The other week, I was asked to lead a discussion with the Houston Marketo User Group on how GDPR will affect B2B marketing. …well, to be honest, two other people were asked first, but they couldn’t make it, so the user group was stuck with me.
In any case, I thought a post on the most poignant points of the discussion would be useful to Integrate’s blog audience. So here they are.
6 Lawful Bases for Processing Data, and One to Rule Them All
(I recently forced my girlfriend to watch Lord of The Rings.)
There are 6 “Lawful Bases” by which organizations can acquire and process personal data in the European Union. The two that matter most to marketers are consent and legitimate interest (the other four bases will rarely, if ever, affect marketing efforts). Further, legitimate interest will only apply to very specific cases, and even then, its use gets pretty cloudy.
Thus, obtaining consent should be the primary legal basis by which marketers use personal data. This largely means requiring contacts to opt into a specific use of their personal info.
The GDPR states that consent should be given by:
"clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement."
Silence, pre-ticked/checked boxes or inactivity should not therefore constitute consent.
Further, notice that an oral agreement to consent does comply with GDPR; however, you must be able to document compliance, which is difficult to do with an oral statement. You can pretty easily record an electronic opt-in. But documenting an oral statement is more difficult – that’s why it’s recommended to send confirmation emails after orally capturing personal contact information during a trade show or by a sales rep. We’ll get into that below…
How Acquiring Consent Will Affect the Major Areas of Lead Gen
So, now you understand consent. How will obtaining consent affect the typical ways in which you generate leads for your database?
You’ll want to make sure you take inventory of all forms on your owned website and landing pages. Then audit the language used with each form to ensure it all complies with GDPR consent rules; this means specific opt-ins for each use of personal data. No pre-checked boxes. Also, your strategy should include adding a mandatory country field to each form to help you segment EU contacts. This will be important for a number of reasons beyond consent, such as deleting data after it expires, which likely means after 24 months, though this hasn’t yet been clarified.
With events, it’s going to be very easy for you and sales to get oral consent. The challenge is in proving consent through documentation, which won’t be easy. Your best bet for compliance and showing consent is sending out an opt-in confirmation email to contacts that were generated at events. If the event has a country field, great. But in general, I think it’s going to be best to get in the practice of confirming oral consent across the board, for all new contacts. This can be done as part of the follow-up.
Third-party lead gen
This pertains to any external channel that’s generating leads for your team. If a third party is generating leads on your behalf, you’re still liable for their non-compliance. So, it’s crucial that you start having discussions with all your lead providers; inquire into their GDPR preparedness, ask when they’ll be ready, and then have legal write up an agreement to be signed by the third party, stating that they’re GDPR-compliant. This should be done as soon as possible to ensure you’re prepared, but certainly in advance of the launch of any campaign with them. It will also be imperative to thoroughly review the language, forms, landing pages, etc. – anything they’re using to generate leads for you – and make sure consent language conforms. Lastly, make sure the way they send you the data is compliant; Excel spreadsheets are non-compliant, encrypted lead files are acceptable, and a secure connection is best.
How sales must approach obtaining consent is similar to your new approach to events. You’ll want to talk to your sales reps about (and eventually train them on) how they should acquire personal data and upload it to your database, because that data can easily be taken by marketing and used to engage contacts that didn’t consent to marketing communications. To be compliant, you’ll also need to set up some process by which, after a sales rep records a new contact, a confirmation email is sent to the contact allowing them to opt in to specific uses of their private data.
Channel partners are separate legal entities, which means if you plan to share leads with another company, you must state on the lead form the channel partner’s name and require the contact to consent to you sharing their personal data with that partner for any of the specific uses entailed.
A Final Note
There’s no doubt that GDPR can threaten organizations that aren’t prepared for it. A lack of compliance may result in penalties that could cripple your company. However, smart marketing teams are facing GDPR with a different vigor: Not simply to avoid the fallout of non-compliance with the new regulation, but to prepare their organizations for the inevitable transformation from old batch-and-blast practices to complete permission-based marketing. This is the right move because GDPR isn’t the “end all, be all” of data privacy regulations. The number of countries with data privacy and electronic marketing regulations in place is continuously growing. GDPR is simply one, albeit huge, wave among a rapidly developing set of data privacy regulations. More regulations are sure to follow around the world. It’s wise to see GDPR as an opportunity to develop more precise, efficient demand generation practices, rather than simply creating quick-fix patches that will only apply to this specific EU regulation.