What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union, it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation has been in effect since May 25, 2018.
Since the law took effect, all companies operating in Europe need clearly granted permission before they can collect, save, and use data regarding personal information. If sales and marketing do not take action, but rather wait, the risk of degradation becomes enormous. Learn all about it in this practical guide to the GDPR!
The B2B marketer as ‘data processor’ or ‘data controller’
The GDPR recognizes different roles in dealing with data, the so-called ‘data processors’ and ‘data controllers’. As a marketer, you hold at least one of these roles, and possibly both. Whatever systems and processes you use to approach your leads (your database, CRM, email software or newly acquired marketing automation platform), they all fall under the privacy regulation. This means that you must have your business and contacts in order.
GDPR principles and recommended practices
Some key principles of the GDPR to keep in mind during the implementation of your B2B marketing strategy and activities:
- Permission: Within 72 hours, you will have to prove that the contact gave his permission (an opt-in).
- Opt-in renewal: When a contact has not shown any activity for 24 months, you need to renew this opt-in in order to continue using this person’s contact information. If you don’t, you have no permission to use or save this data.
- Processes in order: Do you work with external parties who generate leads for you and/or work with your data? Then the rules also apply to them and you need to be able to prove that all processes meet the new GDPR.
General Data Protection Regulation tips
1. Everything starts with mapping your database; who is in there, what do we know of them exactly? Are they active or ‘asleep’? And does the current given permission suffice? This audit clarifies how much your data is worth in the light of the regulation and what opportunities there are. Are the contacts in your database really (potential) buyers?
2. Map who delivers leads and how they do that currently. Do your sales colleagues add names and information to the database themselves? Are you buying lists with contact information? Determine starting points per lead generation channel and take the lead. Try to make sure that you as a company gather and save as much data as possible. This makes you less dependent on external processes.
3. Critically review your current ‘customer processes’ regarding the regulation. Do the given opt-ins suffice? And where do you save this information? Preferably, you keep everything at one central spot, in one system. In addition, make sure you can track the given opt-ins and take action when you need to renew them.
4. Actively share and gather knowledge within your own organisation. What do your Sales colleagues know of the new regulation? What do your colleagues from Customer Service, Operations, and other departments know? A good plan is starting with the departments that have direct customer contact. They can help you sharpen your processes in order to meet the new rules in a smart manner. Test these processes with Legal when no clear guidelines are available.
5. Together with your team or an external party, create an action plan based on the audit results of your database, the lead generation channels you use, and the processes that you want to improve. For example, start with a campaign aimed at the ‘sleepers’ in your database. Activate and inspire them with your best performing (gated) content. Or test a new onboarding campaign on newly provided contacts.
Questions about GDPR
In this practical guide, we answer some of the most frequently asked questions regarding the GDPR.
Is the obligation of opt-out also applicable to print marketing?
The specific rules for e-marketing and telephone marketing are set out in the e-Privacy Regulation. The GDPR regulates the general rules for the use of personal information for direct marketing purposes. The definition of direct marketing includes print marketing addressed by name. When personal information is processed for this type of direct marketing purpose, a right of objection, or an opt-out from the associated processing of personal information, must be offered at any time.
To what extent does the GDPR count for offline orders and visits and the processing of personal information in a CRM-system?
There are specific rules for sending commercial electronic communication and thus for sending an electronic newsletter. If these are sent to a so-called ‘current customer’, it suffices to offer an opt-out when using the e-mail address. The opt-out has to be offered in every subsequent electronic message (so in every electronic newsletter sent). It is important to note that the processing of personal information for direct marketing purposes (in combination with collecting personal information originating from an offline order and processing this information in a CRM database) is subject to the criteria of the GDPR.
Is it correct that you do not need permission to process personal information as long as the associated party is aware that the information is going to be processed?
Under the GDPR, the processing of personal information must be based on a foundation, just as under the Dutch law for the protection of personal information (Wet bescherming persoonsgegevens). There are six possible foundations. The permission of the person involved is one of them.
Another is that the processing of information is necessary for the justified interest of the responsible person or a third person, except when the privacy interests of the person involved (for example the customer) are more important.
The processing of personal information for direct marketing purposes can be based on the justified interest (as appears from the explanation of the GDPR). However, an opt-out (or a right to object against the information processing) has to be offered. Permission is not necessarily required for the use of personal information for direct marketing purposes.