As soon as you turn your computer on, assuming you are connected to the internet by either ethernet or wifi, data is siphoned by high-tech hamsters and stored in immense databanks. Before the request for a website is even completed, your browser has already disclosed information about your system: the connection reveals your IP address, the HTTP request headers state what browser you are using, and so on. At first, it might not seem entirely scary, since what effect can the size of your window have on your internet experience? However, data extraction doesn’t stop there. Websites you access are overseen by tracking pixels, calls & messages are logged, files uploaded to the cloud are scanned, and every other action which has the internet cable attached to it leaves a personal trail - you have been here and companies are very much interested to know why.
Tech giants’ adrenaline rush of mining more & more has pushed the value so high that it is not far-fetched to call data the oil of the digital world. The sheer amount of information at the disposal of interested parties presents the most effective, yet intrusive, ways of staying in touch.
A shining jewel such as customer data is prone to allure many an expert’s mind, right? Since the leverage power is so high, it has become the target of dexterous eyes looking to steal or misapply it. The dispute has long become hot between consumers not fully convinced that their data is used ethically at all times and businesses hiding in the shadows without putting forward a suitable transparency layer.
Numerous findings have pointed out that businesses have yet to implement the necessary infrastructure to properly handle the deletion of customer data. Thus, it’s abundantly clear that companies have focused their efforts on collection without paying much attention to consumers’ discontent.
The irony lies in that data-driven people, experts at extracting meaning out of numbers, struggle with the proper personal data management required by GDPR. However, the entire fault does not lie with them, since some areas of GDPR leave much to interpretation and there are many situations where there is no clear method of how it should be approached.
The Privacy and Electronic Communications Directive, otherwise known as the ePrivacy Directive (ePD), has done its part in acting as the watchful seer, but due to technological progress it has become obsolete and unable to account for the rise of data giants. Consequently, the European Union decided to reinforce the directive and introduced the GDPR in 2018, which is aimed at addressing issues of personal data privacy and security.
GDPR in layman's terms
By the book, the General Data Protection Regulation (GDPR) is the latest installment in digital privacy regulation. It sets a standard covering the entirety of the EU (European Union, not the European continent) aimed at protecting the data of online users in the member states.
Compulsory updated privacy settings for products and services have been in order. Businesses are asked to carry out actions in regards to assessing privacy impacts, bolstering their documentation on data, and substantiating information related to data breaches.
Even if you disagree, keep in mind that since the document is a regulation, it is legally binding. Opting out is not a valid course of action and you are open to liabilities that in turn could lead to fines up to 20 million or 4% of your company’s global turnover! However, there is some breathing space for business people when running into GDPR issues so it’s not as if you will be emptying your bank account at all times should complaints be lodged.
More on why GDPR?
Leaving aside the aging ePD, GDPR ensures that the interests of the individuals are ahead of corporate greed. Thus they are empowered with awareness of how exactly their digital strands are used, instead of oblivious exploitation.
All types of companies are held accountable for their implementations of personal data procedures. The lack of transparency has transcended improper levels, and GDPR has been shaped to shift power back where it belongs.
Previous regulations stem from a 1980s document; even with some updates over its timeline, it failed to cover the immense sphere of social media, smartphones, AI, and other digital and online delicacies. Moreover, it had no legal implications: companies could choose to opt out without any repercussions.
25th May, 2018 - the cornerstone of cookie policy update banners on every web-page you visit.
Data Permission, Access, Focus
GDPR makes no extensive effort to distinguish between B2B and B2C; however, there is one sandbox where B2B marketers are allowed to play: ‘not all data are person identifiable and legitimate business interest’. Below you will find the three streams marketers need to pay attention to:
Data Permission
It is forbidden to infer that someone who registered on your site is willing to be a recipient of mail adverts, therefore a proper procedure of acquiring free and unambiguous consent must be implemented. The line that explicitly states and informs users of what they are subscribing to cannot be part of any other terms. In this sense, data permission restricts out-of-scope interpretation.
Can you be fined for cold emailing?
In terms of best practice, ideally you want to rely on opt-ins to build your database. However, if you are acting under legitimate business interest and contacting corporate emails, you won’t be fined.
What if somebody introduces another person’s email?
Apart from the fact that the user won’t be able to access your promotional materials, this situation is a good opportunity to describe double opt-ins. When an email is entered into the form, the user will receive a confirmation message where he/she has to validate his/her actions. Keep in mind that double opt-in is not mandatory, and if the records show the email was entered into the system, you cannot be held liable.
Data Access
Data access is a two-fold communication layer facilitating access to all the stored data on the user enabling him/her to view it in a portable format, have it modified, or completely erased. Thus, customers and business representatives alike have more control over their digital trail, since they can check, and if discontent with the company’s practices - demand removal.
As a marketer and a data controller, it falls under your jurisdiction to provide a channel where users can inquire more about their data. If you have yet to introduce an unsubscribe link in your emails then do so right away. That is just the first step, the next one would be appointing a Data Officer to take care of GDPR requests and oversee proper practice.
