Remember, however many years ago, when you heard about the coworker who got a desktop? And how they (probably) had to hire movers to help them move the computer in because it was such a large piece of equipment? The excitement around that technology was colossal, and little did we know, the internet would soon take over.
Studies now show that more than four billion people around the world use the internet. We don’t need to explain the internet’s impact on everyday life – information is constantly accessible, and we enter our personal data without thinking twice because it’s so convenient.
You’ve heard of the General Data Protection Regulation (GDPR) that the European Union launched on May 25, 2018. We outline this new legislation below, along with the implications for businesses like yours.
What is GDPR?
In early 2016, this legislation was adopted to better enforce data handling and compliance for European citizens. The regulation gives users control over their personal data and requires organizations to prioritize that data’s protection.
What do you mean when you say ‘personal data’? We are talking about names, locations, bank / credit card information, photos, social networking activity, medical information, computer IP addresses and more.
This legislation allows users to control their information and will change how businesses collect, store and use this data. Under GDPR, individuals have:
- The right to opt-in – Individuals must give explicit consent to organizations to collect and store their data.
- The right to know and access – Users can ask organizations what personal data is stored about them and how it is being used internally. Organizations are required to respond to and fulfil the user’s specific request within a month.
- The right to be forgotten – Customers can request that organizations cease use of their personal data and delete all stored information.
- The right to be notified – If there is a data breach that compromises the security of users’ information, organizations are required to notify individuals and authorities within 72 hours.
Individuals must give consent for organizations to collect, process and store their information, and companies must be transparent about what that data will be used for (and they must be able to prove that a certain individual agreed to a certain action). The GDPR will be closely monitored, and noncompliance can result in large fines.
Does GDPR Apply to My Organization?
All companies selling to or storing information about citizens in Europe must comply. But what about U.S. companies that do not work directly with the EU? Any U.S. company with a web presence and marketing strategy will be subject to the GDPR. Companies that control or process data are affected by this legislation, even if no European data is held.
For example, if you have a live website accessible to people abroad, you are required to comply. It is recommended that all companies and organizations that work with personal data take action to remain within the law.
OK, now to the good stuff. Here are the specific implications for your business.
What Does the GDPR Mean for My Business?
You need to start thinking about your business’s sales and marketing strategies. Review this information, determine a plan of action, and do not hesitate to reach out with any questions or concerns.
Consent is how you, the business, manage opt-ins. Customers need to actively confirm that they are okay with your business storing their personal data – you can’t assume that they are okay with it. Organizations must then be able to prove that consent was given – there must be an audit trail tracing back to when the contact opted in and how they did it. Most customer relationship management (CRM) software, like HubSpot, will do this automatically.
Your consent policy should clearly state how you process personal data and how you acquire customer consent. When a user opts in to your business using their data, the consent process should be specific, clear and transparent. A simple pre-checked box is a no-go – individuals will have to explicitly consent.
Map, Clean and Protect Your Data
First, make sure you understand the types of personal data you are collecting and how sensitive it is to the user. Map where that data comes from and document what you do with it – where it lives, who has access to it and whether there are any security risks to it.
No need to keep more information than necessary – remove any data that isn’t being used. You should also ensure that your systems collect, process and store data in a secure manner to prevent any data breaches.
When you collect users’ data, you need to legally justify the processing of that data. If you need to know a web visitor’s company size, do you need to know their age or how many pets they have? Stick to the relevant info. You, the business, need to let your users know what data you are collecting and how you are using it.
Plan How You Handle Personal Data
How will individuals legally give consent? What if the user wants to delete their data? Are you sure it will be deleted properly? What happens if there is a data breach? Make sure you have specific processes in place, not only for legal reasons, but so your customers feel safe with their data in your hands.
Email Marketing and Facebook Targeting
Does the GDPR affect my business’s specific targeting and marketing communications? Yes, it does, especially when it comes to certain digital marketing strategies. But don’t be stressed.
Facebook Ad Targeting
On Facebook, you can target advertisements to people based on a variety of things: their age group, interests, if they have kids, own a home, and more. Businesses of all sizes use this tool because of the accuracy in user interest, and it’s a cost-effective way to increase company awareness and drive web traffic.
For Facebook ad targeting, Facebook is responsible for user data – they target ads based on specific user information. So, in this case, Facebook complies with GDPR and businesses can continue to use the Facebook tool as they were before.
Facebook Lead Ads
For Facebook Lead Ads, the business controls and processes the data. Both Facebook and the business are responsible for the data collected, but the business is responsible for managing the opt-in / opt-out component.
For email communications, it’s crucial that businesses provide a clear opt-in option for users. If a user enters their email to download a whitepaper, businesses cannot add that email to the contact list. Businesses should add a box when a user requests the whitepaper asking if they would like to receive emails from the business. If that box is ticked, then the business can add them to email communications. Email subscribers must also have an easy way to unsubscribe or update communication preferences.
Businesses must keep a detailed record of when a user opted in, how they did so and what they opted in to. Email service providers (ESPs) like HubSpot and MailChimp will track this. With home-grown email marketing systems, the business itself is responsible for providing the digital paper trail.
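As an added illustration (not part of the original post) of the digital paper trail a home-grown system would need: a minimal consent ledger that records when, how and what a user opted in to, treats a pre-checked box as no consent, and logs unsubscribes so the most recent event decides whether you may email someone. The company name, email addresses and form names are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry in the consent audit trail: when, how, and for what."""
    email: str
    purpose: str      # what they opted in to, e.g. "newsletter"
    granted: bool     # True = opt-in, False = withdrawal (unsubscribe)
    source: str       # how they did it, e.g. "whitepaper-form"
    wording: str      # exact text shown beside the checkbox, kept as proof
    timestamp: str    # when, ISO 8601 in UTC

class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, email: str, purpose: str, source: str, wording: str,
                      ticked: bool, pre_checked: bool = False) -> bool:
        # Explicit consent only: the user must tick the box themselves, and a
        # pre-checked box is rejected outright rather than recorded as consent.
        if pre_checked:
            raise ValueError("pre-checked consent box is not valid consent")
        if not ticked:
            return False  # downloading a whitepaper alone is not an email opt-in
        self._events.append(ConsentEvent(email, purpose, True, source, wording,
                                         datetime.now(timezone.utc).isoformat()))
        return True

    def withdraw(self, email: str, purpose: str, source: str) -> None:
        # Unsubscribing is logged too, so the trail shows the full history.
        self._events.append(ConsentEvent(email, purpose, False, source, "withdrawal",
                                         datetime.now(timezone.utc).isoformat()))

    def may_contact(self, email: str, purpose: str) -> bool:
        # The most recent event for this email + purpose decides.
        relevant = [e for e in self._events if e.email == email and e.purpose == purpose]
        return bool(relevant) and relevant[-1].granted

    def audit_trail(self, email: str) -> List[ConsentEvent]:
        # Right to access: everything recorded about this individual's consent.
        return [e for e in self._events if e.email == email]

# Constructed sample: two visitors download the same whitepaper; only one ticks the box.
WORDING = "Yes, email me Example Co's monthly newsletter (you can unsubscribe at any time)."
ledger = ConsentLedger()
ledger.record_opt_in("ana@example.com", "newsletter", "whitepaper-form", WORDING, ticked=True)
ledger.record_opt_in("ben@example.com", "newsletter", "whitepaper-form", WORDING, ticked=False)
```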
So, there you have it – GDPR in a nutshell. Check your consent practices, give individuals control over their data and be transparent with these users. Companies that value individuals’ privacy beyond legal compliance build trust and retain more loyal customers. Get organized behind the scenes and be the company that respects personal data. We want a thriving, trustworthy, mutually beneficial internet environment for users and businesses.