Marketing ops guide to GDPR compliance
This article first appeared on November 9, 2017 on the MarTech Series website.
The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, strengthens data protection for all individuals within the European Union (EU) and also governs the export of personal data outside the EU. It applies to any company, including U.S. companies, that collects or handles personal data of people in the EU. Note that the regulation protects individuals located in the EU rather than EU citizens as such; the rest of this guide uses the common shorthand "EU citizen data". GDPR will affect virtually every business, especially companies in consumer Internet, ecommerce, AdTech, MarTech, SalesTech, HRTech, security, and even the Internet of Things. Authorities can fine companies up to €20 million or 4% of annual global revenue, whichever is greater, depending on the seriousness of the infringement and the damage caused.
GDPR is broad and extensive, and many areas are open to legal interpretation, especially what personal data counts as "directly relevant to your business" (the regulation's data minimisation principle: data must be adequate, relevant and limited to what is necessary for the purpose it is collected for). In this guide to GDPR compliance, we'll focus on the needs of the marketing operations team managing the marketing technology stack within any enterprise that collects and holds EU citizen data in its sales and marketing database, including both B2B and B2C companies.
To become GDPR compliant, here are the top ten things a marketing ops team, in collaboration with its security and privacy counterparts in IT, needs to do:
- Designate a Data Protection Officer (DPO) or an equivalent privacy lead
- Inventory all of the systems where you may have EU citizen data
- Upon request, be able to deliver all of the data you hold on a specific person (GDPR sets a one-month window for responding to such requests)
- Also upon request, be able to remove all of the data you have on a specific person
- Sign Data Processing Agreements (DPA) with your customers, vendors, and partners with whom you share data
- Be able to control the distribution of data so that EU citizen data is not transferred to any third party that does not have a DPA in place with your company
- Implement appropriate technical and organisational security measures (access control, encryption, logging) and privacy-by-design practices
- Have a process in place to detect breaches, notify the supervisory authority (GDPR requires this within 72 hours of becoming aware of a breach, where feasible) and alert impacted contacts when the breach puts them at high risk
- Be able to demonstrate that you’re collecting only the personal information that is directly relevant to your business
- Conduct data privacy training for personnel who will come into contact with EU data
The impact of GDPR on marketing is all-encompassing. Without the proper preparations, virtually every marketing and sales application you use and every sales and marketing service relationship you have is almost guaranteed to be a compliance risk. The single hardest area in which to maintain compliance is controlling the delivery of EU citizen data to third-party Data Processors. To illustrate how tricky this is, each of the following everyday scenarios is a data transfer to a third-party Data Processor:
- A salesperson clicks a button inside your CRM to enrich a lead, which passes name, email, address, and phone number to a third-party data enrichment service
- A marketing analyst extracts prospect data from your marketing automation platform and emails the spreadsheet to your trusted agency partner to do some analysis
- A predictive analytics vendor extracts leads from your CRM automatically to score the leads and assign attribution
Data delivery to a third-party Data Processor is so hard to control because, in the modern marketing technology stack, data can leave your possession by a variety of means, including but not limited to:
- A vendor plug-in for your CRM or marketing automation platform
- A native application that extracts data from your CRM and sends it to the vendor’s servers
- Application-to-application integrations and connectors that synchronize data between connected applications
- A product that uses a third-party service for enrichment or validation
- Embedded JavaScript on your forms that does dynamic look-ups against a third-party database
- Your custom code that calls a third-party API
- A Webhook you configure that calls a third-party API
- Automated scheduled delivery of reports
- Manual extraction of data and sharing via email or file sharing services
- A data warehouse, reporting database, customer data platform, or customer engagement platform that centralizes the collection of customer data across all of your data sources
To be compliant, you need to implement process, control, and monitoring mechanisms so that you can:
- Track which vendors, technologies, services, and agencies are GDPR compliant with a DPA in place, and which are not
- Based on each third party's GDPR compliance status, control the flow of EU data out of your sales and marketing technology stack through fine-grained data permissions and policies
- Identify person data that falls under the scope of GDPR across your data repositories, even when a record lacks an obvious country designation
- Maintain detailed reporting on all data transfer activities to third parties, covering both GDPR-compliant and non-compliant third parties and both manual and programmatic transfers
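The four requirements above (a DPA registry, policy-based control of outbound flows, EU-scope detection when the country field is blank, and an audit trail of every transfer) can be implemented as one policy gate that every outbound path in the stack calls before sending a record. The following is an added example written for this guide; it is not code from the original article or from any vendor's product. The processor names, the contacts, the function names (gdpr_scope, transfer) and the registry layout are assumptions chosen for the illustration, and the calling-code and member-state tables are partial reference data that must be maintained. It also walks the three scenarios listed earlier (CRM enrichment button, spreadsheet to an agency, predictive vendor sync) through the gate.

```python
"""Outbound-transfer policy gate for a marketing data stack (added example).

Names, processors and contacts are constructed for illustration, not taken
from the article or any product.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# EU member states at the time GDPR took effect (ISO 3166-1 alpha-2). Maintain
# this set: membership changes (the UK has since left and has its own UK GDPR).
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}
# International calling code -> member state, used when the country field is blank.
EU_CALLING_CODES = {
    "43": "AT", "32": "BE", "359": "BG", "385": "HR", "357": "CY", "420": "CZ",
    "45": "DK", "372": "EE", "358": "FI", "33": "FR", "49": "DE", "30": "GR",
    "36": "HU", "353": "IE", "39": "IT", "371": "LV", "370": "LT", "352": "LU",
    "356": "MT", "31": "NL", "48": "PL", "351": "PT", "40": "RO", "421": "SK",
    "386": "SI", "34": "ES", "46": "SE",
}
# Constructed processor registry (hypothetical names): DPA status plus the fields
# each processor is permitted to receive (data minimisation).
THIRD_PARTIES = {
    "enrich-co":  {"dpa_signed": True,  "allowed_fields": {"name", "email", "phone", "address"}},
    "agency-x":   {"dpa_signed": False, "allowed_fields": {"email", "company"}},
    "predict-ai": {"dpa_signed": True,  "allowed_fields": {"email", "company", "title"}},
}
AUDIT_LOG: List[dict] = []   # in production this would be an append-only store


@dataclass
class Contact:
    record_id: str                 # the audit log refers to records by ID, never by PII
    email: str
    country: Optional[str] = None  # ISO alpha-2 when the CRM actually has it
    phone: Optional[str] = None


def _calling_code(phone: str) -> Optional[str]:
    """Return the EU calling code of a number written in +CC or 00CC form, else None."""
    p = re.sub(r"[\s().-]", "", phone)
    if p.startswith("00"):
        p = "+" + p[2:]
    if not p.startswith("+"):
        return None                # national format: country cannot be inferred
    digits = p[1:]
    for n in (3, 2, 1):            # longest prefix first so +353 is not read as +35
        if digits[:n] in EU_CALLING_CODES:
            return digits[:n]
    return None


def gdpr_scope(c: Contact):
    """Return (in_scope, signals). Any EU signal puts the record in scope (fail closed),
    so a record labelled US with a +49 phone is held for review rather than released."""
    signals = []
    if c.country and c.country.upper() in EU_MEMBER_STATES:
        signals.append(f"country={c.country.upper()}")
    if c.phone:
        code = _calling_code(c.phone)
        if code:
            signals.append(f"phone=+{code} ({EU_CALLING_CODES[code]})")
    tld = c.email.rsplit(".", 1)[-1].lower() if "@" in c.email else ""
    if tld == "eu" or tld.upper() in EU_MEMBER_STATES:
        signals.append(f"email_tld=.{tld}")   # weak signal, still enough to hold the record
    return bool(signals), signals


def transfer(c: Contact, processor: str, channel: str, fields: Set[str]) -> bool:
    """Policy gate every outbound path (plug-in, webhook, export) should call.
    Returns True if the record may be sent; every decision is appended to AUDIT_LOG."""
    in_scope, signals = gdpr_scope(c)
    party = THIRD_PARTIES.get(processor)
    if party is None:
        decision, why = "block", "processor not in registry"
    elif fields - party["allowed_fields"]:
        decision, why = "block", f"fields not permitted: {sorted(fields - party['allowed_fields'])}"
    elif in_scope and not party["dpa_signed"]:
        decision, why = "block", "EU-scoped record and no DPA on file"
    else:
        decision, why = "allow", "DPA on file" if in_scope else "record not EU-scoped"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "record_id": c.record_id, "processor": processor, "channel": channel,
        "fields": sorted(fields), "eu_scope": in_scope, "signals": signals,
        "decision": decision, "reason": why,
    })
    return decision == "allow"


if __name__ == "__main__":
    # Constructed contacts: one with a country, one with only a phone, one US record.
    anna = Contact("c-1001", "anna@example.de", country="DE")
    liam = Contact("c-1002", "liam@example.com", phone="+353 1 234 5678")
    sam = Contact("c-1003", "sam@example.com", country="US", phone="(415) 555-0100")
    transfer(anna, "enrich-co", "crm-plugin", {"name", "email", "phone", "address"})
    transfer(liam, "agency-x", "manual-export", {"email", "company"})
    transfer(sam, "agency-x", "manual-export", {"email", "company"})
    transfer(anna, "predict-ai", "api-sync", {"email", "company", "phone"})
    for e in AUDIT_LOG:
        print(e["record_id"], e["processor"], e["decision"], "-", e["reason"], e["signals"])
```

Two design choices matter here. The gate fails closed: a single EU signal (country, calling code or country-code TLD) is enough to treat a record as in scope, because releasing a record to a processor without a DPA is the costly error and a false positive only means a human looks at the record. And the audit log stores record IDs and field names, never the personal data itself, so the compliance trail does not become one more copy of the data it is meant to protect. Note that the "manual extraction and email" channel from the list above cannot call such a gate; it has to be closed by policy and by restricting export permissions in the source system instead.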
In closing, it is worth reemphasizing that the impact of GDPR is all-encompassing. Without the proper preparations, virtually every marketing and sales application you use and every sales and marketing service relationship you have is almost guaranteed to be a compliance risk. Don’t procrastinate on taking the appropriate actions to be compliant. It can take six to twelve months of preparation to achieve compliance. If you have not already started your GDPR compliance effort, you’re already behind schedule and should start immediately.
Ready to find out more? Learn about Openprise for GDPR compliance and register to see a live demo now.