Overview of The General Data Protection Regulation (GDPR)
Although the European Union has a reputation of being very stringent with its digital privacy regulations, the latest GDPR Regulation is a very good thing for marketers because it forces companies to be transparent and compliant in their methods for generating leads and protecting consumer privacy. The reach of digital marketing extends far and wide, and for many companies global reach across the internet means an opportunity to reach consumers both near and far…much farther than what was possible with traditional marketing in years past. Companies both large and small in the United States are deeply impacted by the forthcoming May, 2018 regulation, including the controversial “right to be forgotten” which requires search engines to remove links from searches for an individual’s name at their request. Here is a little background: In 2016, the EU passed the General Data Protection Regulation (GDPR), which serves as a one-stop shop for digital privacy rules and replaces various national laws and directives. This change impacts digital marketers because it increases the level of regulation on May 25, 2018, which means there will be a hefty fine on companies who are not in compliance. This is a good thing because it aims to eliminate all those spammers working off of the data circulating online. Think of it as being similar to the old “do not call” lists that aimed to eliminate the robo-calls, except for email.
As digital marketing is intimately involved in the collection and use of customer information, most commonly collecting email addresses, some digital marketers may be worried about their email campaigns meeting the new requirements and how it will affect their marketing efforts. Fortunately, the automation platforms we use here at LaunchDM are all in compliance. We are a HubSpot Certified Partner, which means our own practices as well as the marketing we do for our clients are in compliance as well.
HubSpot has been working tirelessly to finalize a number of features which will mean its platform is up to code with the GDPR. Here is a list of the different regulations, in plain language, and the solutions that have been implemented for each.
Lawful Basis of Processing
The GDPR requires a “lawful basis” for all uses of a customer’s data which must be attributed to each use. These legal reasons could be that the customer has signed a contract with you, has consented to the use of his or her information, or that the customer has a probable “legitimate interest” in your content (e.g. has made a previous purchase and you want to send him or her a list of related products). HubSpot will be adding a new attribute to track lawful basis. It will be editable manually or via automation. In addition, users will be able to track and audit the history of lawful basis throughout a customer journey.
Consent
Consent is one type of lawful basis recognized by the GDPR. Consent requires that customers be given notice as to what they are opting into and that their consent be made affirmatively (i.e. pre-checked boxes do not automatically constitute consent).
We have rolled out a number of features to make collecting, tracking, and managing consent easier than it was before. As the three most common ways of client acquisition are through the forms on your website, live chat or “messages” conversations, and meeting features (such as when you schedule an appointment and add it to your gmail calendar), these three tools have been updated to provide proper, compliant notice to our customers, and to record their consent when it is granted. These tools will even store a copy of the notice provided to customers, information about the consent provided, and a timestamp of the interaction. Our subscription preferences page supports opt-in preferences as well as opt-out preferences.
Withdrawal of Consent (Opt-out)
Under the GDPR, consumers must be able to see what they have consented to previously and also be able to withdraw that consent at any time. The page which displays these options must be easy to read, easy to use, and provide up-to-date information about what the customer has consented to. While this feature is already present on our subscription preferences pages, we are also adding the ability to include unsubscribe links in 1:1 emails.
Cookies
It is required that customers be advised that cookies are being used to track them, and they must provide consent to being so tracked. We have updated the default language for enabling cookies on our HubSpot-hosted websites to reflect the nature of affirmative opt-ins. In addition, there will be a feature that makes sure the cookie-consent message is displayed in the correct language based on a customer’s location.
Deletion
Customers have the right to demand that all personal data about them be deleted, and the GDPR requires the permanent removal of this content. Companies have 30 days to meet these requests. Our HubSpot portal has a tool that allows for a GDPR-compliant, permanent deletion of a customer’s data.
Access / Portability
Customers also have the right to demand a copy of all personal data that a company has about them, with “personal” defined as anything identifiable including a name or email address. The controller of that data will then need to provide a copy, sometimes in a machine-readable format. HubSpot allows users to grant such a request by exporting the customer’s contact record into a CSV, XLS, or similar machine-readable format. Tasks, notes, calls, and other engagement data which are not included in the contact record export can be accessed using the CRM engagements API.
Security Measures
The GDPR’s most wide-reaching component is its data protection safeguards, including encryption in transit and at rest, access controls, and data psuedonymization/anonymization. HubSpot is already in the process of strengthening its security across the board and going beyond the industry standard practices for encryption. It will also be improving its authentication, authorization, and auditing systems before the May, 2018 deadline.
As the GDPR implementation date approaches, there has been a flurry of doomsday articles suggesting that the strengthening of customer privacy will end marketing as we know it. However sensational these articles have been and however stringent the GDPR may seem, it actually changes very little about day-to-day marketing operations for those of us who offer transparency and do it according to the rules.
In fact, if anything, the new regulations should improve average lead quality by helping to eliminate spammers and allowing customers a variety of ways to opt-in and opt-out of content they do not wish to receive. This raises the bar for good quality marketing!
Perhaps the only marketers that may see a change are those that use less-than-ethical practices. In fact, because of the requirement for a lawful basis of information processing, it is now illegal to use purchased lists of customer data to generate leads. Our customers can rest assured, this new information does not impact our digital campaigns or content marketing strategies at all because we have always done things ethically! If you have any questions at all, please don’t hesitate to give us a call. If you would like to schedule a free 15-minute telephone consultation, click below to get started!