The General Data Protection Regulation (GDPR) initiative is top of mind for most B2B marketers. Why? It requires companies to take specific actions related to updating privacy policies and website cookies. Specifically, it is a regulation intended to protect the data of citizens within the European Union. As of May 25, 2018, the GDPR specifies how businesses can collect, store and process personal data from customers, prospects and website visitors. The GDPR applies enhanced data protection standards to companies based in the EU. But U.S. companies, especially those with a strong internet and global presence, need to understand the implications of the GDPR for their marketing and data practices.
GDPR 101
As with any government regulation, the GDPR verbiage contains extensive legal jargon. According to the document, “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.”
In layman’s terms, the GDPR prohibits companies from gathering and profiting from personal data without explicit consent, if the data relates to European subjects. This personal data includes:
- Name, address and phone number
- IP address and cookies
- Racial identity
- Religion and religious affiliation
- Health and genetic data
- Biometric data including fingerprint, facial or iris identification
- Bank details
For most B2B marketers, the first two entries on that list are especially disconcerting since they include the basic data obtained from most lead-generation applications and programs. For companies that offer e-commerce to EU customers, financial information is of particular concern.
The cost of non-compliance
Businesses that fail to comply with the GDPR face potentially costly penalties. The amounts vary based on the level of infraction, intent, history of prior infringements and data type, among other considerations. At the low end, companies can be fined 2 percent of their worldwide annual revenue or up to 10 million euros, whichever is greater. At the high end, offenders are looking at fines of 4 percent, or up to 20 million euros.
Based on this new legislation, it’s likely the days of purchased email lists and shotgun marketing emails are numbered. Experts predict that the U.S. will adopt similar policies, likely sooner rather than later. No longer will companies be able to add new addresses to email lists or send out non-targeted communications without prior and explicit consent. While that reality may be years away, it’s important for businesses to review their data practices and determine whether the GDPR applies to their online activities. In the meantime, here are some simple do’s and don’ts:
- Do seek consent wherever possible. Asking for direct affirmative permission to contact someone via email is the most secure process under current legislation.
- Do review your website’s privacy policy and update as needed.
- Do inform website visitors about how their information is collected and used via a pop-up consent form or other application.
- Don’t email anyone who has not provided consent, has unsubscribed from a list, or has opted out in any way.
- Don’t assume that silence is consent. Unless someone explicitly agrees to being added to a list, don’t add them.
Although the GDPR is complex and challenging, it is less so if marketers simply place the customer first. With this mindset as the foundation for marketing initiatives, the GDPR moves us all closer to a customer-centric strategy. To learn more about how to develop customer-centric marketing initiatives, contact Trade Press Services today.