CommuniGator. Your GDPR. Compliance Checklist

Transcription

1 CommuniGator Your GDPR Compliance Checklist

2 The impact of the EU GDPR on your business As of April 2016, the EU General Data Protection Regulation was adopted but it does not come into force until 25th May This new regulation will change the face of B2B marketing as we know it. So, if you are a B2B marketing practitioner, you are going to need to know what the law means and what you need to do in order to become compliant by the time the EU GDPR goes into effect. Which is where this guide comes in. Along the way, we will be giving you examples of how we are helping B2B marketers meet the new EU GDPR, so you get a better understanding of what to do next. It is worth noting that in this guide we are focusing on how the EU GDPR affects marketing. Of course, the law does affect other elements of data privacy, and we would encourage every business to determine how the new regulations affect their data. THE EU GENERAL DATA PROTECTION REGULATION IS COMING AND THERE IS NO TIME TO LOSE IN UNDERSTANDING THE CHANGE TO DATA PRIVACY LAWS. The topics we will cover to help prepare you include: 1. The transition timeline The legal jargon of the law understood...5 a. Who is affected...5 b. What is required...5 c. The penalties for not meeting the EU GDPR changes The direct effect on your business...7 a. Key aspects to consider...7 b. Knock on effects...7 c. Key benefits of the EU GDPR changes How to get your B2B data to comply with the GDPR Recap of the steps to take NOW Glossary of EU GDPR legal terms...12 MUST READ DISCLAIMER: Before we begin, please know that this guide is our informed interpretation of the EU General Data Protection Regulation, and its effect on marketing. This document is for informational purposes only and is designed to help you better understand the law and how it might affect your marketing. We are not lawyers. Nothing presented in this document is, or should be construed as legal advice. It may be necessary to consult your legal or compliance team for specific guidance in regards to adherence to the law. 2 Your GDPR Compliance Checklist

3 The transition timeline Up until now, those in the EU have been working under the Data Protection Directive. It was approved back in 1995 and sought to protect the privacy of EU citizens. It also restricted the distribution of sensitive personal data outside EU countries. But, as we know, more recently the European Commission developed the General Data Protection Regulation to standardise data protection requirements for all EU countries. It was adopted in April 2016 and will take effect on 25th May THIS GIVES ORGANISATIONS EIGHTEEN MONTHS TO ADAPT THEIR BUSINESS APPROACHES, OPERATIONS, AND SECURITY POLICIES WHEN IT COMES TO DATA PROTECTION. In order to do so, it will be crucial to understand the EU GDPR requirements. The transition timeline OCTOBER 1995 The EU enacted the Data Protection Directive to create requirements around the processing and transmission of personal data. DECEMBER 2015 EU Data Reform - New Pan European Rules Start APRIL 2016 The European Commission approved the GDPR MAY 2018 The GDPR officially goes into effect for all EU Member CommuniGator Ltd 3

4 What is the difference between the Data Protection Directive and the General Data Protection Regulation? There are a lot of changes that the GDPR has introduced to data privacy laws. But, for the purpose of this guide, we will just focus on changes for marketers and the difference between a DIRECTIVE and a REGULATION. A DIRECTIVE is binding as to the result to be achieved. The EU Member States can use any form and methods of their choosing to achieve the desired result. A REGULATION is binding in its entirety, from general application to the outcome. It is directly applicable and immediately enforceable as law. In informal terms, THE REGULATION IS A STRICTER SET OF LAWS that will force all businesses dealing with EU citizens personal data to become consistently compliant in the way they handle this data. Until the EU GDPR goes into effect You have 18 months (at the period of writing this guide) to make sure your marketing data complies with the EU GDPR changes. 1. YOU HAVE 18 MONTHS TO GET EXPLICIT CONSENT FROM IMPLIED-CONSENT SUBSCRIBERS (CUSTOMERS AND ENGAGED PROSPECTS). 2. YOU HAVE 18 MONTHS TO GET EXPLICIT CONSENT FROM AS MANY NON-ENGAGED INDIVIDUALS AS YOU CAN. 3. AFTER 25TH MAY 2018, YOU WILL NOT BE ALLOWED TO MARKET TO ANY DATA THAT HAS NOT GIVEN YOU EXPLICIT CONSENT. 4 Your GDPR Compliance Checklist

