On the 25 May 2018, the General Data Protection Regulation (GDPR) replaces the existing Data Protection Act (DPA). New regulations under the GDPR are intended to strengthen and unify data protection while protecting individuals residing in the EU. The GDPR expects companies to understand the risks they create when handling and using data while building a culture of privacy.
The good news is, if you’re already following principles stated within the DPA, transition should be easy.
But be warned. The GDPR offers no grace period. And fines are set to reach up to 4% of a company’s annual turnover.
Some of the GDPR’s principles have left B2B marketers befuddled. Below, we aim to iron out some of these ambiguities so you're equipped with the knowledge to transition.
What does GDPR mean for B2B marketers?
Since there's been no specification between B2B and B2C data within the GDPR, many B2B marketers thought they had gotten off lightly, with no need for significant changes to their exisitng practices.
However, the PECR (Privacy and Electronic Communications Regulation) details a need for stricter rules in consent and data breaching relating to electronic communications. And many of the key points outlined within the PECR apply to both B2B and B2C businesses.
For B2B marketing data more specifically, there's a focus on ‘soft opt-ins’ consent and new data breach rules.
With regards to marketing communications, the PECR allows for soft opt-ins during ‘negotiations of sale’, but demands this contact be limited to the ‘context of the sale of a product or service’. And this now applies to instant and social messaging, VOIP, web-based email and the Internet of Things (IoT). You can read more about these new ePrivacy regulations here.
The GDPR has strict rules concerning individuals' rights, so you might be wondering as a B2B marketer, do these rules differentiate between sole traders and limited companies? For example, are sole traders classed as individuals?
Well, yes, according to the Data Protection Network. You can only contact them if they have:
- Bought from you
- Consented to your communications
- Not opted-out from communications
With employees of limited companies and PLCs, you do not need prior consent/opt-in from the individual, so you can send marketing email/text as long as you provide an easy way to opt-out, as stated by the Marketing Association.
New demands for consent are high, but if individuals are given the option to opt-out, this is considered sufficient enough to establish consent.
B2B marketers should also be prepared for new customer rights, new data breach rules, and updates to privacy notices. And procedures will need to be in place to detect, report and investigate data breaches.
Data officers and data controllers have the responsibility of ensuring personal information is kept safe and secure. Examples of a breach include the loss, theft, leak or alteration of personal data. You can read more about data breaches here.
You will also need to ensure you are transparent in your communications, and all privacy notices are updated to be jargon free and uncomplicated.
Customers should be able to access information stating who you are, what information you hold, and what you plan to do with their data. They should also be able to complain and seize ownership of their data with ease if they are unhappy about the usages.
Another component that will apply to B2B marketers is the new cookie consent policy. Rather than requiring individual websites to include a cookie banner, cookie consent should be simplified with a simple opt-in/opt out message via the user’s browser settings.
We’ve put together this checklist to help you prepare
Step One: Data Map
Complete your information audit, and revise data security and storage policies. Consider all data your business collects, processes and stores. You must be able to prove you have obtained consent from all individuals listed in your database.
You could be required to build a new, more rigorous database, which might take time. So we suggest thinking about this sooner rather than later.
Step Two: Reliable Management System
Begin building or tweaking your data management system, ensuring it tracks engagement and honours ‘opt-outs’. Make sure you have the tools for multi-user collaboration, and that individuals have the right to correct erroneous information. You should also heavily test this before relying on it post-GDPR.
Step Three: Awareness
Start raising awareness within the company and amongst stakeholders. All employees need to know what to expect when faced with a data breach. Nominate a team member as the port of call for GDPR compliance issues and for answering questions and helping other team members. Start to think about recruitment if you feel this will be necessary for future levels of data control.
Step Four: Review and Refine
Review cookie policies and opt-in methods. Ensure all text and communications relating to data are clear and transparent, and opt-ins abide by best practice tick boxes (ticking to opt -in rather than opt-out). Remember, this applies to all communications, including instant and social messaging.
Step Five: Training
Build reviewing techniques that will drive you towards GDPR compliance. Develop and implement a training programme for staff, along with regular reviews of data protection and handling activities. You'll need all departments to be aware of best data practices, whether that be HR, Legal, or Finance.
Step Six: Test
Begin monitoring and reporting using your new data management system to ensure it is rigorous and robust enough to deal with upcoming changes. You should be ready for commencement now.
GDPR and HubSpot
For all of our customers who, by definition are using HubSpot, the answers pertaining to GDPR and use of the platform can be found in this useful ungated PDF. And for further information on security and the privacy shield programme, you can find out more here.
These are the steps we have taken here at Equinet to prepare for GDPR. Of course, the scale of these preparations will differ depending on the industry or size of your business. If you have the stamina, you can read the full GDPR text here.