Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
If you’re a marketer, we expect you’ve heard about the General Data Privacy Regulation (GDPR) coming into force on 25 May 2018. The legislation will have a big impact on the way marketers approach their work and how organizations obtain, store, manage or process the personal data of EU citizens. This post will give some specific examples of what will change, how we’re thinking about it at HubSpot and the wider industry.
To start, we want to highlight research carried out by the HubSpot team, and unfortunately it’s not good news. Just 36% of marketers have heard of GDPR, while 15% of companies have done nothing, and are at risk of non-compliance. We would go as far to say there’s a worrying lack of action, and most companies are not ready for the GDPR. However, we’re optimistic this blog post will act as a conversation starter and inspire action within the industry.
There are two important parts of the Regulation that we want to highlight. First up, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you. Secondly, the potential penalties for falling foul of GDPR are going to be severe. Depending on the type of violation, companies will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). These big penalties show that the regulators mean business and companies cannot afford to ignore the legislation.
On a more upbeat note, we think the legislation is a positive step. It’s an opportunity for good marketers to continue doing positive work in a way that puts people and their concerns at the forefront. It also means marketers will have to work harder to earn attention and gain the right to communicate with people on an ongoing basis.
But hard work won’t be enough: marketers will be forced to up their game and become more creative if they want to succeed. Again, we don’t see that as a bad outcome at all. Anything that gives more power to consumers and makes marketers get better is to be welcomed.
But those companies which have put their own needs ahead of consumers and indulged in shady or outbound tactics are in for a shock. Their world is going to change dramatically as the GDPR will hasten the demise of marketing tactics like buying lists, cold emailing and spam.
Not only are these tactics outdated, they provide a poor experience for the recipient and they’re becoming less and less effective by the day. Inbound marketing has always been the antithesis to these tactics -- it puts the consumer first and attracts them with valuable content. But now, via regulation, others are going to have to adapt their marketing playbook.
What impact will the GDPR have on my marketing activities?
You may be asking yourself, “where should I start with GDPR?”. There’s a lot to digest when it comes to the new Regulation so, to help you out, we’ve created a dedicated GDPR web page with a tonne of information about the GDPR, including what it is, why it came about, a glossary of terms and the most important of the changes the GDPR brings to EU data privacy legislation.
With that covered, we're now going to work our way through the inbound marketing methodology and look at the GDPR principles you should consider at the various stages of the inbound marketing methodology:
Stage 1 - Data Collection
The GDPR was designed to ensure that there will be more transparency between the organizations who collect and control the data (the ‘Data Controllers’) and the individuals whose personal data is being collected (the ‘Data Subjects’). This means that any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. The individual will need to give their consent to that use and the consent needs to be clear, in plain English and "informed, specific, unambiguous, and revocable". Data subjects also need to be told about their right to withdraw consent.
Example: Meet Amy Meyer. She lives in Germany, has a passion for interior design, and we’re going to use her as an example throughout this post. If Amy downloads an ebook from The Paint Company to research what colours she can combine for the decoration of her new house, The Paint Company will need to make sure that they explain to Amy how they’re going to use her data.
For instance, if The Paint Company is planning to track Amy’s usage of its website, wants to send her more information via email, or is planning to share it with their affiliates outside the EU, they need to communicate that clearly and Amy needs to consent to that use. It won’t be sufficient for The Paint Company to pre-tick the box on a form to send information to Amy by email, as ‘opt-out consent’ will no longer be permitted under the GDPR.
Importantly, if The Paint Company decides they want to use Amy’s data for a new purpose at any point during the relationship, they’ll need consent from Amy to use the data for that new purpose. So while it’s clearly important to be transparent at the time of collection, it’s important that organizations remain open and transparent throughout the marketing process, and in terms of how it manages personal data after the relationship has ended.
When an organization is collecting data from an individual in order to convert a website visitor into a lead, they must remember that, under the GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection. Data collected by the organization which is deemed unnecessary or excessive will constitute a breach of the GDPR.
Example: The Paint Company created a landing page for prospects like Amy to download an ebook on living room colour schemes. Before Amy can download the ebook, she will need to complete the fields created by The Paint Company. It’s reasonable that they might want to collect her name, email address and even details about the project Amy is about to undertake. However, if they were to attempt to collect information about Amy’s family (for example, if she is married or how many children she has) or her health, this would be excessive as that data should not be required by a painting and decorating company.
Stage 2 - Data Storage and Processing
Purpose and Usage Limitation
organizations can only use the data collected and stored by them for specified, explicit, and legitimate purposes. They’re not allowed to use it in any way that would be incompatible with the intended purpose for which it was collected. Also, if they plan to transfer or share the data with another company, they need to ensure they have consent from the person to do so.
