GDPR, the General Data Protection Regulation, becomes effective today for anyone with users in Europe. It has the unfortunate combination of being EXTREMELY IMPORTANT and DIFFICULT TO UNDERSTAND.
Most conversion experts, e-mail marketers, and general online marketers will not have time to wade through the legalese, but will still need to get out of the blast zone.
This article is meant to be a starting point for those marketers.
It will not replace your legal team’s advice – you should definitely get together with your information security and legal teams to finalize the strategy. But this should point you in the right direction, and help you out if you want to get details about GDPR in plain language.
Data minimization – no “greedy marketer” syndrome
One of the chief reasons the EU is implementing GDPR is how data is being collected by marketers. When you ask for information just about anywhere in the world, you can ask for a disproportionate amount of information in return. Your conversion rate will probably tank because of that, but there’s no legal reason you can’t do it.
GDPR changes that.
Here’s the relevant part of article 5, on principles relating to processing of personal data.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
What this means is that you have even more reason to collect only the data you need.
- You need that email address to forward the user the PDF he or she asked for
- You want the phone number, company they work for, size of company, and physical address to build their profile within your marketing automation system
Those extra things you want? They are not fair game anymore if you have users in Europe.
You need to be explicit about what you’ll use the data for, and collect only the data you need from the user.
Opt-in consent – no default subscriptions
Some marketers play these consent games with visitors:
- Users can opt out when filling out a form, but the opt-in tick box is pre-checked
- Users are automatically opted in, and users have to manually notify the company that they don’t want to opt in to a particular program
- Language in the opt-in program is vague enough that users may be signing up for multiple things without realizing it
All of these games will put organizations at risk of non-compliance. Here are the relevant parts of article 7, conditions for consent:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
What this means for you is that if you have users in Europe, those consent games are no longer viable.
You have to be clear about what users are opting in to. If you want them to opt in to your newsletter AND you want to show them product promos, you’ll want them to consent to both things separately, and you’ll need to explicitly state that.
Remember these four things:
- Consent should be actively given
- Users should be informed about what they are signing up for in clear language
- Silence and pre-checked boxes don’t count as consent
- Consent for one activity does not apply as consent for other activities
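A consent ledger that enforces those four rules in code, as an added example (not from the original article; subject ids, purposes and wording are constructed): an opt-in is refused unless the user actively ticked the box, consent is stored per purpose so the newsletter opt-in never covers promos, withdrawal is a single call, and every event is kept with the exact wording shown so the controller can demonstrate consent later.

```python
"""Per-purpose consent ledger (constructed example, not from the article)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes must be declared up front; consent is recorded for each one separately.
PURPOSES = {"newsletter", "product_promos"}


def _now():
    return datetime.now(timezone.utc)


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal
    wording: str           # the exact text the user saw, kept for demonstrability
    recorded_at: datetime


@dataclass
class ConsentLedger:
    events: dict = field(default_factory=dict)   # subject_id -> [ConsentEvent]

    def grant(self, subject_id, purpose, wording, box_ticked_by_user):
        """Record an opt-in. A pre-checked box or silence is not consent."""
        if purpose not in PURPOSES:
            raise ValueError(f"undeclared purpose: {purpose}")
        if not box_ticked_by_user:
            raise ValueError("consent must be an affirmative act by the user")
        self._append(subject_id, ConsentEvent(purpose, True, wording, _now()))

    def withdraw(self, subject_id, purpose):
        """Withdrawal takes one call, no justification and no extra steps."""
        self._append(subject_id, ConsentEvent(purpose, False, "withdrawn", _now()))

    def is_permitted(self, subject_id, purpose):
        """Only the latest event for *this* purpose counts; consent given for
        one purpose never carries over to another."""
        for ev in reversed(self.events.get(subject_id, [])):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def evidence(self, subject_id):
        """What you would show a regulator: every event with wording and time."""
        return [(e.purpose, e.granted, e.wording, e.recorded_at.isoformat())
                for e in self.events.get(subject_id, [])]

    def _append(self, subject_id, event):
        self.events.setdefault(subject_id, []).append(event)
```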
Withdrawal of consent – no making visitors jump through hoops
Another thing you need to work on is giving users the option to opt out of your programs. Article 7 continues:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
If you have e-mail blasts in the form of product promotions or newsletters, those should always have clear ways for people to opt out of your programs. And those should be in plain sight.
It used to be better from a conversion standpoint to only have people in your database who WANT to be there. Now, that’s better from a legal perspective, too.
Technology stack – no security, no names
If you’ve been playing fast and loose with anything containing personally identifiable information, you’d better beef up your technology stack quickly. That means you can’t have sensitive customer information and profile-building without provisions for pseudonymization or related technologies.
Excel files floating around in the company with actual names and sensitive information should have always been a no-no, but now you have more reasons to keep that from happening.
Article 25, data protection by design and by default, has provisions that are pretty tough on companies with light security:
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
Bottom line, if you want to house personally identifiable information, you need to pony up to keep that information secure.
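One way to put pseudonymisation and data minimisation into practice, as an added example (not from the original article): the marketing profile store is keyed by a keyed-hash pseudonym and holds only the fields a declared purpose needs, while the e-mail address and the HMAC key live in a separate restricted table. The field names, purposes and the sample form are constructed for the example.

```python
"""Split storage with HMAC pseudonyms (constructed example, not from the article)."""
import hashlib
import hmac
import secrets

# Fields each declared purpose is allowed to keep (data minimisation).
# Anything a form collects that no purpose needs is dropped on ingestion.
ALLOWED_FIELDS = {
    "send_pdf": {"email"},
    "profile": {"company", "company_size"},
}


def pseudonym(key: bytes, email: str) -> str:
    """Keyed hash: same person -> same token, unlinkable without the key.
    (A plain SHA-256 of an e-mail is trivially recovered from a mailing list.)"""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def fields_to_keep(purposes):
    return set().union(*(ALLOWED_FIELDS[p] for p in purposes))


class SplitStore:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # stored with identities, never with profiles
        self.identities = {}   # pseudonym -> {"email"}  (restricted table)
        self.profiles = {}     # pseudonym -> minimised profile (marketing table)

    def ingest(self, form, purposes):
        """Store only what the declared purposes need, split across two tables."""
        pid = pseudonym(self.key, form["email"])
        keep = fields_to_keep(purposes)
        # The direct identifier goes to the restricted table only.
        self.identities[pid] = {"email": form["email"]}
        # Profile fields survive only if a declared purpose needs them.
        self.profiles[pid] = {k: v for k, v in form.items()
                              if k in keep and k != "email"}
        return pid

    def dropped_fields(self, form, purposes):
        """What the form asked for but no declared purpose justifies keeping."""
        return sorted(k for k in form if k not in fields_to_keep(purposes))

    def reidentify(self, pid):
        """Only the holder of the restricted table can get back to a person."""
        return self.identities[pid]["email"]
```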
GDPR Compliance: A Complex Beast
Avoid getting hit with penalties. If you’re behind on GDPR compliance work, you need to, at a bare minimum, do …
- an audit of how much data you collect and whether you need to do any data minimization,
- a run-through of how you turn personal data into anonymous data, and
- a review of how explicit you are about getting consent to use visitor data.