A new personal protection law called General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. GDPR affects any business that offers products and services to, or collects personal information from, residents in the European Union (EU). GDPR was proposed by the European Commission to create stronger data protection laws for people residing in the EU including how personal information is collected, stored and used.

Will My Business be Impacted by GDPR?

Yes. All businesses are impacted by this change, whether they are in the EU or have customers and subscribers located in the EU. It is a common practice for businesses to use personal data collected from online forms or newsletter signups to send digital marketing communications to site visitors.

Once GDPR is in effect, however, businesses must gain consent prior to using a customer’s personal information for email marketing purposes. They will also be required to delete a user’s personal data upon request.  GDPR also requires that users are provided with a clear privacy policy statement in explaining how their information will be collected and used.

10 Steps to Help You Prepare for GDPR

1. Make yourself aware of GDPR requirements and notify your marketing team of the changes
2. Designate someone on your team to oversee GDPR compliance
3. Contact your marketing automation providers to ask what steps they have taken to prepare for GDPR
4. Perform an audit of all your mailing lists and all personal data that has been collected by your company, including user location
5. Implement a process to request (or re-request) consent from all current subscribers
6. Add an opt-in checkbox to all your web-based forms to gain user consent, including parental consent if your business markets to minors
7. Provide an easy way for users to not only opt out of communications (e.g. “unsubscribe” links), but request that their personal data is removed from your database
8. Establish a reliable process for tracking when personal data was received, when the user provided consent and if/when the user withdrew consent
9. Review your current privacy policy to make sure it has a clear statement regarding how personal data is used and update it to reflect GDPR requirements
10. Have policies in place to keep user data secure

Want to learn more about how U.S. consumers feel about data privacy? Check out this consumer privacy infographic from TrustArc. The statistics might surprise you.

Gaining Consent Prior to Collecting and Using Personal Information

To be in compliance with GDPR requirements, an opt-in checkbox should be added to any web-based form that requires a subscriber to enter their personal information. This includes forms used for downloading content, signing up for a newsletter, or requesting information about products and services.

Companies that market to minors should consider adding age verification or parental consent options to their forms. It is important to know that your checkbox must be one where a user physically selects the box to provide consent. It is not acceptable to use pre-checked boxes or any other method that might be easily overlooked or cause confusion.

GDPR also affects marketing automation programs, so you should immediately contact your email marketing provider to ask what steps they have taken to become GDPR compliant.

Providing Users with An Easy Opt-Out Process

Another important part of GDPR compliance is that you must provide subscribers with a clear and easy way to withdraw their consent and have their personal information removed from your communications database. This withdrawal of consent is similar to current laws requiring the inclusion of an “unsubscribe” option on all email communications, but also requires that all personal data is fully removed from your database.

Check your current unsubscribe process to make sure it includes clear directions on how to opt out of receiving future communications.  It is also a good idea to perform an audit of your current email list to see if any EU users have opted out of receiving communications.

Managing Subscriber Consent

GDPR requires businesses to have a process for effectively managing subscriber information, including was has opted in and out of receiving communications. Using a CRM system to manage and store personal data is a more reliable and effective solution than relying on spreadsheets. You also need to include a process to permanently deleting personal data in the following situations:

• when a user provides personal information but does not give consent to receive future communications
• upon receipt of a request to have information deleted
• when subscribers unsubscribe from receiving communications

Updating Your Privacy Policy and Making It Accessible

Your privacy policy should be updated to include information about GDPR and how personal data is used. The information should be presented in a clear, concise manner and include how data is collected, how its used, and how users can opt out of communications or request their personal data is deleted. Read more about GDPR privacy policies by reading the Updating Your Privacy Policy for GDPR blog post from Ecreative.

Act Now to Avoid Issues and Potential Penalties

Businesses that fail to comply with GDPR can be subjected to penalties, even if they are not located in the EU. By taking these important steps, you can prepare your business for GDPR and help prevent issues once the law takes effect. Read this GDPR for Marketing blog post by SuperOffice for additional information about preparing for GDPR.

Ecreative is here to help. We are a Minneapolis-based digital marketing agency that serves industrial B2B clients nationwide. We can help you navigate the often complex world of privacy policies and data collection regulations. Schedule your free consultation today to get started!