Privacy is probably one of the least appealing topics in marketing. But this one’s a doozy. On May 25, 2018, any company that is not in compliance with the European Union’s new opt-in regulations is at risk of a fine of up to 20 million euros, or 4% of their global topline revenue. Yipes! Most B2B marketers have customers worldwide. The General Data Protection Regulation is something we cannot ignore.
The interesting thing about this new regulation is that it’s not about marketing per se. It is not just focused on prospecting, like the CAN-SPAM and Do Not Call regulations in the U.S. It’s about consumers’ control of their data, and their comfort that it’s being protected.
Linnette J. Attai, whose consultancy PlayWell, LLC, specializes in compliance, explains that the consumer is the data “subject,” and the firm with whom he does business is the data “controller.” The controller decides how the data will be used and protected, and may be supported by a “processor,” like an agency or data services provider. The controller must be able to demonstrate that the subject has agreed to the controller’s data usage and storage plans.
The data elements likely to be at issue include a name, a photo, an email address, bank details, posts on social media, medical information, or a computer IP address.
As business sellers, we may be in somewhat better shape than our consumer marketing counterparts. First of all, an existing business relationship implies consent on the part of the customer. Furthermore, the reg requires businesses to buy only from firms who are compliant. So your existing customers are probably already hounding you to amend their contracts to include GDPR language, says Attai. And if a new contact at the existing account gets involved in the relationship, they may be covered under your existing contracts. Or you could provide the required notices, ask that person to check a box on an online form, and be done with it.
But for a “net new” account, it’s murkier. In the course of business with a new customer—for example, in your contract—you need to gather their agreement as to how you will use their information. But apparently it does not always mean that you must get GDPR compliance in advance to make cold contact with prospects. Most EU prospecting data—email and direct mail lists—already include opt-in permissions. Look for prospecting data that was opted in under GDPR specifications.
GDPR also specifies various technical elements, like security levels, auditability, cross-border data transfer, and procedures for reporting data breaches. B2B firms are going to need help determining how to comply.
One helpful resource is Pauline Murphy, managing director of 1 Stop Data Limited, in the UK. She specializes in B2B prospecting, and operates a multi-language call center in Ireland that calls into the EU and the Middle East. Alongside lead generation and data hygiene calling, she offers GDPR compliance services. Seems like a nifty solution to me, since you get demonstrable compliance along with an extra marketing touch, plus a chance to update your customer records and add new contact names.
So, what should we all be doing? That’s the funny thing. Since the regs are new, no one is entirely sure what exactly needs to be done. But most experts advise that you take steps, and don’t dawdle. If the regulators want to make an example of a company next May, let’s not let it be yours. Get started with http://www.eugdpr.org/ and https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/.