5 The legal jargon of the law understood Now that you are aware of when the new regulations come into place, you must ask yourself whether the legislation applies to your organisation. For some organisations, the changes coming into place will not make a difference. For others, it will change the fundamental elements of their marketing. WHO IS AFFECTED? So, the EU GDPR applies to you if: 1. Your organisation is based in the EU? 2. Your ESP is based in the EU 3. Your organisation processes EU resident s personally identifiable information DOES THIS APPLY TO THE UK EVEN THOUGH THEY ARE LEAVING THE EU? Despite the UK s decision to leave the EU on the 23rd June 2016, businesses in the UK will still be expected to comply to the EU GDPR. If for no other reason than Article 50 has yet to be triggered, UK organisations who wish to continue trading with the EU Member States after Article 50 will have to have equivalent legislation in place. Effectively, the EU GDPR will apply in some way, shape or form to the majority of UK businesses. WHAT THE EU GDPR MEANS FOR MARKETERS Now you know when the law comes into effect and whether or not it applies to you, you need to know what the changes mean for your data. Since marketers will be impacted heavily, we are going to focus on what the GDPR means for them. The main focus of the GDPR, at least for B2B marketers, is that your subscribers must give you EXPLICIT The legal definition of consent is this: freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data. What that means is your subscribers must complete a compliant opt-in form that says they wish to receive future marketing communications from your organisation. Implied consent (i.e. a customer who already has a relationship with your organisation or an engaged subscriber who hasn t opted-out of your communications) does not count as explicit consent. THEREFORE, YOU NEED TO MAKE SURE ALL YOUR MARKETING DATA THAT YOU ARE CURRENTLY ING, CUSTOMERS, ENGAGED SUBSCRIBERS AND NON- ENGAGED ALIKE, ALL OPT-IN TO YOUR COMMUNICATIONS IN ORDER TO GIVE YOU EXPLICIT CONTENT. CommuniGator Ltd 5

6 PENALTIES FOR MARKETING TO DATA THAT HAS NOT GIVEN THEIR EXPLICIT CONSENT From 25th May 2018, any business that markets to personal data that has not given their consent will face a fine up to 20 million or 4% of their global annual turnover whichever of the two is higher. Now that goes for B2B marketing too, as personal data is defined as any factor that could be used to identify an individual. This includes genetic, mental, cultural, economic and social identity. Therefore, an individual s business address is considered personal data. In order to avoid these strict penalties, it is going to be important to keep records of the subscribers who have opted-in to your communications. One of the most important elements that the EU GDPR makes explicitly clear is that your consent has to be provable. By keeping a record of your opted-in subscribers, you will be able to provide the proof of consent you need to. You can find an introductory glossary to the main terms you will find in the EU GDPR at the back of this guide. It should help give you a deeper understanding of the legal jargon within the EU General Data Protection Regulation. 6 Your GDPR Compliance Checklist

7 The direct effect of the EU GDPR on your business By now, you will have determined if your business is affected by the data privacy law changes and what the law means for your marketing. Before we get into how to make sure your business practices comply with the law changes (which we cover in the next section), we wanted to discuss the direct and knock-on effects of the EU GDPR changes. First up, the key aspects to consider 1: THE OPT-IN PROCESS The change from opt-out or soft opt-in to explicit opt-in will mean that none of your current data will be able to be marketed to unless they opt-in to receive your marketing communications. Silence or inactivity from an subscriber will not count as consent. Nor will a pre-checked box or implied consent. The opt-in consent must be an affirmative action that the subscriber actively takes. There must also be something in place that will determine that the subscriber that is consenting to receive your marketing communications is who they say they are. Hence why some marketers are calling this a double opt-in process. This can be done in a number of ways, including a recaptcha form, or a follow-up asking them to confirm their role in the consent process. While this will make your opt-in process more convoluted, it is essential in order to comply with the new EU GDPR rules. In order to make sure your consent message is compliant, we suggest getting your legal team to check the messaging you use. Best practice would suggest that you make your consent message as clear as possible. 2: THE CONTROLS YOU WILL NEED TO PUT IN PLACE Organisations who: Are public authorities Engage in large-scale systematic monitoring of personal data Engage in large-scale processing of sensitive personal data Will need to appoint a Data Protection Officer. While you may not require a DPO, the GDPR makes it clear that you need to establish strong controls around personal data and take steps to protect it. Our recommendation is that you hold any personal data you collect in one secure place, with the proper protocols. This will allow you to streamline your compliance efforts. You must also only retain data for as long as it is relevant. This means you are not allowed to keep personal information for longer than is necessary when it comes to processing the personal data your business handles. This is a storage limitation principle which the ICO can advise you on in more detail. 3: THE TRANSPARENCY THE EU GDPR EXPECTS Given that the EU GDPR has been designed to give EU citizens control of their personal data, the new regulation requires that businesses have transparent and easily accessible policies with regard to the processing of personal data and the exercise of data subjects rights. These include (but aren t limited to): The Right to be Forgotten Subject Access Right Right to Data Portability (All terms are explained in the glossary at the end of this guide.) We suspect that continuous monitoring of your data to make sure it complies with the new data privacy laws will become more and more critical. CommuniGator Ltd 7

