GDPR: What you need to know for your company


May 2018 will be remembered as the month when the General Data Protection Regulation (GDPR) came into force across the EU.

Like many of us, you might ask yourself: What is GDPR? Do I comply with the data protection law? What should my Marketing team do to follow the GDPR guidelines? You will find answers to all these questions in this article.




General Data Protection Regulation, wait, what?

The GDPR is a European law which came into effect on May 25th, 2018. Since that day, you have probably read dozens of articles about it and received dozens of emails from websites you visit regularly or visited just once in your life. But why?

Well, this regulation sets a legal framework for companies which collect and/or process personal information of residents in the European Union. For you as an individual, it reinforces the protection of all your personal information spread across multiple websites & services. For you as a company, it forces you to treat with scrutiny all the information collected across your entire ecosystem about ALL your customers (active, prospects, and even your inactive and lost clients), suppliers, personnel, …


Are You GDPR-ready?

How can you make sure your company is ready for it? Thankfully, the European Commission has made a guide. With these 7 easy steps, we can all be GDPR superheroes!

  1. ADAPT: Make sure that you know for each of your contacts why you collected their data and on which legal basis you will use it. Depending on the “profile” and purpose of the collected data, you may or may not have certain rights.
  2. COMMUNICATE: Communicate with transparency to all of your ecosystem (clients, prospects, partners, suppliers, etc.) about the data you may have on them, and the reason for it.
  3. ERASE: Don’t store data from previous business relationships. Delete it when it is no longer necessary.
  4. SECURE: Protect your clients’ personal files as if they were yours.
  5. DOCUMENT: Explain in a short document why you have specific data, about whom, who can access it, what type of personal information, … This document can be requested by your national data protection authority.
  6. CONFIRM: If you are working with a third party for the processing of personal information, make sure they are GDPR compliant before you sign anything.
  7. ENTOURAGE: Depending on your core business, you may or may not need a Data Protection Officer. Hiring an external consultant or naming an internal expert could be considered.

If you want to read the whole guide about the 7 steps, written by the European Commission, you can click here.


Tips for GDPR-compliant marketing actions

Since May 25th, 2018, it is compulsory for marketers to take the guidelines of this new privacy legislation into account. Keep in mind your new rights and duties to collect, process and delete customers' personal information. We would like to give some tips to make sure your marketing actions are GDPR-compliant:


1. Ask for explicit subscribe actions on all your forms

You must now ask your leads to explicitly confirm whether they want to be kept in the loop, so you have to add several checkboxes with explicit text to your contact forms. Here are some possible phrases you can use:

  • Yes, I would like to receive marketing communications about [Company] services and events. I can unsubscribe at any time.
    • Give people the chance to specify what types of communications they want to receive, e.g.: I want to receive information on …
  • My contact information, including email, may be shared with the sponsors of this event/asset for the purpose of following up on my interests.
    • Give people the chance to specify which contact details you can use.
  • I have read and agreed to the Privacy Policy.
  • I agree to the Terms and Privacy Policy.

Do not fill in these fields automatically. Your prospects must be able to select them themselves. It’s the only way to collect data and be compliant with the data protection regulation.


2. Make your database accessible

The GDPR gives individuals the right to ask for their personal file in order to update it or even delete it. Therefore, your database should be easily accessible. Why not send an email to your contacts who already opted in to your communications, asking them to verify their information and giving them the possibility to add extra information or to delete their profile?

We hear you thinking: why would that be positive for me as a marketeer? It is the ideal way to get high-quality data. Yes, it will give your prospects and clients the opportunity to opt out, but do you really want to invest time and money in people who are not even positively interested in your communication?



3. Make changes to your privacy statement

As part of the new rules, companies have to produce an appropriate privacy statement. You probably already have one on your website, but the GDPR rules include making this policy as clear as possible. Make sure that your privacy statement follows these guidelines:

  • Make it concise and transparent
  • Make sure everyone can easily access it
  • Use plain and clear language
  • Don’t ask anything in return for downloading the privacy statement


What does a good privacy statement look like? Include this information:

  • How you collect personal data
  • What you do with it and how you will make sure that it is secure
  • Let people know if other parties will have access to their information
  • Make clear whether you use cookies or not
  • Add a contact person who is responsible for changes to data or questions about it


4. Add an unsubscribe possibility in your emailings

This is not a new guideline, but it remains a really important one. When you send a newsletter or direct mail, you have to give your recipients the possibility to unsubscribe. It doesn’t matter where you put this opt-out, it just has to be there. Once someone has unsubscribed from your mailings, you cannot send them a newsletter again. If you haven’t done it yet, make it clear in your emails how your contacts can:

  • Opt out of this specific kind of communication
  • Unsubscribe from all kinds of commercial messages
  • Contact you for more information about their personal files

Do you want more information?

Do you have any questions regarding the GDPR and Salesforce products? Feel free to contact us for more information!


This article was written by Judith van Hoorde and Caroline Hoy.