The GDPR is coming. Do you know where your data is?
While the Cambridge Analytica Facebook news is all over every news channel and sensationalized up and down, the GDPR (General Data Protection Regulation) has gotten relatively little attention in the mainstream.
Which is unfortunate because it’s a big deal.
It's a big deal for big businesses. It's a big deal for small businesses.
Businesses worldwide need to make changes to how they collect, store, and monitor data of all types.
So let’s talk about what the GDPR is, what communications pros need to know, and prepare you with a GDPR checklist.
What is the GDPR?
The GDPR will go into effect May 25, 2018. The European Parliament and the Council of the European Union adopted it to replace the 1995 Data Protection Directive (95/46/EC).
According to the official GDPR website, it was designed to:
Harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
It’s the regulatory muscle to enforce longstanding governmental guidance about how EU member states handle data privacy.
It is an unprecedented level of regulatory oversight and requires companies to ensure an extremely high level of data protection or suffer large financial penalties.
And when we say large financial penalties, we mean LARGE.
GDPR fines for the most serious infringements are up to €20 million (about $24.5m) or four percent of your global annual turnover, whichever is higher. A lower tier of up to €10 million or two percent applies to infringements such as failing to report a breach or to keep proper records.
Who Does the GDPR Affect?
If you offer goods or services to people in the EU, or monitor their behavior there, you must follow the data privacy regulations of the GDPR. The protection attaches to people in the EU, not only to EU citizens.
That means all companies, in all geographies, that process or hold personal data of people living in the European Union, whether or not the company has any presence in the EU.
What Do GDPR Protections Include?
The GDPR focuses on giving consumers control of their data.
To be GDPR compliant, an organization must not only protect consumer data but also provide many simple ways for consumers to control, monitor, check, and delete any and all information about them.
There are 99 articles in the GDPR. The ones that most significantly affect businesses and communicators are:
Article 5: Principles for Processing and Storing Data
Data must be processed and stored lawfully and transparently, and only for the reasons CLEARLY specified and agreed to by the individual.
Data must be processed securely to prevent unauthorized access or loss (i.e., if data is lost or stolen and it appears proper protections were not in place, you will be held liable and fined).
Articles 6-8: Lawful Basis and Consent
Consent is one of the six lawful bases listed in Article 6, and it is the one communicators will almost always rely on. Very similar to Canada's Anti-Spam Legislation (CASL), individuals must give consent that is freely given, specific, informed, and unambiguous, and Article 7 requires you to be able to demonstrate that they did. You can't buy lists or upload contacts. Obtain clear consent and provide an opt-in process.
Only the information needed may be collected (data minimisation, Article 5(1)(c)). So collect only the data needed to accomplish the task initiated and consented to by the individual.
This means we can't just collect additional information from EU residents (demographic information, survey information, etc.) if it isn't required for the actual execution of the task (such as signing up for an email list to get blog posts).
Article 15: Right of Access
People in the EU must be given, upon request, all personal data a company holds on them and told how it is being used. Article 12 requires you to respond without undue delay and in any event within one month.
Article 17: Right to Erasure ("Right to Be Forgotten")
Companies must delete a person's data upon request when there is no longer a lawful reason to keep it. For marketing data held on the basis of consent, that is whenever the person withdraws consent.
Articles 33-34: Data Breaches
Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (Article 33), and notify the affected individuals without undue delay when the breach is likely to put them at high risk (Article 34).
Article 35: Data Protection Impact Assessments
Where processing is likely to result in a high risk to individuals, companies must conduct a data protection impact assessment to identify those risks. The assessment must also describe how the company is addressing them.
Articles 37-39: Data Protection Officers
Any company whose core activities involve large-scale, regular and systematic monitoring of people in the EU, or large-scale processing of special categories of data, must designate a data protection officer (DPO).
How Does the GDPR Affect Communicators?
As with other data privacy legislation, email marketing and marketing automation are the areas most affected.
However, you also need to be sensitive to GDPR when pitching EU reporters or making sales calls (if you manage a sales team) to prospects who have not provided consent for you to reach out to them.
GDPR Checklist for Media Relations
If you don’t have a previous relationship with a reporter in the EU, they haven’t emailed you, or in some way contacted you as a source, you cannot email them.
Do not send an unsolicited email to an EU reporter or editor. If you want to get in touch with them, you need to use contact forms or social media channels where they have given contact consent.
If they email you first or request information from you directly, this implies consent, and you are free to respond and communicate with them.
Develop relationships with reporters for the long-term. "Spray and pray" releases to reporters and publications were always bad practice and ineffective; now they can also put you on the wrong side of the GDPR.
GDPR Checklist for What You Already Should Be Doing
Many of the email marketing practices below you should already have in place, but you will have to make a few tweaks and add extra layers of protection and data access.
You also must keep a record of each subscriber's personal data that they can access, change, or update.
Be clear in every email about how and why you obtained the address, who you are, and why you are emailing.
Always use double opt-in (the subscriber confirms from their inbox). The GDPR does not mandate it, but it is the cleanest evidence that consent was actually given.
In your opt-in process, you need to be clear about expectations and what they can expect from providing their email (example: weekly blog posts and the occasional special report).
You need to provide an opt-out on every communication.
Don’t buy lists. Don’t use lists from others. While these people have given that organization consent, they have not given it to you.
All of this is what you already should be doing. So no stress here.
GDPR Checklist for What You Might Not Already Be Doing
Some additional GDPR checklist guidelines you might not already be doing include:
You cannot collect information from anyone under 16 without parental consent (member states may lower that threshold, to no lower than 13). So if this is a general target for you, you will have to change your system for data collection (and probably your overall communications strategy).
If you don’t target those under the age of 16 you need to add a check-box in your opt-in to indicate if the subscriber is older than that.
You cannot require more information than is needed for the consented action of the subscriber. So if you don’t need a phone number or an address, you can’t require one. If you don’t need to know what industry they are in, you can’t ask.
If you want to collect this information, you’ll need to have a valid reason why (such as an industry-specific email that supplies information specific and helpful to those in that industry) and explain that upon opt-in. Bonus: this will help you send more targeted information anyway, so all the better.
The right to erasure means that you need to be able to remove ALL of an individual's personal data on request, including copies held by your email service provider, CRM, and any other processor you use, and keep a record that you did so.
Erase the personal data of your users when a service/agreement comes to an end, or they revoke their consent.
Make sure your sales teams are aware of the regulations and do not "cold email" or call prospects without prior consent (or add those prospects to ongoing email lists).
Evaluate your current email lists. Where did you get them? How did you obtain consent? Do you have a record of that consent? Can all subscribers access and change/delete their data?
Create a plan for the holes identified from your audit.
Are Your Current Lists Compliant?
To make sure you are fully in compliance you either need to set-up a second opt-in process for anyone who says they are an EU resident and keep them on a segmented list, or update your protocol for everyone.
Data protection isn’t a topic that’s going away soon. It’s always better to over-prepare. So we’d suggest the latter.
If your current opt-in process hasn't followed these rules, you must also run a re-opt-in (re-permission) campaign with your existing list so that all current data meets GDPR standards.
Email Best Practices Equals GDPR Compliance
As communicators, we want to send the most useful, relevant information possible to our email subscribers. We don’t want them to see us as spam, but a trusted source.
If anything, GDPR forces you to stay committed to that goal.
The GDPR compliance will not only protect data privacy but also help you build a more engaged and targeted list.
A list that receives your emails because they want them, not because you bought, tricked, or insta-added them to your database.
"Inspired By" GDPR Checklist
If your ultimate goal is to maintain the integrity of your data and the quality of your list consider adding the following protocols to your email marketing strategy.
I like to call these the “inspired by" GDPR checklist items.
Non-Engagement Auto Unenroll
If you've ever signed up for any of the HubSpot email lists, you might also have been kicked off.
HubSpot has a system that, if you don't engage with their email over a consistent period of time, unenrolls you (and sends you a nice note to say "see ya, you can re-enroll here if you want").
This allows them to:
Continue to get consent.
Re-engage you if you are really interested.
Keep possible “spam” rankings low from people who forgot they subscribed.
Just because someone gave you consent once doesn't mean they want you to have it forever.
This system helps them keep, and write the most specific content for, the people who really want to be there.
The business with the biggest email list doesn't succeed.
The business with the most engaged list that converts succeeds.
The size of the list isn't the goal, the quality is. Put a strategy in place that works to build a quality list, not just a list. GDPR compliance comes along with this.
Specificity in Content and Lists
Just because someone subscribed to your blog, doesn’t mean they also give consent to receive product updates or other emails that aren’t blog posts.
These GDPR checklist items focus on specificity and targeted content.
Be extremely clear on what they’ll receive.
Remind them often why they signed up and what they should expect to receive.
If anything changes, let them know and give them the option to change their preferences.
Think about including separate opt-ins or checkboxes, so they can choose all the things and areas they want you to communicate with them about.
The more targeted and specific to their needs, the better. If you don't segment your lists and continually reassess interests through lead flow and email click-throughs, examine how to make that part of your strategy.
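To make the list audit above (where did consent come from, is there a record of it, can the subscriber access and delete their data) and the per-scope opt-ins in this section concrete, here is an added example of a small consent ledger. It is not code from the original article or from any email platform; the field names, the scope names "blog" and "product_updates", the source labels, and the three sample subscribers are all constructed for illustration.

```python
"""Consent ledger for an email list: audit, scope check, access export, erasure.

Added example, not code from the original article. The field names, the
scope and source labels, and the three sample subscribers are constructed.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import hashlib

# Sources that never amount to consent given to *you* (the article's
# "don't buy lists" rule). Hypothetical labels; use whatever your CRM records.
TAINTED_SOURCES = {"purchased-list", "partner-list", "manual-import"}


@dataclass
class Consent:
    scope: str                    # what they agreed to receive, e.g. "blog"
    source: str                   # form or page where consent was captured
    wording: str                  # exact opt-in text shown at the time
    granted_at: str               # ISO-8601 UTC timestamp of the opt-in
    confirmed_at: Optional[str]   # double opt-in confirmation, None if never
    ip: Optional[str] = None      # evidence; keep only as long as needed


@dataclass
class Subscriber:
    email: str
    consents: List[Consent] = field(default_factory=list)
    profile: Dict[str, str] = field(default_factory=dict)  # other data held


# Constructed sample list: one clean record, one bought address, one partial.
SAMPLE: List[Subscriber] = [
    Subscriber("alice@example.com", [Consent(
        "blog", "blog-signup-form", "Send me the weekly blog digest",
        "2018-03-01T10:00:00Z", "2018-03-01T10:04:12Z", "203.0.113.7")]),
    Subscriber("bob@example.com", [Consent(
        "blog", "purchased-list", "", "2016-06-01T00:00:00Z", None)]),
    Subscriber("carol@example.com", [
        Consent("blog", "blog-signup-form", "Send me the weekly blog digest",
                "2018-04-02T09:30:00Z", "2018-04-02T09:31:50Z", "198.51.100.9"),
        Consent("product_updates", "webinar-form", "Also send product news",
                "2018-04-02T09:30:00Z", None, "198.51.100.9")],
        profile={"industry": "healthcare"}),
]

SUPPRESSION = set()  # hashes of erased addresses, so they are never re-imported


def valid_scopes(sub: Subscriber) -> set:
    """Scopes backed by a confirmed opt-in from an acceptable source."""
    return {c.scope for c in sub.consents
            if c.confirmed_at and c.source not in TAINTED_SOURCES}


def may_send(sub: Subscriber, scope: str) -> bool:
    """Specificity check: a blog opt-in does not cover product updates."""
    return scope in valid_scopes(sub)


def audit(subscribers: List[Subscriber]) -> List[Tuple[str, str]]:
    """List (email, problem) pairs whose consent evidence would not hold up."""
    issues = []
    for sub in subscribers:
        if not sub.consents:
            issues.append((sub.email, "no consent record"))
        for c in sub.consents:
            if c.source in TAINTED_SOURCES:
                issues.append((sub.email, f"{c.scope}: obtained via {c.source}"))
            elif c.confirmed_at is None:
                issues.append((sub.email, f"{c.scope}: opt-in never confirmed"))
    return issues


def access_export(sub: Subscriber) -> dict:
    """Article 15 response: everything held on the person, consent history included."""
    return {"email": sub.email, "profile": dict(sub.profile),
            "consents": [asdict(c) for c in sub.consents],
            "generated_at": datetime.now(timezone.utc).isoformat()}


def suppression_key(email: str) -> str:
    # Pseudonymised, not anonymised: keep it only for the suppression purpose.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def erase(subscribers: List[Subscriber], email: str) -> bool:
    """Article 17: drop the record and remember only a hash to block re-import.
    A real deletion must also reach your ESP, CRM, and other processors."""
    before = len(subscribers)
    subscribers[:] = [s for s in subscribers if s.email.lower() != email.lower()]
    if len(subscribers) == before:
        return False
    SUPPRESSION.add(suppression_key(email))
    return True


def can_import(email: str) -> bool:
    """Import gate: refuse addresses that were erased on request."""
    return suppression_key(email) not in SUPPRESSION


if __name__ == "__main__":
    for address, problem in audit(SAMPLE):
        print(f"fix: {address}: {problem}")
    print(may_send(SAMPLE[2], "product_updates"))   # False: never confirmed
    erase(SAMPLE, "bob@example.com")
    print(can_import("Bob@Example.com"))             # False: suppressed
```

Run as-is, the audit flags the bought address and Carol's unconfirmed product-updates opt-in, the scope check refuses to send her product news while still allowing blog posts, and erasing Bob leaves behind only a hash that the import gate uses to keep him from being silently re-added from an old spreadsheet.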
GDPR Checklist Resources and Questions
Feel overwhelmed? So did I. So I went to two GDPR experts to help get some clarity on what communicators should know about GDPR.
Compliance guru, Tom Fox and GDPR expert Jonathan Armstrong, sat down with me to review the following:
What are the top three areas where most businesses’ data protocols are currently not GDPR compliant?
Communicators deal with databases and email lists a lot. If they already have residents of the EU in their database, do they need to get them to re-opt-in, in order to be GDPR compliant?
Are communications agency owners liable if they are in charge of their client’s email lists or databases, and those databases aren’t GDPR compliant?
Article 5 says only data needed for the consented exchange is collected. Theoretically, to sign-up to download an eBook the only info really needed is an email address. Often in situations like this, we will collect additional demographic, interest, or industry information in order to create segment lists and further communicate (with content or offers specific to them). Is that no longer OK?
Along those same lines, if they sign-up to download an eBook and then a few months later we send them a blog post they might be interested or something else, is that against GDPR? How specific do we need to be upon sign-up about anything we might send them in the future?
Article 5 also says we can only keep the data for the amount of time needed. What type of timelines or guidelines should we use to know how long is too long to keep an email?
How would you respond to Americans who think the GDPR won’t affect them?
Anything else communicators should know?
This interview will clear up a lot of your questions and give you a ton to think about.
You’ll learn a lot about GDPR compliance and data privacy and protection. But the key takeaways should help you examine how you use data as part of your communications strategy.
GDPR is an opportunity to make sure you, your organization, and/or your clients use data in a strategic and effective way.
No tactic in absence of a strategy is effective. And more data isn’t necessarily better.
GDPR compliance forces smart communications. It’s good for our industry and it’s good for your communications strategy.
A version of this article was originally published on Spin Sucks