This is a 2-part blog, where part 1 explains (in plain English) what your firm needs to know about GDPR compliance, and part 2 explains what your firm needs to do about it if you’re marketing to the EU and have chosen consent as your lawful basis.
Read Part 1 here: What GDPR compliance means for US B2B firms marketing to the EU
Disclaimer: This blog aims to give you a general overview of the most important elements of GDPR in regard to marketing to individuals in the EU. It is not legal advice. If you would like legal information or advice on how GDPR applies to your specific circumstances then you should consult a legal professional.
I’ve chosen consent as my lawful basis for processing data, what changes do I need to make to my marketing and lead generation strategy in order to comply?
At present, the US and UK do not explicitly define consent with regard to data protection for individuals who are in the EU.
In a nutshell, this means that pre-ticked boxes and inactivity will no longer constitute consent when it comes to collecting a lead’s information.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement…” (Source: Official Journal of the European Union, Legislative Acts)
And if you want to use a prospect’s data for multiple purposes (e.g. to email, call, mail etc), then consent will need to be given for all of them.
This will likely have a large impact on how your firm markets to the EU as, under GDPR, you will need to be very specific about what you will do with an individual’s data.
In order to ensure you comply with the new definition of consent, I recommend taking a close look at the following 7 key elements of your marketing initiatives:
1. Opt-in processes: unambiguous opt-in processes will be a minimum requirement.
For valid consent to be given, the individual needs to actively and affirmatively specify they are happy for you to process their personal information in the way you have outlined.
Bundling different types of opt-in consents together or asking a prospect to check a box if they don’t want to receive marketing messages won’t suffice.
To protect your firm against opt-in grey areas, we recommend adopting a double opt-in policy.
Double opt-ins work by first asking the individual to give their contact details and then asking them to confirm that the information they provided, and the consent they gave, is correct.
For example, if an individual enters their email address to sign up to a newsletter (first opt-in), they would then be required to click a link that is emailed to them to activate their signup (second opt-in).
2. Outlining data intent: you will need to be transparent about what you will be using your contacts’ personal data for.
You will have to outline clearly what your firm will be using an individual’s personal data for, e.g. whether it’s to send information about your services, invitations to your events, or if you plan to sell it to 3rd parties.
3. 3rd party marketing data: if your firm is supplying and/or buying 3rd party data you will be responsible for ensuring it was collected in a legitimate way.
When GDPR comes into effect, all individuals will legally be entitled to access information about their data, including how it was obtained.
So, if your firm is buying and/or supplying 3rd party data, then you will be responsible for ensuring that the individual was aware, and confirmed they were happy for their personal data to be collected and shared with specified third parties.
4. Pre-ticked consent boxes: you can no longer use default pre-checked consent boxes.
As of May 25th, “they didn’t say they didn’t want to receive communications” will no longer fly.
Firms will need to be able to demonstrate that individuals took clear and affirmative action when giving consent.
This means soft opt-ins (where an individual gives their personal information, such as their email address, for one reason and then the business uses it for another purpose) will also fall outside the new regulations.
5. Withheld services: you will be required to provide clients with a service regardless of whether they are willing to give you their personal data or not.
Gated content—content which is released in exchange for personal data—can still be used; however, the provision of personal data can only be compulsory if it’s necessary to fulfill an obligation, e.g. sending a download to an email address.
You cannot then refuse the content if the individual doesn’t want their data to be processed for the non-immediate need (e.g. to be contacted for anything other than the downloaded content).
6. Record keeping: your firm will need to keep a record of exactly how you are collecting data, what data you’re collecting and how you’re storing it. It will also be responsible for destroying the data when it is no longer ‘necessary’.
Under GDPR, all personal data collection processes will have to be ‘provable’, which is why you need to keep a record of what you are doing with it and how you obtained it.
However, firms will only be allowed to keep personal data for as long as it is ‘necessary’, which means that once your firm no longer requires an individual’s data, it should be destroyed.
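The double opt-in flow from element 1 and the provable, purpose-by-purpose record keeping from element 6, as an added Python example that is not from the original post. The purpose names, the notice version label, the token lifetime and the retention period are assumptions; the emailed link carries a random nonce protected by an HMAC, so a forged or altered link cannot confirm a signup, and a link can be used only once.

```python
import hmac, hashlib, secrets

# Constructed assumptions: the purposes a firm asks for separately, the label
# of the consent wording shown, the link lifetime and the retention period.
PURPOSES = {"newsletter", "event_invites", "phone_calls"}
CONSENT_TEXT_VERSION = "consent-notice-v1"   # which wording the person saw
TOKEN_TTL = 48 * 3600                        # confirmation link lifetime (s)
RETENTION = 2 * 365 * 24 * 3600              # keep data only while 'necessary'
_KEY = secrets.token_bytes(32)               # per-deployment HMAC key

pending = {}    # nonce -> unconfirmed signup (first opt-in)
consents = {}   # email -> confirmed, purpose-by-purpose consent record

def _mac(nonce: str) -> str:
    return hmac.new(_KEY, nonce.encode(), hashlib.sha256).hexdigest()

def start_signup(email: str, ticked: list, now: float) -> str:
    """First opt-in. 'ticked' holds only purposes the person actively chose;
    an empty list (nothing pre-ticked, nothing chosen) is rejected."""
    chosen = set(ticked)
    if not chosen or not chosen <= PURPOSES:
        raise ValueError("at least one known purpose must be actively ticked")
    nonce = secrets.token_urlsafe(16)        # urlsafe alphabet never contains '.'
    pending[nonce] = {"email": email, "purposes": sorted(chosen),
                      "requested_at": now, "exp": now + TOKEN_TTL}
    return f"{nonce}.{_mac(nonce)}"          # this token goes into the emailed link

def confirm_signup(token: str, now: float):
    """Second opt-in: the link is clicked. Returns the consent record, or
    None if the token is forged, unknown, already used or expired."""
    nonce, _, mac = token.partition(".")
    if not hmac.compare_digest(mac, _mac(nonce)):
        return None                          # tampered or forged link
    req = pending.pop(nonce, None)           # single use: gone after this
    if req is None or now > req["exp"]:
        return None
    rec = {"email": req["email"], "purposes": req["purposes"],
           "requested_at": req["requested_at"], "confirmed_at": now,
           "notice_version": CONSENT_TEXT_VERSION, "expires_at": now + RETENTION}
    consents[req["email"]] = rec             # the 'provable' evidence of consent
    return rec

def withdraw(email: str, purpose: str) -> None:
    """Withdrawing one purpose must be as easy as giving it."""
    rec = consents.get(email)
    if rec and purpose in rec["purposes"]:
        rec["purposes"].remove(purpose)

def purge_expired(now: float) -> int:
    """Destroy records that are past retention or hold no purposes; returns count."""
    gone = [e for e, r in consents.items() if now > r["expires_at"] or not r["purposes"]]
    for e in gone:
        del consents[e]
    return len(gone)
```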
- Clear and affirmative action: Implied consent is no longer good enough when it comes to cookies (e.g. “by browsing this site, you agree to the use of our cookies”). Individuals must be given a choice as to whether or not they are happy for tracking cookies to collect their data.
- Opt-out options: Under GDPR, the European Commission makes it clear that it should be as easy to opt out of cookies as it is to opt in. Whilst browsing a site, ‘cookie opt-out’ options should always be visible. Your firm will need to specify all the ways the cookies will be used and allow individuals to opt in or out of each one.
Having a water-tight and transparent consent document available for individuals to view will mean that if you ever run into a discrepancy, you will have provable evidence to support your right to processing their data.
To summarize, you will need to include the following information in your consent document:
• Identity and contact details of the firm’s data controller
• The lawful basis for the processing
• Retention period (how long the data will be stored for)
• The right to lodge a complaint with a supervisory authority
• The right to withdraw consent at any time
*Just remember: the above blog only applies if you’ve chosen consent as your lawful basis for processing data.
Your next steps…
Firms embracing GDPR now will not only benefit from being ahead of the curve, but they will also have a competitive advantage when the new regulations come into effect.
After all, firms that demonstrate an understanding of, and respect for, personal data usage and processing will be preferential choices when it comes to service selection.
Although May 2018 seems a while off, preparations for GDPR will likely take a significant amount of time to put in place. That’s why JTN has already started putting the wheels in motion for its clients.
We’re offering free one-to-one consultations for firms in the U.S. who want to know how they should be preparing for GDPR with regard to marketing to the EU.
This offer is only available in 2017. If you’d like to take up the opportunity, send an email to firstname.lastname@example.org or give us a call on (UK) +44 20 7099 5535 / (US) +1 877 465 7740 to schedule a convenient time.