5 ways to become GDPR compliant


And why it doesn’t have to be a right royal pain for your business

It’s not just royal nuptials that have been dominating the thoughts and minds of marketers in the northern hemisphere. Unless you’ve been living under a rock for the last six months, you’ll be fully aware of the European data protection rule changes being implemented from 25 May (and the fact Harry and Meghan were tying the knot). Yes, the General Data Protection Regulation, or GDPR as it’s commonly known, has undergone an upgrade and the new regulations are now in effect.

What does it mean for Kiwi tech exporters though?  Working in a B2B environment, based on the other side of the planet, how will it change what we do and the way we capture and store our clients’ data? Like all regulations, they are there for the greater good and offer standards to which we should all aspire, and unlike the previous guidelines these regulations are binding.

Ultimately what you decide to do is based on where you operate and your firm’s approach to risk. The approach of a publicly listed global company will differ from a smaller private entity with a smaller geographic footprint. We’d advise you to get legal advice to be clear about your legal position.

From the research we’ve been doing on behalf of ourselves and our clients we can identify, from a marketing perspective, the key factors that need to be addressed:

  1. Track and keep records of when your contact first subscribed to receive information from you.
  2. Determine the ‘lifetime’ of the permission received from your contact and implement a process to re-capture that permission when the time has expired.
  3. If relevant, apply pop up notices on your website to advise you are using cookies to track visitors’ journeys.
  4. Review your privacy statement to advise the changes you have made and explain the process for contacts to review the data you hold on them and how they can change it.
  5. Legal team sign off.

Regardless of where you are based, if you offer goods or services into the European Union and want to regularly communicate with contacts and customers based there, you need to consider how you comply with these new regulations.

Data capture and storage

Those of us using an automated marketing tool like HubSpot will have the basis of this covered. You will easily be able to review the lifecycle of a contact’s subscription and, if required, supply the date and details of when and why they first gave permission to communicate with them. For those not yet working with any form of technology stack, this might be a good time to consider your options so you are equipped to manage your contacts and their communication permissions.

Lifetime of the permission granted

This is not such a black and white requirement, and depends on your business’s situation. You will need to put in place a review policy covering any form of communication: newsletters, product launches as well as educational content. The length of that permission period is highly dependent on what kind of products your business sells into what markets.

Cookies notice

Any marketing automation will be tracking your visitor’s journey through your website; how many times they have visited and which pages they are viewing.  Many websites have had this in place for some time, but the new GDPR requires you to make this transparent to any visitor to your website and give them an option to turn it off before they continue with their visit.

Privacy statement update

Our experience getting to grips with GDPR has been quite enlightening for a number of clients who don’t know if they have a privacy statement, where it is or when it was last updated. Best practice would suggest this also becomes part of the process determined in point 2 above, and as an organisation it would be a good idea to make someone responsible for ensuring that this happens. Details of how prospects can review or amend the data you hold on them should be outlined in your privacy statement, and are in addition to the unsubscribe option you should already be offering. Once you have made the changes your organisation requires, make sure you reflect this in your privacy statement.

Legal team sign off

Each company, its target market and its product or service offering is different, and interpretations of GDPR will work differently across them all. The risk, in terms of the fines incurred through non-compliance, is potentially significant, so we’d suggest you seek legal advice on how you propose to comply with GDPR and maintain that compliance over time.

Like any wedding – royal or otherwise – we’d hope the compliance by both parties was longstanding and secure.

Want some help grappling with GDPR and how to apply your marketing technology? Get in touch with Concentrate to talk to one of our consultants.