The countdown to the General Data Protection Regulation (GDPR) compliance deadline is on. In T-minus 35 days, any company that has business relations with residents of the European Union is required to be GDPR-compliant, all in an effort to give EU citizens more control over their personal data.
Ahead of the big deadline, Demand Gen Report reached out to a variety of industry experts and B2B marketers to learn their last-minute tips on preparing for GDPR and what to expect when it comes to enforcement. Plus, hear first-hand what these companies are doing to establish GDPR compliance.
Whether you’re a leader or laggard, read on to better prepare yourself for the May 25 deadline.
Stephanie Kidder, CMO, Azalead
While GDPR is just weeks away now, it’s never too late to take the first steps (and a demonstrated effort to become compliant, even if incomplete, may help in the worst-case scenario of an audit). If you are engaged with suppliers of marketing automation tools, a quick first step should be to ensure they are compliant. Under GDPR, liability extends to suppliers. So, if you are using a tool or a vendor that is not compliant — and many are not — you’re liable, too.
To get your internal house in order, there are some basic issues outlined in the regulation. Of course, the devil is in the details and some of these are more complex and time consuming than others. But review this checklist to get an understanding of what you need to do:
- Purge all existing data that is not strictly necessary;
- Ensure data collection is limited to what is allowed by law;
- Have in place adequate security and consent measures;
- Have mechanisms in place to delete or return personal data on request and/or contract end;
- Keep comprehensive records of data processing activities; and
- Cooperate with regulators and data controllers, and provide access rights to systems, premises and records.
As an ABM supplier with its roots in Europe, Azalead has always built its marketing platform to be compliant with strict data privacy regulations. In fact, the marketing approaches we enable are 100% GDPR-compliant. Azalead does not collect any information relating to an identified or identifiable natural person as defined by GDPR.
As far as enforcement, it is likely the authorities would first focus on large B2C companies who use marketing techniques that would present obvious concerns – heavy users of personal email data, for example. There are still a lot of potential loopholes and ambiguity in GDPR as we know it today, and we expect a new ePrivacy regulation from the EU later this year that will provide more clarity on certain issues. For now, it’s better to be safe than sorry and at least take some high-level steps toward compliance.
Jamie Walker, Head of Marketing, Synthio
Data accuracy is top of mind for all marketers now. If it’s not, I’d suggest starting there and then focusing on creative tactics to put in place for last-minute, opt-in campaigns.
We’ve been aggressively working on gathering consent with our opt-in campaigns. Our biggest goal was making sure we were casting a wide net and gathering consent from all targets within our Ideal Customer Profile (ICP).
I believe the EU will start to enforce the new law immediately. This has been in play for a long time. The marketers I’ve spoken to who reside in the EU are ready for this law to pass because it will help reduce the noise that we all are facing in the B2B space. There is a tone that must be set. Because of that I feel the enforcement will not be taken lightly.
Peter Gillett, CEO, Zuant
Here are seven final things B2B businesses can do to prepare for GDPR:
- Appoint a Data Protection Officer to focus on this area and be a source of information and training within your organization;
- Make sure privacy notices meet the “transparency” challenge;
- Assess the impact ‘opt-in’ would have on your CRM database(s); ensure that they can store proof of consent and multiple permissions;
- Test and optimize data collection statements, and consider a web-based Preference Center to communicate more intelligently with information your customers and prospects want;
- Review contracts with processors;
- Check whether the type(s) of profiling your organization conducts will need explicit consent; and
- Prepare to fulfil the new rights of natural persons, i.e. requests for information and the right to be forgotten.
In addition to the above, we at Zuant Mobile need to take this one step further than most companies, as we are storing information on a whole array of devices that will not be online all the time. Fully auditable data trails for all data activity will now ensure proof of GDPR compliance for all contacts. A clever data evaporation process will ensure data doesn’t stick around on devices longer than it should.
Annika Svensson, Head of Marketing, Vendemore
Preparing for May 25th, we at Vendemore have ensured that our data, and thus our services, are GDPR compliant. As we advise our clients, we have looked both at our external data providers and at our own data to ensure that we don’t store personally identifiable information.
We also believe it is important to be prepared to continue the efforts after May 25th. We all need to continue to manage new practices.
When it comes to enforcement of the regulation, we expect that the EU will enforce GDPR through local authorities. It will, however, take some time to see the results from the first reviews.
In general, this is a good direction and we hope that the regulator will develop guidance and tune practices for ways of working along the way. In a year from now, we believe GDPR will have become common practice.
Ed King, Founder & CEO, Openprise
If full GDPR compliance is not achievable by the deadline of May 25th, then focus on obtaining consent for existing database contacts, as you are not allowed to contact them for permission after that time. Conduct a database inventory to identify EU data subjects and request opt-in. If you do not have the time or tools to identify EU data subjects, then you should re-opt-in your entire database.
Openprise prepared for GDPR by creating and updating policies for privacy, data retention, third-party management and data handling. We inventoried EU data subjects and requested opt-in. Openprise also implemented privacy language and cookie banners for landing pages, as well as a data subject request process. We asked partners and vendors to sign a data processing agreement.
James Kessinger, Chief Marketing Officer, Hushly
The most prudent thing to do if you haven’t done anything yet is sit down with your legal counsel and define or redefine your privacy policy, so that you have “opt-in” language included in that. Also, be specific regarding circumstances you want to communicate with people about and by which means.
Second, get your rules of engagement defined for treating new contacts and existing contacts from various countries (not just the EU). Segment your contact data accordingly and purge older data where you have not had contact with someone for some period of time or where you know you don’t have double opt-in permissions to have further communications with a person.
Next, look at your martech stack to determine which vendors you are relying on to hold any of your customers’ data or perform some sort of communication on your behalf. Make sure you understand their privacy policy and if they are at odds with your own.
Finally, if you haven’t already, stop buying lists. You don’t want to run the risk of getting some EU citizen.
I think enforcement will be gradual with some smaller cases at first and more than likely one or two landmark cases that test the limits and help establish some definition and legal precedence.
Caitlin Culbert, Marketo Practice Director, The Pedowitz Group
Depending on the size of your business, engage legal representatives to help determine how much if any risk you want to take on. How are you choosing to interpret the law, and what decisions is that driving in your organization? How large or small is your exposure? What changes to data collection are you making? What changes to your forms are you making; have you implemented a double-opt in? What changes have you made to your use of inferred data? How are you addressing the use of all the public domain email addresses where establishing the country of residence of the recipient is difficult or impossible?
We have identified all the public domain email addresses, and based on the country or inferred country, we are excluding them from our email campaigns until we obtain the double opt-in. We are adding double opt-in to our forms for visitors from outside the U.S. and Canada. We will be changing our website to alert visitors about our use of cookies.
David Raab, Founder, CDP Institute
Alas, many B2B businesses are just starting to look seriously at GDPR. At best, they only have time left for short-term fixes. One easy change is to review your privacy statement and terms of service to ensure they comply. Then, of course, you’ll need to change the underlying processes to match the revisions. This could well mean a halt in much of the data sharing until you’ve secured proper consent. This can be limited to data related to EU persons, so you might put some filters on data-sharing programs to block transmission of those records, without disrupting the rest of your operations.
We never shared data with unaffiliated organizations, so we didn’t really need to change much beyond clarifying our privacy policy. Our CRM vendor deployed some features such as an option for users to review and erase their data, so we are compliant in those areas. We are currently reviewing our opt-in emails and may change some language to include more explicit consent.
One very interesting question is whether GDPR will end up creating a global standard. There’s much less government appetite for privacy enforcement in the U.S. and much more business resistance. But it will be considerably easier for many big companies to apply the same rules globally and some U.S. consumers may be attracted by firms that commit to GDPR-compliant practices.
Brian Hession, President and Founder, Oceanos
Businesses should audit their data and isolate contacts residing in the 28 European Union countries and their associated territories. This is straightforward, but stakeholders should recognize that postal addresses, especially if sourced from third parties, often contain a company’s headquarter address.
With GDPR, you need to understand where the person resides. This requires an overlay of self-reported location data. It’s not uncommon to uncover that up to 4% of records with a U.S. postal address align with a person that resides internationally. This is a hidden risk facing organizations that seek to comply with GDPR in good faith.
Here at Oceanos, we’ve rolled out a complimentary GDPR data screen to help our clients identify contacts residing in the affected geographies. Since there is a lot of confusion with some of the law’s basic terms — such as “data subject” — it’s likely enforcement will be focused on EU organizations first.
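Several contributors above describe the same data-handling step in words: inventory the database to find EU data subjects (King), filter them out of data-sharing until consent is secured (Raab), hold public-domain email addresses whose country cannot be established until a double opt-in arrives (Culbert), and let self-reported location override a postal address that may really be the company headquarters (Hession). The screen below is an added illustration of those rules written by the editor; it is not Oceanos's product nor code from any of the companies quoted. The EU country list is the 28 members as of 25 May 2018 (UK included; associated territories are not modelled), the public-email-provider list is a deliberately short constructed one, and the sample contacts are invented.

```python
"""Screen a contact list for likely EU data subjects (illustrative, not production).

Rules, taken from the contributors' advice:
  * a contact is in scope if they RESIDE in an EU country;
  * a self-reported country beats the postal country, because third-party
    postal addresses are frequently the company HQ, not the person's home;
  * a public-domain email address carries no country signal, so without a
    self-reported country the contact's residence is treated as unknown;
  * EU and unknown-residence contacts are excluded from campaigns and from
    data sharing until they have double opted in.
All lists and records here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: 28 EU member states as of May 2018 (ISO 3166-1 alpha-2).
EU_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV "
    "LT LU MT NL PL PT RO SK SI ES SE GB".split()
)

# Constructed, intentionally short list of consumer mail providers.
PUBLIC_EMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})


@dataclass
class Contact:
    email: str
    postal_country: Optional[str]          # from CRM or a purchased list
    self_reported_country: Optional[str]   # from a web form / preference center
    double_opt_in: bool = False


def email_domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(contact: Contact) -> str:
    """Return 'eu', 'non_eu' or 'unknown' for the contact's residence."""
    if contact.self_reported_country:
        # Self-reported location is the strongest signal we have.
        return "eu" if contact.self_reported_country.upper() in EU_COUNTRIES else "non_eu"
    if email_domain(contact.email) in PUBLIC_EMAIL_DOMAINS:
        # Public webmail plus no self-reported country: residence cannot be established.
        return "unknown"
    if contact.postal_country:
        # Corporate address only: postal country is the best available guess.
        return "eu" if contact.postal_country.upper() in EU_COUNTRIES else "non_eu"
    return "unknown"


def may_contact(contact: Contact) -> bool:
    """Gate for both campaigns and data sharing: EU/unknown need double opt-in."""
    return classify(contact) == "non_eu" or contact.double_opt_in


def screen(contacts: List[Contact]) -> Dict[str, List[str]]:
    """Group emails by residence class; this is the inventory/data-screen step."""
    buckets: Dict[str, List[str]] = {"eu": [], "non_eu": [], "unknown": []}
    for c in contacts:
        buckets[classify(c)].append(c.email)
    return buckets


def campaign_segment(contacts: List[Contact]) -> List[str]:
    """Emails that may still be mailed (or shared) right now."""
    return [c.email for c in contacts if may_contact(c)]


# Constructed sample records (example.com-style domains, not real people).
SAMPLE_CONTACTS = [
    Contact("alice@acme.example", "US", "DE"),             # US HQ address, lives in Germany
    Contact("bob@acme.example", "US", None),               # corporate mail, US address
    Contact("carol@gmail.com", "US", None),                # webmail, residence unknown
    Contact("dave@gmail.com", None, "FR", double_opt_in=True),  # EU resident who consented
    Contact("erin@acme.example", "GB", None),              # UK postal address, still EU in 2018
]

if __name__ == "__main__":
    for bucket, emails in screen(SAMPLE_CONTACTS).items():
        print(f"{bucket:8s} {emails}")
    print("mailable:", campaign_segment(SAMPLE_CONTACTS))
```

Running it shows alice landing in the EU bucket despite her US postal address, carol held as unknown until she double opts in, and only bob and dave in the mailable segment. The real difficulty is in the inputs rather than the logic: the screen is only as good as the self-reported location overlay and the completeness of the public-domain list, which is exactly the hidden-risk point Hession makes.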