8 Knock on effects from the EU GDPR 1: COOKIE CONSENT WILL CHANGE Due to the transparency required by the new Data Protection Regulation and the important factor that you cannot assume consent, we predict that cookie consent will be part of the EU GDPR changes. Many websites will have to turn website cookies that track visitor behaviour off by default, and then only start tracking after website visitors have explicitly agreed. 2: PURCHASE DATA LISTS WILL DIMINISH IN QUALITY As far as we are aware, purchased data lists will still exist in the post EU GDPR business realm. However, due to the necessary compliances, these lists will be filled with people that have given the right for lots of businesses to contact them. These data subjects are often bribed into giving consent and, as such, perform rather poorly. Instead of relying on these new, generic lists, we would recommend purchasing targeted lists now and working on opting-in as much as data as possible before May : CONTROLLED ACCESS WILL TAKE PRECEDENT Given the strict penalties that businesses could face, if they do not meet the new data privacy regulations, robust controls will need to be put in place to ensure that businesses are complying at all times. Therefore, it is going to be essential that businesses establish strong, multi-factor authentication for the data they are opting into their marketing. Key benefits of the EU GDPR changes Given the length of time marketing has been around, we are not exactly surprised at the changes brought in by the General Data Protection Regulation. Opt-out data typically performs at low engagement rates. It ranges around 5.6%, only growing to 26.15% with engagement, depending on how successful the business is at nurturing the subscribers with the right information. Compare this to the industry standard of 37.19% for opt-in data, which rises to 48.23% engagement when engaging on a sales-ready basis, and B2B marketers should see an improvement in their marketing. Of course, in order to do that, they must have data left to market to come May Your GDPR Compliance Checklist

9 How to get your B2B data to comply with the GDPR Before you get started with opting-in your data, let us first consider what your opt-in statement / consent message is going to say. THE SPECIFICS OF YOUR OPT-IN STATEMENT As we previously mentioned in this guide, you must receive explicit consent from your subscribers via an opt-in form. Here is what you need to know about your opt-in statement MUST include in order to be compliant with the EU GDPR guidelines. As we know the definition of consent is: freely given, specific and informed statement that agrees to the processing of their personal data. Therefore, your opt-in statement MUST: Clearly indicate that they will be receiving continuous marketing communications from you by opting-in. Give the identity of the business that will have access to their personal data (this includes any third parties that will have access) and a way to contact them about their data. Have an unsubscribe/opt-out message that has no negative connotations attached (i.e. a cost). Take an affirmative action from the subscriber in order to qualify. E.g. Consent from a pre-checked box, silence or inactivity is not adequate enough to constitute consent in the new EU GDPR legislation. You may wish to run your official wording of your opt-in messages past your legal and compliance teams. KEEPING TRACK OF YOUR DATA COMPLIANCE Once you have your opt-in message decided, you must then create the system necessary to hold a provable record of your opted-in data. For example, we have done this by creating a GDPR compliant statement that in un-editable by anyone but the controller in our business. When a data subject has engaged with our material (for example through a form fill), they will be sent this message asking them to opt-in to our communications. The CTA on this will send them through to a confirmation action page with a recaptcha. The contact will need to complete the recaptcha form in order for the data subject to receive the information they initially engaged for. The information from the recaptcha form will be fed back to us, allowing us to record and store against the opt-in data marker. This means we have the date, IP address and compliance statement of the data subject in our records until such time that it is no longer needed. CommuniGator Ltd 9

10 START THE OPT-IN PROCESS WITH YOUR ENGAGED DATA As we have mentioned (several times now, just to drill the message home), implied consent will not be enough. So, you must first make sure to invite your customers and engaged prospects/subscribers to opt-in to continue to receive your communications. The earlier you begin this process, the more data you will get to agree to opt-in & have left to market to come For customers, we encourage you to include the messaging on contracts and invoices moving forward, as well as keeping an electronic copy for your provable records. As soon as they are aware that they will not be able to receive essential communications from you to continue their working relationship with you, they will be more inclined to opt-in to your messages. For our engaged subscribers, we saw a 5% engagement rate from a simple message inviting them to opt-in to future communications. We then saw a 43% click-through rate when opted-in data was sent personalised content. Compare this to the 1.8% click-through rate from a data list that had not yet opted-in, and we can already see the positive impact of the opt-in messaging process. As best practice, we would encourage you to send follow up s to subscribers who ignore your opt-in statements. Make it clear that they will be missing out on essential communications if they do not opt-in to your messaging. IMPROVE THE OPT-IN PROCESS FOR NEW DATA SUBJECTS Of course, you don t just want your engaged data to opt-in to your messaging. You also want non-engaged as well as website visitors and new prospects. In order to achieve this, consider gating your digital resources (such as whitepapers and guides) to optimise your list building process. By using cookies once they have given their explicit consent, you can keep a record and allow them to speed through the gating process in the future, ensuring they do not have to give their explicit consent more than once. This can also be achieved in other aspects of your marketing, for example, your event marketing. By using this opt-in technique to, say, give attendees the access to event slides or videos they want, you increase your opted-in data list even further. You can get your event attendees to comply with your opt-in process either online or physically as long as their consent is recorded. REACH OUT TO THE NON-OPTED IN COMMUNITY Until the EU GDPR comes into effect, we are using targeted purchased data lists that focus on our killer values to draw the right audiences who would be interested in opting-in to our communications. By regularly ing the non-opted in community with relevant material and asking them to opt-in we have seen a 1.8% click-through rate. From here, it is a matter of continuing to build the value of what we offer these contact lists in order to show them the benefit of opting-in for future marketing communications. 10 Your GDPR Compliance Checklist