Data Focus
Oftentimes businesses engage in collecting data outside their scope of activity either for “just in case“ situations or for selling it to other companies. While it is indeed important for crafting personalized ads, extracting a visitor’s car engine power is not contributing any value to their newsletter subscription. However, if you are able to justify the need for such parameters in what you stockpile, GDPR will forgive you.
Otherwise, steer clear of needless data that can bring accountability in time. GDPR fines can come raining down on you before an internal investigation has been announced.
When you go above the rules
Your business is at the mercy of data watchdogs and furious users that can escalate matters to class action suits. Although GDPR has been in force for a little more than 2 years, companies are still getting fined for their poor data handling. Some suffer more than others depending on the impact.
Not all the fines are made public, but an up-to-date compiled list of fines can be easily accessed online. If you want to get a glimpse of the magnitude they can reach, have a look at the cases below.
British Airways - 204.6M euros
The Information Commissioner’s Office (ICO), the UK’s independent authority, intended to fine British Airways & Marriott International, citing Art. 32 GDPR: insufficient measures in place to uphold the security of processed data. British Airways’ site redirected customers to a fraudulent website that collected all sorts of login information, payment options, and booking details. In total, almost 500,000 customers were victims of this incident, believed to have begun in June 2018.
Marriott International - 110.4M euros
In Marriott International’s case, approximately 339 million guest records were compromised. The vulnerability was traced back to improper due diligence in Marriott’s acquisition of the Starwood hotels group, whose systems were lacking in security. As such, Marriott failed to uphold its legal duty to ensure the security of valuable customer data.
Google fined 50M euros
The French Data Protection Authority (CNIL) imposed a fine on the basis of complaints from two organisations, “None Of Your Business” and “La Quadrature du Net”, filed immediately after GDPR became applicable. The cited grounds are lack of transparency (Art. 5), insufficient information (Art. 13/14), lack of legal basis (Art. 6), and ambiguous and non-specific collection of consent (Art. 4).
So the empowered data authorities spare no resource to investigate and bring to light any company wrongdoing. The lesson here is to take GDPR seriously and not treat it as smoke and mirrors. It doesn’t take long for a simple request to transform into a complaint lodged with the authorities.
B2B should pay attention
Customers inside the European Union carry the sharp blade of GDPR on their waist. For marketers, things are mostly the same with some tricks added into the mix.
Email Marketing
Lead generation keeps the B2B engine running, and running low on fuel often precipitates the end of business ventures. There are multiple ways to convert prospects, and one reliable method is to obtain their details followed by an opt-in. Remember, users signing up for a demo does not imply that they agree to receive additional news from you.
It is forbidden to acquire B2C user lists and send them unsolicited emails. However, B2B benefits from “legitimate business interest” which enables people to cold-mail in an attempt to offer services. At most, it can be a one-time or two-time thing, after that you are going to be flagged as spam by recipients if they show no interest.
The proper and legal method is to always push for an opt-in, instead of emailing users till they decide to opt out.
Marketing Automation
Any reputable business employs different marketing automation software due to the difficulty of managing big user databases. Since these types of tools process data, you must set them up to comply with GDPR.
Many businesses are fined on the grounds of emailing users who have already unsubscribed. Or, they have made the opt-out process too complicated in an attempt to dissuade users from actually going through with it. Any feedback on why the customer chose to unsubscribe is optional and in no way obligatory; otherwise, you are in direct contempt.
For mass mailing, you must take caution that every inbox in your CRM database has given permission to be marketed to. If a user opts out then immediately update the CRM and cease any further marketing proposals - no retargeting, no “let’s get in touch”, no “have you forgotten about us”. Scheduling in advance is not a valid excuse to be exempt from this rule.
Going forward with GDPR in mind
GDPR is not going away any time soon, so if you haven’t fully adjusted your systems to comply with the regulation, now isn’t the time to hesitate. It might occur to you that GDPR has shaken a nest of wasps and ruined how businesses were going about their way. In spite of what might look like oppressive fines and intimidating data authorities, this fresh take on data privacy is proving to be quite the opportunity. Leveraging the power of consumers and becoming akin to a lighthouse for troubled ships is a good interpretation when welcoming GDPR.
For the people, by the people
Succeeding under GDPR is no easy task as marketers are compelled to do more since the value of customers’ attention has reached new levels. Yet that shouldn’t dissuade you from planning your marketing strategies. It just means that the bounty is much more fruitful. Users are turning away from non-compliant businesses, therefore obedience pays off in the long run.
People -> Data -> Transparency
Has GDPR been successful in forcing a transparency layer? Yes, it devised an easy way for customers to get a hold of where their digital footprint has been in their absence. A simple request form imposes direct compliance from companies. Yet is this complexity helpful? Transparent businesses will always enjoy the loyalty of their customers as long as they never go back on their words. People understand that customized experiences come at the sacrifice of sharing data, but having a say is important. You will earn more loyalty as users rejoice in your transparent ways, or be scorned for aggressive data siphoning.
