring.”
But B2B Marketers and their data partners must carefully evaluate all of GDPR’s requirements and adapt if they plan to do business in the EU.
And many companies will find they have some work to do.
A Higher Standard for Consent
At True Influence, we are still evaluating GDPR’s impact on how we ask for and get consumers’ opt-in consent for marketing programs. We’re not sure exactly how we are going to address this requirement, but options include a secondary opt-in device, such as a quick confirm lightbox or e-mail.
At the very least, the consent process has to make it obvious to consumers that they are opting into a marketing program – so obvious, in fact, that you can defend (and document) the consent if a consumer elects to challenge it under GDPR. If nothing else, understand that these standards and their enforcement are going to err on the side of consumer privacy, not businesses’ marketing interests.
We’ve already had quite a bit of experience in this area with our third-party lead generation services. We deal only in high quality leads that typically are vetted via telephone, and our call scripts leave no doubt in consumers’ minds that they are going to be marketed to.
In building out these programs, we complied with the stringent Canada’s Anti-Spam Legislation (CASL), a bellwether for increasingly tight government privacy standards such as GDPR. And we’ve found success in this business. So regulation doesn’t mean the end of your marketing programs – you simply must adapt.
Putting Consumers in Control of Their PII
Many observers suggest that GDPR will prompt companies that collect behavioral data to anonymize it, stripping away PII to avoid many of the constraints and possible liabilities GDPR imposes. One caveat practitioners should keep in mind: only data that truly cannot be tied back to an individual falls outside GDPR. Pseudonymized data – where identifiers are replaced with tokens but a key or additional information could re-identify the person – is still personal data under the regulation, even though GDPR encourages pseudonymization as a safeguard.
Our InsightBASE intent signal monitoring service is designed to fuel Account-Based Marketing campaigns, and so collects data at the business domain level, not about specific individuals. And we have always been highly concerned about protecting consumers’ PII.
We and other third-party data services are evaluating exactly what information GDPR allows us to share with our clients, but rest assured that meaningful marketing intelligence will be available as part of your marketing strategy.
For the record, GDPR defines two roles in collecting personal data: the controller, which decides why and how personal data is processed, and the processor, which processes the data on the controller’s behalf (a third-party data or email service provider, for example).
Under GDPR, both controllers and processors must maintain written records of what data was collected, on what lawful basis it was collected, what it was used for, who it was shared with, and when it was disposed of. They also have to have a clear path for individuals (“data subjects”) to request access to, correction of, or deletion of their data, and to respond within the regulation’s deadlines. Just allowing users to opt out of your email campaigns will not be enough.
Organizations may also need to reconsider what they define as “personal information” under the very broad GDPR umbrella. Such data may include geo-location, device-level IP addresses, online identifiers such as cookie IDs, and even social media activities. You may also need to start tracking some otherwise untracked communications, such as recorded customer support calls.
Again, regulations like GDPR are always vague. Your team will need to develop data policies for EU prospects that comply with the spirit of the law, not just the letter of the law, which is nebulous by design.
Fines and Accountability for Breaches
GDPR does not spell out the technologies or tactics required to protect personal data – it requires “appropriate technical and organisational measures,” naming encryption and pseudonymization only as examples, and leaves the rest up to your IT team. You’ll find some useful insights at CSO.com, but the best advice is to lock down user data, and then lock it down again.
The new laws, however, do spell out detailed reporting protocols and hefty penalties when breaches do occur.
Within 72 hours of becoming aware of a data breach, organizations must report the event to the relevant supervisory authority unless the breach is unlikely to put individuals at risk. When the breach is likely to result in a high risk to the affected individuals, they must be notified as well, without undue delay. Essentially, if a breach could seriously harm an individual, you have to tell them about it, and quickly. These reports must also describe the likely consequences of the breach – how the lost data could be used to harm an individual – and what you are doing about it.
Organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data are required to appoint a Data Protection Officer, whose qualifications GDPR (surprise) does not spell out beyond requiring “expert knowledge of data protection law and practices” – in other words, they should really be good at protecting data.
In my opinion, if you are big enough to fall under these regulations, you should already have a C-level position and team dedicated to protecting personal data — it’s a responsibility that must be taken seriously. As CSO notes, this might not be the best fit for a privacy officer, per se, but rather someone with a serious background in security.
And then there are the fines. Companies can be penalized not only for actual breaches when they occur, but also for unauthorized data transfers outside the EU, failure to implement required procedures, or ignoring individuals’ requests for access to their data. And, yes, the maximum fine for the most serious offenses is 20 million euros or 4 percent of worldwide annual turnover from the previous year, whichever is greater.
Remember how I mentioned the UK as historically taking a lax position on data protection? The Register reports that fines levied against Brit companies in 2016 would have been 79 times greater under GDPR.
That’s serious financial accountability.
Smart Marketing Will Be Compliant Marketing
Some observers have declared that the GDPR is effectively a new global standard for data protection, given the economic power of the EU, but I think that’s taking it a bit far.
Smart B2B Marketers will need to evaluate the data they collect and use on a market-by-market basis. You can no longer afford to adopt the most lax data privacy standards, but you also can’t afford to globally adopt the most stringent, either, particularly since U.S. and Latin American regulators are currently so business-friendly. One caveat: GDPR’s reach is defined by where the individual is, not where your company is. A U.S. company that markets to or monitors people in the EU falls under it regardless of where its servers or offices sit, so “market” here means the prospect’s market, not yours.
You have to react to opportunity, with the understanding that you also must stay true to the spirit of regulations like GDPR. Remember, some personal information, such as the Social Security numbers and birth dates lost in the recent Anthem breach, simply can’t be changed.
Listen, B2B Marketing is not the bane of business people’s existence. There’s both a science and an art to finding people who didn’t necessarily know they wanted to receive your message, but will find real value in it when they see it.
Smart, well-designed ABM campaigns, powered by intent data services like our InsightBASE, will continue to drive business. Marketers just need to be constantly mindful of consumers’ privacy, and that’s ultimately a good thing, both from a liability and brand protection perspective for your company.