You’ve attracted another engaged and interested website visitor. Your visitor located your site through a search engine, clicked on an ad targeted to his interests and arrived on a page personalized to his needs.
Now he’s reaching out in search of more personal engagement from your company.
By any digital marketing standard, this is a great outcome. But hold on: As eager as you are to engage, you need to temper your enthusiasm.
Thanks to the European Union’s new legal framework for data protection, marketers now have new rules for the use, protection, and control of personal data. Known as the General Data Protection Regulation (GDPR), the regulation applies from May 25, 2018.
The GDPR shifts the balance of power to consumers by giving them expanded rights to modify, delete, and receive a copy of the data any organization holds on them.
Why the GDPR Matters to US Companies
The GDPR has global reach: it is likely to affect any company that handles the personal data of European Union (EU) residents, regardless of where the company is based.
The GDPR applies to more marketers than you may think, including small US-based companies with incidental sales to EU residents.
The minute such a business captures the email address of an EU resident with the intent to communicate with him and track his response, that business becomes subject to the GDPR, regardless of where the business, its servers, or the data subject is located at the time.
The new law requires marketers to take clear steps to protect the data generated by EU residents.
‘Never Trust, Always Verify’
Treat the public internet as a Zero Trust environment. Coined by Forrester in 2009, Zero Trust captures the principle “never trust, always verify.”
In Forrester’s words, “ensure that all resources are accessed securely regardless of location, adopt a least privilege strategy, and strictly enforce access control, and inspect and log all traffic.”
With that in mind, validate each submission before accepting the personal information a website visitor provides. Any person or bot can push personal information to us, and once we hold it, we are responsible for it. So reject fraudulent or unverified data from the start, rather than cleaning it up later.
GDPR requires businesses to have a known, documented, and governed approach for personal information. That includes knowing:
- How and where data gets into an information system (a term I’m using generically in these articles for simplicity’s sake)
- Where that data flows
- What operations it supports
- How the data is used
GDPR: Document and Govern Data Flow
Marketing organizations use many platforms and systems. In addition, the technologies extend beyond the marketing department.
Once data is in our system, multiple things can happen. A prospect, for instance, can become a customer. At that point, his information flows beyond marketing platforms into operational systems. Your Data Protection Officer probably already requires your organization to document and govern this data flow.
How? Document your marketing systems using Business Process Model and Notation (BPMN) — a standard for business process modeling that provides graphical notation for specifying business processes in a Business Process Diagram, based on traditional flowcharting techniques.
For example, outline the processes and systems for personal information that enters your information system. Start simple. We’ll build this diagram throughout the article as we explore additional topics.
Remember, this first diagram demonstrates how we treat data flow now, before the GDPR.
GDPR Requires Consent and Verification
The GDPR upholds the concept of consent, which has long been enshrined in European data protection legislation.
But the GDPR goes farther. It is more prescriptive when it comes to the conditions for consent, eliminates some historical ambiguities, and mandates consent be given freely and specifically.
To verify consent, practical marketers in the post-GDPR era will treat all submitted data as unverified until the person who submitted it confirms it.
This is the double opt-in process: in response to the information you receive, you send an email asking the person to confirm. The goal is to clearly establish the person’s intent to provide the information, and to establish that the address really belongs to the person who submitted it.
As a practical matter, unverified submissions need their own retention policy: if the person never confirms, you must delete the data, because you have no permission to retain it.
Under the GDPR, your double opt-in process is limited to a single communication. You cannot send a second verification request if the person fails to respond promptly; the unconfirmed record simply expires and is deleted.
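As an added example (not part of the original article and not Arke’s own code), here is a minimal double opt-in flow in Python that also applies the “validate before accepting” point from the Zero Trust section: the form handler rejects any submission whose consent box is not ticked, holds the rest as pending, sends exactly one verification email carrying a signed, single-use, time-limited token, and purges anything not confirmed within the retention window. The in-memory store, the `SECRET_KEY`, the 48-hour `CONFIRM_TTL`, the consent-policy version string and the stubbed email send are all assumptions for illustration; a real deployment would use a database, a secrets manager and a mail service.

```python
"""Double opt-in with a single verification email and expiry of unconfirmed data.

Added example, not from the original article. The store, key, TTL and
email delivery are stand-ins (assumptions) so the module runs offline.
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SECRET_KEY = b"replace-me-from-a-secrets-manager"  # assumption: real key lives outside source
CONFIRM_TTL = 48 * 3600  # assumption: unconfirmed submissions are deleted after 48 hours
CONSENT_VERSION = "consent-policy-2018-05"  # assumption: records which policy text was accepted


@dataclass
class Pending:
    email: str
    fields: dict
    token_id: str
    created: float
    consent_version: str


class OptInStore:
    """Holds unverified submissions separately from confirmed contacts."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # token_id -> Pending
        self.confirmed = {}         # email -> confirmed record
        self.sent = []              # (email, token) pairs; stands in for sending mail

    def _sign(self, token_id, email):
        # Bind the random token id to the address with an HMAC, so a leaked copy
        # of the pending table alone is not enough to confirm a record.
        mac = hmac.new(SECRET_KEY, f"{token_id}:{email}".encode(), hashlib.sha256).digest()
        return f"{token_id}." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def submit(self, form):
        """Form handler: refuse anything without explicit consent, then hold as pending."""
        # Server-side check; a missing or pre-ticked value does not count as consent.
        if form.get("consent") != "yes":
            raise ValueError("consent box not ticked")
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            raise ValueError("invalid email address")
        token_id = secrets.token_urlsafe(16)
        fields = {k: v for k, v in form.items() if k not in ("email", "consent")}
        self.pending[token_id] = Pending(email, fields, token_id, self.now(), CONSENT_VERSION)
        # Exactly one verification message per submission; there is no resend path.
        self.sent.append((email, self._sign(token_id, email)))
        return token_id

    def confirm(self, token):
        """Confirmation link handler: verify signature, expiry and single use."""
        token_id, _, _ = token.partition(".")
        rec = self.pending.get(token_id)
        if rec is None:
            return False  # unknown, already used, or already purged
        if not hmac.compare_digest(self._sign(token_id, rec.email), token):
            return False  # tampered token; leave the pending record untouched
        if self.now() - rec.created > CONFIRM_TTL:
            del self.pending[token_id]  # too late: delete rather than re-prompt
            return False
        self.confirmed[rec.email] = {
            **rec.fields,
            "email": rec.email,
            "consent_version": rec.consent_version,
            "confirmed_at": self.now(),
        }
        del self.pending[token_id]  # single-use token
        return True

    def purge_expired(self):
        """Retention job for unverified data: delete everything past the TTL."""
        cutoff = self.now() - CONFIRM_TTL
        expired = [t for t, r in self.pending.items() if r.created < cutoff]
        for t in expired:
            del self.pending[t]
        return len(expired)


if __name__ == "__main__":
    store = OptInStore()
    store.submit({"email": "ada@example.com", "consent": "yes", "name": "Ada"})  # constructed input
    _, token = store.sent[-1]
    print("confirmed:", store.confirm(token), "again:", store.confirm(token))
```

The confirmed record keeps the consent policy version and timestamp, which is what you will need to show when a data subject or supervisory authority asks when and to what the person consented. `purge_expired` is the piece most teams forget; schedule it, and remember that backups of the pending table fall under the same retention rule.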
An updated system map might look like this:
Earn the Right to Communicate
As marketers, we need to be transparent and disclose certain information to our site visitors. We also need to make sure site visitors are intentionally providing the information.
We need to:
- Identify our company and provide contact details
- Explain why we are requesting personal data and also offer a legal basis for how it will be used
- List the recipients or categories of recipients who will receive the information
- Explain the details of data transfers outside the EU, including how the data will be protected outside the EU boundaries
- Be clear about the retention period or criteria for retention for the data
- Reiterate the individual’s right to access and port data; to rectify, erase and restrict his or her personal data; to object to processing; and, if processing is based on consent, to withdraw consent
- Alert the individual of his or her right to complain to a supervisory authority
- Identify any statutory or contractual requirement to provide the data and the consequences of not providing the data
- Disclose whether any automated decision making will be based on the data provided and, if so, explain the logic involved and the significance and consequences of the processing
GDPR Consent Policy
The consent policy must be easy to access, which means linking it from the page where the website first collects personal information.
You can accomplish this by placing an “I accept” checkbox next to a link to the policy. Unlike pre-GDPR practice, you cannot accept a visitor’s data until the visitor has ticked that box: leave it unticked by default, and reject any submission that arrives without it.
Your legal team will need to provide new GDPR compliant consent language. Your consent policy needs to address a number of specifics, including retention period and data transfers outside the EU, which I’ll cover in Parts 2 and 3 of this series.
5 Practical GDPR Considerations
With all of these guidelines around obtaining and verifying consent, what’s a marketer to do?
Broadly speaking, if you did not obtain consent following the GDPR guidelines, then you need to ask your contacts to affirm consent for the use of their data.
Here are five practical considerations.
- Identify all the personal information in your system, how it got there, and how it’s being used.
- Connect the records of your users across all of your systems. For example, an individual might have a record on your website, in your marketing automation platform, and in your customer relationship management (CRM) platform. By connecting those systems, you simplify consent. You won’t have to ask the same person to consent three times.
- Have a clear records retention policy. Set a date to delete all records for which you have not again obtained consent to hold. Also, establish a process to delete that data. Don’t neglect your backup servers.
- Develop a marketing campaign to engage all the contacts you need to ask for re-consent. This campaign should drive them to a page on your website and request their consent according to the GDPR guidelines. Do this before the GDPR takes effect on May 25, 2018. Once the GDPR applies, you will be allowed to send these individuals only a single message requesting re-consent; before the effective date, your re-consent campaign can have multiple touchpoints.
- While you must obtain re-consent only from EU residents, identifying them is a challenge unless you have geolocated IP addresses or captured country of residence in a request form. If you have that information, you can target your re-consent process. If you don’t, the safe bet is to treat everyone under the GDPR guidelines.
Feeling overwhelmed? Don’t be. While the GDPR is ushering in significant changes for marketers, it will ultimately improve our accountability and pave the way for deeper relationships with our prospects and customers.
As we navigate this new paradigm, there will be challenges, to be sure. But with a clear strategy and a thoughtful partner, we’ll chart a path that promises to open more opportunities for us all in the long term.
For More Information
- How to Cope With GDPR: New EU Data Law Promises Big Changes for Marketers
- Consent and Data Governance
- Data Security & International Transfers
- Data Retention, Erasure, Access Requests, Preference Management
- The GDPR Is Here: Is Your Site Still Accessible in the EU?
(Arke is providing these articles for informational purposes only. They are not intended to provide, and should not be relied on, for legal advice.)
Want to learn more about GDPR compliance? Email Eric Stoll for more information.
Atlanta-based Arke develops strategies and implements digital technologies for better brand experience for your customers.