Example: After Amy Meyer has downloaded the ebook from The Paint Company, Amy decides that she wants to enroll in an online course to learn more about painting and decorating. If the online course is being run by a third party training company on behalf of The Paint Company, they, The Paint Company will need to ensure that the training company have Amy’s consent to use the data. In addition, the training company will not be able to use the data for any other purpose other than the purposes Amy consented to.
Once data is collected, the organization needs to ensure it is stored in a secure manner and in accordance with the Security provisions of the GDPR. This means they must use “appropriate technical and organizational security measures” to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymization or anonymization methods to protect it or segregating the data from other data in their systems.
Example: Now that Amy Meyer’s data is stored in The Paint Company’s systems, it is the responsibility of The Paint Company to ensure it is kept safe and secure. Before collecting the data, The Paint Company should have assessed the types of data they planned to collect and work with their security team to ensure that it meets the standards of the GDPR.
These standards will differ depending on the kinds of data collected (for instance, security standards will be higher for sensitive data, biometric data or data about children) and how they’ll use that data. Only employees who need to access that data for the intended purpose have access to it and contracts with any vendors touching that data contain the relevant security protections.
People will now be able to ask organizations at any time to correct or update their data if the information is no longer accurate.
Example: Amy Meyer has bought some paint from The Paint Company and has also signed up to their loyalty program to receive discounts and new design ideas via email. Amy has moved to a new email service provider and wants The Paint Company to update her data so she receives emails to her new email address.
The organization is responsible for ensuring they comply with their obligations under the GDPR. Not only will they need to keep records to prove compliance (for instance, records of consent for all of the data collected), they’ll also need to ensure they have policies in place governing the collection and use of that data.
They may need to appoint a data protection officer (DPO) and they’ll also need to ensure they implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf.
Example: The Paint Company decides to run a marketing campaign targeting people like Amy, offering a place at an interior design webinar run by a third party training company. Before running the campaign, The Paint Company will need to ensure their system has the capability to not only obtain Amy’s and the other participant’s consent to all uses of their data (including sharing it with the third party), but also to record that consent. They will also need policies about how they will use that data, and ensure the contract with the training company includes the necessary provisions required in Processor contracts under Article 28 of the GDPR.
Stage 3 - End of the Relationship
organizations may only hold on to personal data for as long as is necessary to fulfill the intended purpose of collection. So if the relationship is terminated for any reason, they need to ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.
In drafting their retention policies, organizations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods. For example, they may need to retain some financial data for auditing purposes by law. While this is permitted, it should be outlined clearly in their retention policy and made clear to Amy. Again, the principle of transparency is important, even at this stage in the relationship.
Example: After ordering supplies from The Paint Company and decorating her home, Amy no longer requires the services of The Paint Company and closes her account with them. The Paint Company will need to ensure they comply with their own data retention policy if they want to hold on to any of Amy’s data after her account is closed.
If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but from any downward vendors’ systems who were processing that data on behalf of the organization.
Example: After ordering supplies from The Paint Company, Amy has now found out about a competitor that is offering better products and wants her data to be deleted from The Paint Company’s database. She sends an email to request the deletion and the company follows up quickly with the confirmation of her deletion. The company should ensure that Amy’s data is also removed from it’s vendor’s databases.
Why Marketers Should Welcome the GDPR
There’s lots that organizations must do to ensure they comply with the GDPR, but we welcome it. In fact, we see three big changes coming that will boost the marketing industry:
1) People’s attention will be treated with the respect it deserves.
For marketers to succeed when the GDPR comes into force, they’re going to have to focus on providing even more value to customers. This means the job of a marketer is going to get more difficult. They will have to work hard (really hard) to attract consumers and earn the right to speak with people. But they should -- attention is a valuable commodity, and in truth it’s been abused by marketers over the years.
2) Greater transparency between people and the companies that hold their data.
If the GDPR is successful it will provide greater transparency and control to EU citizens over how their data is being used by organizations. Transparency is key. Today, few people see the benefits of sharing data, but they often do because they want to use a service or product. Forcing companies that collect data to become transparent means they will need to communicate and provide value to the person. We expect greater communication and transparency around data collection will lead to better understanding about why people should share data.
3) A higher bar for marketers has been set.
Let’s not fool ourselves -- the GDPR is going to (forcibly) raise the bar for marketers. Tactics which don’t have GDPR-compliant consent mechanisms built in will be consigned to the history books. This means marketers will need fresh thinking and have to innovate. The end result is that to succeed in this new reality and comply with the GDPR, we’re going to see better, more creative and thoughtful marketing.
We see the GDPR as a watershed moment for the marketing industry. It’s rightly causing many organizations to rethink how they approach marketing, but it’s also a huge opportunity for businesses to articulate the importance of people sharing their data and how it leads to greater personalization, better products and services, and a more efficient data economy. For too long businesses have remained silent on this issue. A discussion is long overdue and we’re excited to help shape it.
Originally published Nov 21, 2017 6:00:00 AM, updated May 10 2018