On Friday, May 25, 2018, a new law governing the collection and protection of personal data went into effect in the European Union. The General Data Protection Regulation (GDPR) created a uniform set of laws regulating the protection of personal data by companies doing business in the EU. It replaced the 1995 EU Data Protection Directive with enhanced requirements on those companies that collect personal data and stiffer penalties for those companies that fail to comply.
The GDPR defines four characteristics of consent for those collecting personal data. Consent must be:
How will this new law affect your business?
In short, if you sell or market products and services to the European Union, this new law applies to you. The GDPR affects your website, your content and the back-end structure of your site used to convert prospects/leads — think CMS and marketing automation software.
Under the GDPR, you will only be allowed to collect data and send emails to people who’ve given you their explicit consent and opted in to receive messages. If someone fills in a form, for instance, you can’t assume consent, and a pre-checked checkbox granting consent is not in compliance. At the same time, if someone has given consent to receive information on a particular topic, it’s illegal to send unrelated marketing email to that person. In essence, prospects must specifically opt in to every form of marketing email you might send.
The forms on your site must tell subscribers about your company and what you intend to do with any data you collect. The GDPR requires you to keep records of everyone who has agreed to allow you to collect and use their data. Some changes you should consider to your site:
If you are using marketing automation, there are some immediate changes you’ll need to make before continuing your marketing and sales strategy in the EU. If you are using a content-marketing strategy to sell in the EU, you’ll need to:
In your notice, you’ll need to have a legal reason to use a contact's data. That reason could be consent (they opted in) with notice (we told them what they were opting into), performance of a contract (e.g. they are our customer and we want to send them a bill), or what the GDPR calls “legitimate interest,” e.g. they're a customer, and we want to send products related to what they currently have.
You’ll also need the ability to track that reason (also known as “lawful basis”) for a given contact.
One type of lawful basis of processing is consent with proper notice. In order for a prospect to grant consent under the GDPR, a few things need to happen:
Before a contact submits a form, they must agree with your privacy notice and must opt-in to email marketing.
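As an added illustration (not code from this post or from any vendor it names), here is a minimal consent ledger in Python that records each opt-in per topic, refuses to store consent that was not an explicit action, and tracks the lawful basis for each contact; the class names, field names and sample values are assumptions.

```python
"""Consent ledger for a marketing contact database (constructed example).

Models two requirements described above: consent must be an explicit opt-in,
specific to each form of marketing email, and the lawful basis for using a
contact's data must be recorded and trackable per contact.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The lawful bases named in the post. "consent" additionally needs an opt-in per topic;
# whether "contract" or "legitimate_interest" actually covers a given mailing is a
# legal determination made outside this code, so it is only recorded here.
LAWFUL_BASES = {"consent", "contract", "legitimate_interest"}


@dataclass
class ConsentRecord:
    """One opt-in event: the topic, the notice agreed to, and how it was given."""
    topic: str                 # e.g. "product_newsletter"; one record per topic
    notice_version: str        # the privacy notice the contact saw when opting in
    source: str                # form identifier, kept for the audit trail
    given_at: datetime         # when the opt-in happened


@dataclass
class Contact:
    email: str
    lawful_basis: str                        # tracked per contact, as the post requires
    consents: list = field(default_factory=list)

    def record_consent(self, topic: str, notice_version: str, source: str,
                       explicitly_checked: bool) -> bool:
        """Store an opt-in only if the contact affirmatively ticked the box."""
        if not explicitly_checked:
            return False  # pre-checked or implied consent is not consent; nothing is stored
        self.consents.append(ConsentRecord(topic, notice_version, source,
                                           datetime.now(timezone.utc)))
        return True

    def may_email(self, topic: str) -> bool:
        """Consent-based contacts need an opt-in for this exact topic."""
        if self.lawful_basis not in LAWFUL_BASES:
            return False  # no recorded lawful basis: do not send
        if self.lawful_basis == "consent":
            return any(c.topic == topic for c in self.consents)
        return True  # another recorded basis; its scope was decided when it was assigned

    def consented_topics(self) -> list:
        """Report what this contact has actually agreed to, for record-keeping."""
        return sorted({c.topic for c in self.consents})
```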
The way we see this issue, it only affects companies in or doing business in the EU. But that will most likely change in the coming months/years as both the industry and the law deal with the fallout from the misuse of personal data on a grand scale. You may have noticed Mark Zuckerberg speaking to the European Union Parliament this week about steps Facebook is taking to protect user data.
That trend, in our view, is only going to continue. Just as website compliance with the Americans With Disabilities Act is a growing issue for most companies, so too is GDPR likely to be high on your radar in time. Now might be a good time to talk to your legal counsel, just to get a feel for what the future might hold. As always, we’re happy to talk to you about what you might need to do and how to get it done, should you choose to push toward compliance with this new law.
HubSpot user? See what HubSpot has to say about GDPR.