On May 25th of 2018, the General Data Protection Regulation (GDPR) will completely reshape how marketers gather, use, and manage the personal data of their European customers and subscribers. With fines ranging up to €20 million or 4% of worldwide annual revenue (whichever is higher), the E.U. couldn’t be more clear about enforcing GDPR compliance.
If your company does business in Europe — even if that just means sending marketing emails to E.U. residents — you need to be ready when the GDPR takes effect. The goal of the GDPR is to better protect personally identifiable information (PII), which includes any kind of data that can be used to identify, contact, or locate an individual. This means that even the most basic marketing data — names, emails, and physical addresses — are very much protected by the GDPR. You can still gather and use this data, but it must be collected with “freely given, specific, informed and unambiguous consent” (Article 4). Anyone whose data you’ve collected also now has the right to withdraw their consent at any time.
As marketers, complying with the GDPR means rethinking some fundamental assumptions. One great example is content marketing. It’s standard procedure to generate leads by offering free content in exchange for an email address, for instance, which is then automatically subscribed to a newsletter. If that person is in the U.S., no problem. But if they’re in the E.U., your company is now in violation of the GDPR.
Here are 8 essential things to consider as you prepare for the GDPR deadline.
Add (and rethink) your checkboxes. To comply with the new rules, you need clear consent from E.U. residents before their email address is added to your newsletter list. This can be as simple as adding an empty checkbox for users who have an IP address that indicates they are in the E.U. All that box needs to say is “Subscribe to our newsletter.” Under GDPR rules, this box can’t be pre-filled, and filling it in can’t be a requirement to access the content.
That said, you still have plenty of options for getting people to opt in to your newsletter. This can be as simple as putting in a little animated red arrow pointing at the checkbox. You can even include an additional offer for subscribing.
Find opportunities for customer opt-ins. Make sure that when someone becomes a customer, they opt in. Every business has its own methods for onboarding new customers, but there’s almost always a good opportunity to have them opt in during that process. Even if the solution you come up with isn’t exactly elegant, it’s far more efficient to do this during the onboarding process than it is to go back later and ask them to opt in.
Be mindful of new records in your CRM. Another important thing to consider for GDPR compliance is how shared customer data is handled across teams and departments. For instance, when the sales team finds new prospects, they may be in the habit of adding all that data directly into their CRM. In some CRM setups, those customer email addresses will be dropped right into the marketing funnel, where they’re suddenly receiving emails about everything from event registrations to special promotions. If even one of those customers is an E.U. resident, your company is now in violation of the GDPR.
Subscription centers aren’t the answer. One solution that often comes up in GDPR compliance discussions is the implementation of an email subscription center. If people have the ability to directly manage their subscriptions, the thinking goes, they might decide not to opt out of some newsletters or other emails. In reality, however, subscription centers tend to be little more than a waste of time and money.
By the time someone has gotten frustrated enough by your marketing emails to click on the link to your subscription center, they’ve already decided to unsubscribe. Only a tiny percentage of people — less than 2% — will remain subscribed to any emails. If you have a 4% unsubscribe rate, and only 2% of those who planned to unsubscribe were saved by your subscription center, you would need to have an absolutely massive email list in order to even justify the costs.
Send opt-in emails to both existing customers and prospects. The GDPR rules apply retroactively, which means that you now need to have clear, unambiguous consent from everyone on your email list. This means sending opt-in emails to everyone in the E.U. that you’re currently marketing to, customer and prospect alike. If they don’t respond, you then need to remove them from all your newsletters and other lists. I’d suggest doing this at least a few times before the GDPR deadline hits, providing as many opportunities for opt-ins as possible.
Say goodbye to your purchased or scraped email lists. Not that long ago, buying and selling email lists was standard procedure in email-based marketing. While we’ve moved on as an industry, there are still plenty of marketers who lean on purchased or scraped lists from time to time. Under the GDPR, these practices now result in heavy fines. If you’re still using scraped or purchased lists, it’s time to stop.
The specifics of GDPR compliance will obviously depend on your company’s relationship with European customers. Even if you never do business outside of the U.S., it’s worth noting that most of the changes required by the GDPR are fairly reasonable. If you do have customers in the E.U., however, it’s essential that you update your marketing to become GDPR compliant, as European officials are more than happy to issue fines for even small infractions to foreign companies who ignore the law.
Have questions? Give me a shout!
Our guest blogger Peter Borden is the Founder and Principal Consultant at Expandery, a boutique consulting firm specializing in delivering marketing and sales solutions for high-growth companies.