The most significant regulatory change in online marketing is right around the corner: are you making the email mistake? Too many marketers are assuming that GDPR compliance solely relates to their email marketing. In reality, the scope of the regulation is much broader.
To help you understand the implications, let’s take a broader look at the regulation. Before going further, we will note that this article is not legal advice. For such advice, consult a qualified legal professional.
What Is GDPR?
General Data Protection Regulation (GDPR) is a new regulation in the European Union related to data protection and privacy. The regulation creates new rights and responsibilities for marketers and customers. For example, your contacts now have the right to be forgotten – wholly erased from your company’s records. Your contacts also have the right to request a copy of all information you have on them. These new expectations may become industry best practices over time as other countries are looking for ways to improve data privacy.
Why GDPR Covers More Than Email Marketing
Focusing your GDPR compliance on email marketing makes sense up to a point. Email marketing systems are among the most visible marketing platforms. Marketers may incorrectly assume that GDPR is like Canada’s CASL (Canada’s Anti-Spam Law), which took effect in 2014, or the earlier CAN-SPAM (2003) legislation in the United States. GDPR takes a broader view that goes beyond email. For example, GDPR introduces the “right to be forgotten.” To meet that requirement, you would have to identify all data related to an individual and then destroy it. If that obligation is missed, you may be the subject of a complaint and investigation.
GDPR is about processing personal data, and the definitions of both “processing” and “personal data” are very broad.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
One way to look at this: if information related to a person goes into a computer, it’s being processed! This law goes WAY beyond just email marketing.
More clues about GDPR enforcement can be found in the recent track record of EU authorities. Consider the EU’s Information Commissioner’s Office (ICO) as an example. From April 2017 to April 2018, the ICO took twenty-two enforcement actions related to marketing. These enforcement actions have covered automated text messages, “nuisance calls,” email marketing and other marketing activities. Firms subject to these enforcement actions suffer both a monetary loss and reputational damage. Attempting to evade regulations by adopting newer communication tools (e.g., Facebook Messenger bots) is not a smart move.
That said, email marketing is not the be-all and end-all of GDPR compliance. To inform your GDPR compliance planning, you need to think more broadly. To jump-start your thinking, we have identified some of the most common non-email marketing assets in the next section.
What Else Is In Scope for GDPR?
GDPR does not provide a list of specific marketing systems or technologies, so there is no official list to check. Instead, you need to review GDPR and conduct a data audit. Here are some of the most common data sources and systems that fall within the scope of GDPR.
- Website Analytics. Google Analytics has notified its users about GDPR requirements. Check your website analytics platform to see what relevant data you may have on customers. After all, “anonymous” data points like IP addresses and cookies may be enough to identify individuals when combined with other data sources.
- Marketing Automation Software Platforms. You probably have GDPR-relevant data in the Oracle Marketing Cloud. If you use Eloqua, check out our GDPR Eloqua Compliance Apps.
- Customer Relationship Management (CRM). Your CRM database will have a significant amount of customer data generated through automatic and manual processes. Fortunately, your CRM is already searchable by contact, so this will be easier to manage.
- Customer Service Databases. Customer service and customer success activities may be managed apart from CRM. Even though this system does not relate to marketing, your customers may ask for a copy of all data about them and this system would be in scope.
- Company Data Backups. Your backup data sources probably contain customer data. The question is: do you have a full, up-to-date listing of all data backups that include GDPR-relevant data? Further, do you have a records retention policy that is applied to backups and other data? These are important considerations to keep in mind.
- Third Party Marketing Service Providers. If you work with third-party consultants or providers to assist with lead generation, sales or marketing, you need to monitor those relationships. Review the reporting and audit rights aspects of your agreements to see if they need to be amended to cover GDPR.
As you can see, identifying all of your applicable data sources is a major undertaking. To make sure you recognize all assets related to GDPR, you will need to conduct a data audit. GDPR compliance is much more than email marketing and changing your landing pages.