Bloody hell!! Fines of 4% of global turnover, or €20m. Should I be panicking?
Well, no. It’s certainly a challenge, but not as bad as many are making out – at least for B2B marketers.
A bit like Y2K, and a whole host of security FUD, it suits some tech vendors to scare the pants off people, but the truth of the matter is that you don’t really have too much to worry about if you start now.
By the way, this has got nothing to do with Brexit. Due to become law in May 2018, GDPR may be an EU piece of legislation, but the expectation is that it will become the accepted global standard. Its most far-reaching implications are for B2C marketers peddling their wares to private individuals but, for B2B marketers, if you’re legal now in terms of the Data Protection Act, the chances are that you’ll be legal this time next year.
That said, you are going to have to get your house in order, and be able to show that you’ve done so. While all the details of GDPR have yet to be confirmed, it seems that with a bit of work and a few new processes, you won’t need to change too much.
The key point for B2B marketing activities in the UK is that it’s enough to give individuals the option to opt out – this is sufficient to establish consent.
Nothing new there. (But don’t forget that requirements in other countries are already more onerous – that won’t change either.)
So, as long as your data complies with the current DPA, the key thing you have to do to prepare for GDPR is to make sure that, if someone contacts you to ask if you hold any personal data on them, you are able to confirm within 30 days what that is, where it came from, and why you’re holding it. The individual has the right to object, correct any errors and, if they choose, insist that their data be removed. If you’re using a reputable marketing tool, you should be able to set up preference centres for them, if you haven’t done so already – that should do the trick.
The other thing you should do is put yourselves in a position to demonstrate that you have thought about how personal data is protected, from start to finish, should there ever be a breach. Decide on your policies, make sure you share those policies with the rest of your organisation, and minute your decisions for all to see.
The really thorny issue for me is in the grey area of social media. Our view here is that, if you are collecting personally identifiable data from publicly available social media sources, you’re fine. You’re also fine if you use that publicly available data to contact someone about a B2B service. Unless they ask to opt out.
If they do opt out then they can ask to have all data on them removed – no matter how it is sourced or where you store it – unless that data is anonymised. The problem here is that the request for opt-out and deletion is at an organisational level, and in so many B2B organisations the sales function and the marketing function may both hold ‘social data’ independently of each other. Sure, CRM systems house telephone numbers etc – but how many hold the more detailed information found in social media (personal preferences, work history, likes, dislikes, hobbies)? The more you hold, the more likely it is that you’re crossing over into personal territory, which opens up a whole new can of worms. By next May it may be clearer but, right now, I’m not sure where we sit on this.
If in doubt, it helps to consider the ultimate goal of data protection legislation: the lawmakers’ intention is for the individual to be in control of who holds what data about them. Whether that’s for marketing or any other purposes, the data is only on loan – you don’t own it.
Frankly, the best advice I can give for the time being is to look at the Information Commissioner’s Office booklet: 12 Steps to Take Now. (As mud goes, it’s pretty clear.)
Alternatively, the closest I have found to simple authoritative guides are a couple of blogs. One, from TechTarget, deals specifically with B2B situations; the other, from Semafone, the contact centre software specialists, looks more broadly at the implications if you work in B2C. Click on the links for a bit of sensible clarity.
So, don’t panic. Just get to it.
Important note: I am not a lawyer. I am a marketer (and my opinions are my own!). My summary here is based on information from a broad range of sources, including the DMA, documentation from leading lawyers and a host of other sources. There are obligations within GDPR applying to staff information and other such areas which I’ve not dealt with, and wouldn’t dream of offering advice on.