11 Recap of the steps to take NOW To recap, here are the steps you need to take when making sure your marketing is in compliance with the upcoming EU GDPR regulations. Remember, you will not be allowed to market to any data that does not meet these regulations in just eighteen months! 1. DETERMINE IF YOU WILL BE AFFECTED BY THE EU GDPR 2. DETERMINE HOW YOU WILL BE AFFECTED BY THE NEW REGULATIONS 3. UNDERSTAND THE PENALTIES 4. PLAN ACCORDING TO THE TIMELINE 5. ESTABLISH WHICH CONTROLS YOU WILL NEED IN PLACE FOR YOUR OPT-IN PROCESS 6. THE SPECIFICS OF YOUR OPT-IN STATEMENT 7. CHECK YOUR PRIVACY & COOKIE CONSENT POLICIES ARE TRANSPARENT IN THEIR COMPLIANCE 8. GET EXPLICIT CONSENT FROM THOSE WITH IMPLIED CONSENT (I.E. YOUR CUSTOMERS AND ENGAGED DATA CONTACTS) 9. GET AS MUCH OF YOUR DATA AS POSSIBLE TO OPT-IN TO YOUR FUTURE COMMUNICATIONS 10. PURCHASE TARGETED DATA LISTS & GET AS MANY OF THEM TO OPT-IN AS POSSIBLE B2B marketing is evolving, and you need to be willing to evolve with it if you want to continue marketing after 25th May Use the points in this guide to make sure you are as prepared for the EU General Data Protection Regulation changes as you possibly can be. CommuniGator Ltd 11

12 Glossary of Legal Terms You ll Find in The GDPR CONSENT: Freely given, specific, informed statement that agrees to the processing of their personal data. PERSONAL DATA: Any information related to a person or Data Subject that can be used to identify the person. DATA SUBJECT: A natural person whose personal data is processed by a controller or processor. GENETIC DATA: Data concerning the characteristics of an individual which give unique information about the health or physiology of the individual. BIOMETRIC DATA: Any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their identification. RIGHT TO BE FORGOTTEN: Also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data. SUBJECT ACCESS RIGHT: Also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them. PROCESSING: Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc. DATA PORTABILITY: This is the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller. PERSONAL DATA BREACH: A breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data. PRIVACY BY DESIGN: A principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. DATA PROTECTION OFFICER: An expert on data privacy who works independently to make sure organisations are adhering to the GDPR. DATA CONTROLLER: The entity that determines the purposes, conditions and ways in which we process personal data. DATA PROCESSOR: The entity that processes data on behalf of the Data Controller. 12 Your GDPR Compliance Checklist

13 About CommuniGator CommuniGator is one of the leading marketing automation software providers in the UK. Established in 2005, we ve gone through a period of evolution as the marketing landscape has changed. The core platform functionality caters to marketing with automated welcome series, a HTML editor for designing your s, templates, responsive design, dynamic groups based on behaviour, integration with the leading CRM platforms, an event management suite, robust reporting and so the list goes on. On the marketing automation side we re able to track prospect activity across the web pages they visit on your website and the content they consume and take action against. This means you can build up a really detailed profile of who has done what. To read all the juicy details of what the platform offers and how we can help your business jump on over to our website: Give us a call: +44 (0) This document and it s contents are proprietary to CommuniGator or its licensors. No part of this document may be copied, reproduced or transmitted to any third party in any form without CommuniGator s prior written consent. Our products and services include: MarketingAutomation I GatorMail I GatorLeads I GatorEvents I GatorDocs GatorSurvey I GatorSocial I GatorData I CRM Integration I Managed Services