GDPR Compliance Checklist for Digital Marketers

October 18, 2017

If you haven’t heard about the new GDPR Regulation, then this post is for you.

Seriously, GDPR is big; it’s a game-changer, and you need to act on it. Preferably now.

So we've put together this GDPR Compliance Checklist for Digital Marketers.

First things first, this new Act comes into being as of 25th May 2018, and affects any digital and email marketers in the EU. Needless to say, it cannot be ignored. The impact is going to be huge. Start making preparations now.

What is GDPR?

Brought in to replace the original Data Protection Act of 1998, GDPR is designed to protect consumers and businesses alike by standardising the collection and sharing of data. Going forward, consumer data will only be usable for the purpose for which it was acquired. The way in which you distribute customer data is changing, regardless of where in the world the data is stored and processed. Each and every one of the EU’s 500 million citizens will be affected.

The official definition of GDPR is:

“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”.

Personal data covers anything that makes a person identifiable, even characteristics as granular as political affiliation. An IP address is now also considered personally identifiable data.

We live in a world where first and third party data drives digital, as revolutionised by social media and smartphones. But the new regulation will completely transform the rules for marketers.

Who is it going to affect?

The legislation will affect anyone that uses personal data for marketing purposes. Whether it is email marketing, or social advertising, you will be affected.

Those who will be hit considerably harder are those who use third party data, e.g. rented email lists. Essentially, you will no longer be able to use these, as you personally haven’t sought opt-in from the people on the list, and you cannot prove that they have given you permission to contact them.

It follows that the owners of these third party lists will also suffer. Unless they can re-permission their lists, the lists are going to be redundant. You need to be able to prove you have a direct relationship with the person you are looking to contact. Otherwise, you cannot contact them and, additionally, must not hold their data. Data must always be processed lawfully, and for a specific purpose. Once that purpose has been fulfilled, the data in question should be removed.

Additionally, if an individual wishes their data to be removed from your database, and it is no longer being used for the purpose for which it was acquired, they have the right to have it removed. This is what is commonly referred to as “the right to be forgotten”.

More specifically, GDPR applies to ‘controllers’ and ‘processors’ of data. Even if either is based outside of the EU, as long as they are dealing with data that belongs to EU residents, they are still subject to GDPR.

The actual collection of lead data via companies such as Google and Facebook is likely to be unaffected by GDPR, primarily because they already have direct relationships with customers. Such networks are therefore likely to benefit hugely from the legislation, given that marketers may see a reduction in the size of their own first party data, and will therefore be more reliant on social networks to reach consumers.

So what will change?

You will doubtless have seen the occasional scare-mongering article detailing brands’ knee-jerk reactions to the legislation, with some brands even going so far as to completely delete their email database. In reality, all that is required is to get your house in order.

If you currently have opt-in consent for your database, it is still unlikely to be enough. Even if you have previously been contacting an individual, you will need to get their consent all over again. AND have a record of doing so. This is the main issue - having a record of a user saying that they are happy to receive your marketing messages, when they gave consent, and how.

And you have to say HOW their data will be used. Even if someone has handed you their business card and said “please contact me”, this is not enough. Even verbal agreement will not stand up in the face of GDPR. Consent has to be demonstrable, and recorded.

Without getting explicit consent from these users, you are left with a database of user data that is completely redundant. This is a situation that no business wants, and it would be catastrophic.

What about Brexit?

There’s no way around it - the legislation will be happening, irrespective of Brexit. At the point that GDPR comes in, the UK will still be part of the EU. We already know that the UK won’t be leaving for at least another two years. The UK Government has already confirmed that the changes will still go ahead.

Potentially they might revisit the regulations once Brexit has been completed, but there is little point in pre-empting that possibility! GDPR is happening, and businesses have to get in line.

What about retargeting through custom audiences?

You might argue that because the data is hashed before it is uploaded to Facebook, it isn’t identifiable. However, this doesn’t stop it being personal data: once the upload reaches Facebook, it is still matched against someone’s personal data on Facebook. In essence, you are still trying to single them out and reach them with advertising.

Prior to GDPR coming in, you could potentially run your re-permissioning clean-up as an ad campaign. With Facebook lead ads, you could simplify this process, and in addition, enrich your data with additional questions. Treat re-permissioning as a chance to enrich your database.

How does GDPR affect retargeting through Facebook Custom Audiences, LinkedIn Matched Audiences or Google Customer Match?

By utilising Driftrock's audience syncing solutions, you can ensure you are on the right side of GDPR compliance. Our software can sync your CRM lists and segments every three hours, so any time someone unsubscribes from your CRM, they will be removed from your custom audience on Facebook, LinkedIn or Google Matched Audiences. Find out more about our GDPR Solutions for Digital Marketing.
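To make the two points above concrete (hashed uploads still single people out, and an unsubscribe must propagate into the uploaded audience), here is an added illustration that is not part of the original post or of any vendor's code. It models both sides of a custom-audience match with SHA-256, as such platforms generally do; the sample CRM export, platform accounts and the normalisation rule (trim and lower-case) are constructed for this example.

```python
import hashlib

def normalise_email(addr: str) -> str:
    # Both sides must normalise identically or digests will not match.
    # Trim + lower-case is assumed here as the agreed rule.
    return addr.strip().lower()

def hash_email(addr: str) -> str:
    # The marketer uploads this digest instead of the plaintext address.
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()

def build_upload(crm_emails, unsubscribed=()):
    """Marketer side: hash the CRM list, dropping anyone who has opted out.
    The suppression list is hashed the same way, so the opt-out removes the
    matching digest before anything leaves the CRM."""
    suppressed = {hash_email(e) for e in unsubscribed}
    return {hash_email(e) for e in crm_emails} - suppressed

def match_audience(upload_hashes, platform_accounts):
    """Platform side: hash its own users' addresses and intersect.
    Every hit is a specific, identified account, which is why the upload is
    pseudonymised personal data rather than anonymous data."""
    index = {hash_email(acct["email"]): acct for acct in platform_accounts}
    return [index[h] for h in upload_hashes if h in index]

# Constructed sample data: a CRM export with messy casing/whitespace and the
# platform's own (normalised) account records.
CRM_EXPORT = ["Alice@Example.com", " bob@example.org ", "carol@example.net"]
PLATFORM_ACCOUNTS = [
    {"user_id": 101, "email": "alice@example.com"},
    {"user_id": 102, "email": "bob@example.org"},
    {"user_id": 103, "email": "dave@example.com"},
]

def matched_user_ids(unsubscribed=()):
    """Return the platform user_ids the upload would single out."""
    upload = build_upload(CRM_EXPORT, unsubscribed)
    return sorted(a["user_id"] for a in match_audience(upload, PLATFORM_ACCOUNTS))

if __name__ == "__main__":
    print("matched:", matched_user_ids())                      # [101, 102]
    print("after Bob opts out:", matched_user_ids(["bob@example.org"]))  # [101]
```

Carol produces no match because the platform has no account for her, yet her digest was still uploaded; that is the case a re-permissioning or deletion decision has to cover before the list is exported.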

What are the consequences of non-conformance?

Seriously - you don’t even want to consider trying to get away with it. Sanctions around failure to comply with GDPR are fines of anything up to €20 million, or 4% of your annual global turnover.

Also bear in mind, as GDPR becomes mainstream, consumers are going to become increasingly aware of it, thus knowing their rights, their ability to lodge a complaint and the potential for claiming compensation. You don’t want to be on the wrong end of that - it simply isn’t worth the risk to the reputation of your brand.

Think about PPI - no-one had heard of that ten years ago. Now it is a large part of consumer consciousness, as is their potential for recompense.

If you have any doubts around any part of your data and the way in which you collected it in the first place (i.e. it’s unclear whether permission was sought), then rather than aiming to get re-permission, it may be safer all round if you just delete it.

What is the best way to get re-permission?

First off, you need to be prepared for people not responding to your re-permission request. There is a good chance that you are going to be slashing the size of your contacts database through this exercise. Potentially, it is going to be carnage for marketers. And if you don’t get re-permission, then the next option is to delete that user’s data. It is by far the safest option, so as to avoid any sanctions.

You of course have the option of not contacting any EU customers ever again, as the legislation only affects the EU. But that is unlikely to be a sensible option for most EU businesses.

Before you seek re-permission, it’s worth asking yourself a few questions, to be sure that you want to flag up the fact that you hold someone’s personal data. Even if you hold details for someone who has downloaded a PDF from your site, it cannot be assumed that this means they have agreed to be added to your email list.

  • Should you ever have had this data in the first place?
  • Where did you source the data from? Is it first or third party? 
  • Why do you have the data? 
  • Do you have explicit permission to market to an individual?

If, by the end of these questions, you can still say you hold the data legitimately, then it is time to decide exactly how you are going to seek re-permission. In addition, as mentioned earlier, you can treat it as an opportunity to get additional information from contacts, such as canvassing opinions and enriching the data you hold on them, e.g. what is your favourite car?

The key takeaway from this is that you at least can demonstrate that you have taken steps to prepare for GDPR. It is not enough to simply say, we planned this and that - there have to be genuine attempts made at cleaning up your data. Besides, can you really afford to take a hit on 4% of your turnover? Thought not.

So now is your chance to build yourself a database of contacts that WANT to be contacted, and have told you HOW they’d like to be contacted, and WHAT they would like to be contacted about. Build yourself a database of people that want to be contacted by you, and discover exactly how they want to be contacted.

It’s time to get your data in line.

Want to know how Driftrock can keep you on the right side of GDPR with our CRM audience automation tools? Find out more about Driftrock's GDPR Regulation solutions: