Updated: May 26, 2020
The General Data Protection Regulation is here
If you’re involved with inbound marketing or content strategy for your organisation, you’re about to face some strict new rules from the European Union. Whether the UK is in the EU or out, markers based here will soon feel the force of Europe’s latest data privacy regulation.
The General Data Protection Regulation (GDPR) will impact marketers and content creators around the world. The regulation will apply to any entity that comes into contact with the personal data of EU residents.
As of 25th May 2018, the Information Commissioner’s Office (ICO) will begin penalising rule breakers. Once the regulation is in force, a careless oversight or error could result in stiff fines, potentially as much as four percent of your organisation’s global annual revenue.
The Brexit question and the GDPR
In January 2017 the Prime Minister announced that decision to adopt the rules of the GDPR, even as we exit the EU. The announcement means that, whether the UK ultimately leaves the EU or not, the government has decided that the rules of the GDPR will become law for UK citizens.
If you’re a marketer facing the prospect of this draconian regulation, you’re not alone; any brand that wants to be a player in the EU or UK market will have to work with it, regardless of the industry.
In fact, the regulation is an issue for marketers around the globe. The European Union has more than half a billion residents and a GDP of around £15 trillion. So the choices are either stay out of Europe entirely or work with the new rules.
The EU wants to be the champion of consumer privacy
This law intends to rebalance power in favour of the individual, which is a worthy goal. Unfortunately, the results so far have been ambiguous at best: Annoying disclosure banners that do little more than state the obvious.
The GDPR will undoubtedly place a burden of constraints and added costs on any entity that
wants to work with data from EU residents in any way. So, will the regulation have real authority or will it remind users of its inherent uselessness, like the Cookie Law?
The broad scope of the GDPR and its power to impose steep fines appear to give it real teeth. If you want to market and sell into the EU from now on, you’re going to have to join in wholeheartedly.
Harmonising Inbound Marketing and Content Strategies with the GDPR
Inbound and content marketing methodologies are so powerful that, when you make an objective assessment, they’ll likely prove to be worth the additional effort. The GDPR applies to you under any of the following conditions:
Any part of your corporate entity maintains a presence in the EU
You offer goods and services for sale to EU residents
You store, transmit, or process data about EU residents
Your company provides infrastructure and platforms that collect, store or process data about EU residents
The GDPR’s scope includes any organisation that monitors and retains data about the behaviour of residents whether or not your company is an EU entity. Additionally, it doesn’t matter if you connect with the data directly.
If you provide infrastructure and platforms as a vendor to third-party service providers, you too fall within the bounds of the regulation. Datacentres and service providers that host services on behalf of other entities fall under the new rules by default.
GDPR assessment planning and documentation
Once you establish that you intend to collect data about EU residents, you need to prepare to work under the rules of the GDPR starting now. Marketing Automation service provider Hubspot suggests implementing a GDPR roadmap in four sections:
Assessment – An initial phase to audit your information management systems to determine what data you hold versus what you need. You’ll need to clarify where you store the data and what security measures you have in place.
Project plan – Your plan will detail the roadmap to implement GDPR compliance in time for the deadline. This phase will be where you decide whether you need an Impact Assessment and Data Privacy Officer. Take the leadership role to generate buy-in from all of your teams and partners.
Design procedures and controls – Create the standard operating procedures that lay out how you will gather, hold and dispose of data. Define and how you’ll respond to security breaches and implement training for the organisation’s personnel.
Assemble documentation – Compile and distribute the documentation to support your plan and policies. Prepare contracts and policies for third-party vendors.
The GDPR and marketing automation
In the new EU context, marketing automation providers like Hubspot, Marketo, and InfusionSoft and others provide will excellent support for marketing campaigns. These companies have had to go through the same preparations; they bring their powerful resources to the challenges of the GDPR, to the benefit of all.
Marketing automation helps you apply consistent standards in the way you transfer, store, and process affected data. However, the automations that process data under the regulation can create unintentional violations.
GDPR moves the content strategy goal posts
The costs and limitations of GDPR compliance will extend to marketing automation tools. While suitably qualified vendors can help you enforce standards, the value of the data itself diminishes because of the new rules.
To remain compliant, activities that have traditionally multiplied the value of data, like Capturing IPs from reverse tracking, automated data management, and lead scoring, now require explicit opt-in permissions from the subjects. Data disposal requirements eliminate any residual value, which makes lead reactivation much more difficult.
As a marketer, the right automation services can help you find the value in the data and remain in compliance. The new constraints on data collected from EU residents do diminish its usefulness somewhat. However, the EU market is vast and diverse. Subscribing to marketing automation services will still help you generate the most return on investment from within EU borders.
Summary Of UK And GDPR Compliance Requirements
The GDPR builds on the existing EU Data Protection Directive. Implementation of the new privacy rule in the UK came as part of the 2016 revision to the United Kingdom Data Protection Act of 1988. The regulation brings together the Directive with the new requirements in one streamlined framework as follows:
Multi-member state businesses can nominate one Data Protection Agency to be their Supervising Authority (In the UK, the ICO)
Abide by all data access rights such as data portability and the right to be forgotten
Depending on processes and data volume Data Controllers and Data Processors have a mandate to appoint a Data Protection Officer
All Data Controllers must design their systems around the appropriate procedures, policies, training, and record keeping policies
All residents now have the right to opt-in, withhold consent for additional data uses, and withdraw their data
Data Controllers must report breaches to their Supervising Authority within seventy-two hours
The GDPR applies whether you transfer, store, or process the data of UK and EU residents within the region or from any other point in the world. At the time of writing, there is still time to prepare and update your data retention policies and security procedures. So, if you want to market to consumers and businesses in the UK and EU, it’s time to reckon with the strict data privacy standards of the GDPR.
TRAC Marketing is a UK-based company that provides marketing automation consulting and solutions for small businesses. Speak to our marketing automation consultants today to learn more about putting marketing automation to work in your company.