Word of advice from Global Database for marketing under GDPR
Curate your email database. The user’s demand to be unsubscribed from your services is to be respected and immediately acted upon. You are saving yourself the hassle of being banned from automated mail services such as MailChimp and having your inbox made unusable.
Appoint data officers and put them to work. Scrutinize the current infrastructure of collecting personal data and amend any inconsistencies as soon as you find them. Implement an easy channel for users to request, view, and exercise their right to be forgotten regarding personal data. You might have to purge a lot of contacts, however, it will only benefit you in the long run, allowing you to drive more focus towards accurate KPIs and engaged users.
Greenlight for content marketing strategy. People are always on the lookout for valuable experience, tools that might help them to power start a business of their own or extract more efficiency. You get to share successful wisdom pieces thus compelling audience interest to look in your direction. Prospects can then be nurtured through the proper channels at their own pace where they feel safe and their concerns are addressed.
Pop-ups on your website
If your website doesn’t have a cookie policy pop-up on load then you are doing it wrong. Additionally, you can segment what users are interested in by providing different checkboxes for company news, blog posts, product and service promotions & discounts. Also, a link to your privacy policy is well desired to provide immediate information on how shared data is used.
Improvise on sales techniques
Apart from devising content marketing strategies, account-based marketing might be up your alley. By connecting yourself to Global Database’s stream of data, ABM can become a feasible option for your business while also enforcing further degrees of personalisation.
CRM
Having customer data spread over numerous silos will only negatively affect your ability to properly comply with GDPR. Consider ditching excel spreadsheets in favour of a CRM system. It enables you to quickly import, export, and delete any user data thus providing a quick compliance cycle and customer satisfaction. Moreover, you can easily integrate Global Database with CRMs of your choice and have data flowing in.
Chatbots
While all other means are recorded and stored, chatbots allow you to quickly address a visitor without reminding yourself of GDPR. You’re not processing any data here, so try your best to respond to all the inquiries a customer might have.
Neat privacy statement
Businesses should always strive to make their privacy statement as concise as when they ask about your credit card details to purchase their services. Purposefully using hard-to-navigate wording or hiding important third-party affiliations in the depths of the dictionary is a short-term gain and a low-reward, high-risk move. Be transparent in your actions if you want customers to share data with you.
The 2020 GDPR Update
On 12 November 2020, the European Commission published two sets of documents:
- The draft of the new standard contractual clauses for transfers of personal data from the European Union to third countries (the “SCCs”)
- The draft of standard contractual clauses that can be used by controllers engaging processors located in the European Union (“Article 28 Clauses”)
Key takeaways pertaining to the draft implementing decision and the SCCs are briefly described as follows.
The new SCCs take into account the complexity of modern processing chains and look to reiterate and reinforce the previous legal requirements introduced by GDPR. New modular provisions have been appended and should be selected based on the involved parties’ status: (1) controller-to-controller, (2) controller-to-processor, (3) processor-to-processor, (4) processor-to-controller, chiefly where an EU processor combines personal data received from third-country controllers with personal data collected in the EU.
In particular, the new SCCs underline the duty of data exporters and importers to conduct an in-depth assessment to conclude whether the third-country data importer is up to the standards of the European Commission and can offer and guarantee the level of data protection stipulated in the GDPR and the new SCCs. Also, controllers or processors may choose to embed the SCCs into a broader contract or come up with additional conditions or safeguards, provided they don’t go against the fundamental rights and freedoms. Moreover, data subjects must be provided with a copy of the SCCs if requested and informed of any change in regard to the purpose and identity of any third party involved in the data chain.
Alongside the new SCCs, the draft standard contractual clauses between controllers and processors located in the European Union encompass provisions that a controller can impose on the processor to satisfy contractual requirements that the controller is obliged to uphold based on Article 28 GDPR.
The Article 28 Clauses will not be compulsory; therefore, businesses can continue to use custom agreements to satisfy the requirements of Article 28 GDPR.
Global Database Can Help You Stay GDPR Compliant
Conducting business activities can become exhausting under all the regulations set in place, and wiring a transfer out of your budget to pay off issues that have escalated due to insufficient attention doesn’t lighten the mood. The sooner you decide to deal with existing issues, the better your long-term output.
A leading B2B database, such as Global Database, can help you develop your business reach while paying your respects to GDPR. Data accessible with our company intelligence platform is collected from official sources and goes through a scrutinizing check ensuring high deliverability.
Having access to company profiles, business credit reports, key decision-makers’ corporate intel, financial history, and implemented technology can elevate your content marketing strategy as well as bolster efforts for your account-based marketing to take off. Moreover, due to the ease of CRM integration, no matter the size of your business you can fully route Global Database’s extensive datasets into your preferred CRM.
To sum up...
GDPR might feel like an imposing barrier to your previous marketing strategies, and the shift could have brought more expenses for you. Whatever your view on such necessities, you will have to adapt. While security and privacy don’t always go hand in hand, customers will offer their loyalty to those who can find a suitable balance.