The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018 and will require all companies that collect personal data of EU citizens to take many new measures to protect that data. As an inbound marketing agency we believe that increased data protection is a great thing, and can help build the relationship of trust between company and client that we work hard to establish through creation of valuable content and other aspects of our work. We are working hard to achieve GDPR compliance in our marketing agency by May 25.
The GDPR requirements are demanding, so appropriate planning has been important. We’ve listed below the steps we are taking. While we are happy to share our own process, you should not take this information as advice for your company. It is essential that you consult with a knowledgeable legal authority to be certain of the specific steps you must take to be GDPR compliant.
Here are the steps we are taking at StepUp to be GDPR compliant:
1. Getting explicit consent before collecting information, and enabling easy withdrawal of consent
For us at StepUp, the data we collect is straightforward and not sensitive. However, the GDPR requires us to make sure that when we collect leads for mailing lists, consent is simple and clear. We are implementing “opt-in” consent on all our forms so that any person who interacts with us will understand what they are signing up for, and how they can withdraw consent through a simple and easy “unsubscribe” process.
2. Putting a process in place to make sure we can (if requested by a contact):
- Confirm if and how any personal data is being used
- Provide leads with their personal data
- Transfer their personal data to another company
- Erase and forget their data
3. Making sure we are ready in the event of a data breach
In our marketing activities, we don’t collect highly sensitive information such as financial or medical data, but we need to be ready to act in the event of a data breach anyway. GDPR requires organizations to notify their supervisory authority of data breaches within 72 hours of discovery of the breach. (For organizations which do collect sensitive data, such as medtech or fintech companies, it is also necessary to notify contacts directly in the event of a data breach.)
4. Putting policies in place to make sure data protection is a core function
We are reviewing internal policies and procedures to protect the data of our leads. For example, we work with HubSpot as our marketing automation platform because its platform already supports the protection of the data of all the leads we collect and store.
5. Collecting only the personal data necessary to carry out the work at hand
Every time we create a new landing page, form or conversion point, we ask ourselves what information we really need from these leads. We aim to be thoughtful in the collection of data rather than gathering personal information “just because.”
6. Limiting access to personal data to the people who need it to carry out the work at hand
When we assign users within our marketing automation platform and CRM, we make sure that only the people involved in each project can see the contacts. HubSpot helps us set reasonable access parameters for each member of our team.
7. Appointing a Data Protection Officer (DPO) and a representative in the EU
Under the GDPR it’s not enough to make technical changes. It’s also essential to appoint a qualified professional to handle ongoing protection issues and to systematically carry out record-keeping and monitoring functions.
8. Having an informed IT lawyer on speed dial
We know that our own in-house research is not enough, so we have our lawyer involved as a central part of our GDPR compliance. Because the requirements are new and unclear in many places, and because their implementation depends on the specific position of each organization, we view access to competent legal counsel as the most important part of our GDPR compliance – and you may want to as well.
GDPR Compliance in Your Company
We hope that your company will benefit from knowing how we have approached the changes required by the GDPR. Make sure you outline a thorough plan in advance and run it by your lawyer. Ultimately, your leads and customers will appreciate your efforts to protect their data – both the measures required by the GDPR and those imposed by other authorities. Compliance keeps you on the right side of the law, protects you from financial penalties and reinforces your company’s image as thorough and innovative.
At StepUp we work with a number of companies that collect varying levels of personal data, and it’s important to us that the information we collect on behalf of our clients is gathered lawfully and protected carefully. If you’d like to work with a marketing team that puts data protection at the center of your marketing plan, reach out to our team to schedule a free consultation and strategy session to learn how our inbound marketing methodology can help you grow your business.