GDPR – What is it?
The General Data Protection Regulation is a regulation that impacts all forms of direct and digital marketing that use personal data relating to EU citizens. The UK currently relies on the Data Protection Act 1998, and, despite Brexit, this will be replaced by the new legislation from 25th May 2018. This essentially means that companies will need to be more transparent about what they do with personal data.
Will it affect me? How?
Yes. 100%. The GDPR will bring about a lot of changes and challenges for organisations and their marketing and sales methods. Here are the key principles that will affect you:
1. Marketing lists and databases
Customers and prospects need to provide unambiguous permission to use their personal information. The GDPR states that consent means any “freely given, specific, informed and unambiguous indication” of the data subject’s wishes by which he or she signifies agreement to the processing of personal data. This means it will be harder to obtain consent: consent requests need to be clear and separate from any other text, and pre-ticked boxes are no longer acceptable.
2. Right to access
Data subjects now have the right to know exactly what personal information is being used and exactly what for. They can also request access to all the data you hold, electronically or in print format, and you must provide it without delay and without charge.
3. Right to erasure
This simply means that data processors will need to remove a subject’s details from their databases on request and ensure no further communication.
4. Privacy by design
This principle outlines that privacy, data protection and the new legislation need to be at the forefront of an organisation’s actions. The legislation needs to shape what the company does and can no longer be considered after actions have taken place.
5. Portability of data
The data subject will have the right to have their personal data transferred from one controller to another.
6. Data protection officers
Some organisations will need to appoint a data protection officer in cases where the data processing is carried out by a public authority or body.
7. Personal data breach
The data controller must now give notification of any personal data breach within 72 hours. The notification must include the nature of the breach, number of data subjects, categories of data and proposed mitigation.
If a data breach occurs or the GDPR has not been complied with, companies could be faced with a penalty of 4% of global turnover or $20 million, whichever is larger.
Are CRMs ready?
Yes, sort of. But that’s not the end of it, as HubSpot will likely only provide technical compliance. You will still need to correctly word all permissions, audit your data and suchlike. That said, HubSpot have got a lot of resources to help you understand the legislation and implement it in your organisation. They have stated that:
“during the implementation period, we are evaluating any additional requirements or restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline.”
It’s not all as ominous as it sounds, as the new legislation will force organisations to head towards a more inbound marketing approach. This is what HubSpot are all about. Their advocacy of pull marketing coincides with the main principles and aims of the new regulations, so it will mostly be business as usual for them and for companies using this strategy.
What do I need to do next?
Quite a lot.
The most important thing is to start preparing now. There are a lot of ways organisations need to prepare for the legislation. Making decision makers and key people in your company aware of the changing law is key: everyone needs to understand the impact it will have on them and their approach.
Review your current systems and privacy notices and put a plan in place for making any necessary changes in time for the GDPR implementation. This includes reviewing how you seek and obtain consent, your data breach procedures and your data processing methods.
These things only scratch the surface of what needs to be done in preparation and organisations shouldn’t underestimate the time it takes to implement these new regulations.
I don’t have time for all of this!
You need to make time.
This law is not like the farcical ‘Cookie’ consent law that was never enforced. GDPR is the real deal and will be enforced by the ICO.
Catalyst is a HubSpot Gold Certified agency Partner, meaning we process huge amounts of data for our customers. To continue to do so, and do so responsibly and in accordance with the GDPR, we have extensive knowledge of GDPR and guidance for firms seeking to market themselves (with and without HubSpot) and process data after GDPR is enforced in May 2018. Your legal teams will follow a brief of ‘stop – don’t expose yourself to risk’ – yet the business must carry on marketing itself.
Many organisations will find it hard to find time for this big change and this is where we can help. We are an Account Based Marketing agency that not only helps you target high value accounts and the key decision makers within them, but also works with you to keep you compliant and competitive post GDPR.
At the time of writing, over 80% of our staff (and growing) are GDPR certified with the Institute of Direct and Digital Marketing (IDM), led by Joe Birkedale, Managing Director, who sits on the GDPR steering committee at the UK’s largest independent finance company.
Can your current agency say that?