The General Data Protection Regulation (GDPR) is European Union legislation that began to be enforced on May 25, 2018. Its aim is to strengthen the rights of data subjects within the European Union (EU) and European Economic Area (EEA) with regard to how their personal data is used and how it’s protected. (‘Personal data’ means any information that relates to an identified or identifiable natural person). This article will focus on GDPR consent.

Six Key GDPR Principles

To that end, the GDPR is structured around six key principles (detailed in Article 5 of the legislation):

1. Transparency on how data will be used and what it will be used for.
2. Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
3. Limiting the data collection to what is necessary to serve the purpose for which it is collected.
4. Ensuring the data is accurate.
5. Storing the data for only as long as necessary within its intended purpose.
6. Prevention against unauthorized use or accidental loss of the data through the deployment of appropriate security measures.

One key aspect of the GDPR where Marketing needs to review past, current, and future practices is consent. Later in this article we’ll give you a checklist of seven key areas to address regarding GDPR consent.

What is GDPR Consent?

The definition of GDPR consent is: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

This dual need for an ‘affirmative action’ that captures GDPR consent, which also must be ‘specific’ in how the personal data will be used before any processing of the data, represents a significant change for most marketers in how they record and respect customer preferences.

Also, customer preferences change over time and rarely exist in perpetuity. GDPR consent guidelines have something to say about this too—namely that organizations, specifically marketing, must make it easy for data subjects to make any changes in preference or withdraw consent altogether.

Consequently, all marketers need to audit, identify, and review the current points at which they are collecting personal data for processing.

Here is a Checklist of Seven Key Areas to Address Regarding GDPR Consent:

1. Leave nothing to chance. Spell out exactly what you are doing with customer data in your privacy policy.
2. Consent must be clear and easily understood. We suggest you put a link to your privacy policy at any point where a customer is completing a form, or interacting with your website. If you are tracking customer cookies on your website, this could involve putting a banner on your website declaring you are tracking cookies and asking for customer consent to do so.
3. You must make consent easy for customers to change, or withdraw it altogether by making subscription preferences easy to find and global unsubscribe a one-click preference.
4. Consent must be freely given, no deception or coercion.
5. Consent is a one-time non-editable event.
1. You cannot change consent without asking.
2. You cannot change refusal of consent.
3. And, you can ask for new consent or different consent.
6. Consent must be a positive action.
1. Consent must be affirmative and specific in how the personal data will be used.
2. Also, consent must be a click or checkbox …. “Yes, I agree” or an actual signature.
3. Absence of action is not consent.
4. Furthermore, we highly recommend double opt-in for subscriptions.
7. You are allowed to send non-consensual communications when they are specific to:
1. A transaction that requires confirmation or notice such as eCommerce order notifications.
2. A communication that is required as means to complete a contractual obligation on part of the user or organization.
3. A communication that is required by a specific membership or operational model where said model is clearly stated in a terms of service (e.g. operational emails to a franchise owner).

Follow the Guidance to Comply with GDPR Consent Requirements

In conclusion, following the guidance above will ensure you are complying with GDPR consent requirements. Furthermore, it will also create good will with your customers. Privacy concerns are headlines in the news every day. You can ensure your customers they can trust you by following the consent procedures we’ve discussed. Happy consenting!

Which countries are included in GDPR compliance? Learn more here.

Did you know our GDPR experts can help you with GDPR Consent? Contact us today.

The post A Checklist of Seven Key Areas for Marketers to Remember Regarding GDPR Consent Guidelines appeared first on Beasley Direct and Online Marketing.

GDPR is a new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data. It came into force May 25, 2018.

Many of our US clients are shocked that they need to worry about GDPR compliance. The impact is especially felt by the marketing department who uses marketing automation or sales automation software to manage prospect or client data. The territorial scope of the GDPR applies to companies operating in the EU and also to non-EU businesses who:

• a) market their products to residents of the EU, or who
• b) monitor the behavior of residents of the EU.

In other words, even if you’re based outside of the EU, but you control or process the data of EU residents, the GDPR will apply to you.

Many marketers also don’t know what countries are part of the countries and territories covered by GDPR compliance. Read on for a list.

What European Countries are Part of GDPR?

GDPR covers all of the European Union Member States, which includes: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

The United Kingdom is still part of the EU and thus governed by GDPR. This includes: Channel Isles, England, Northern Ireland, Scotland, and Wales.

GDPR also includes European Economic Area Countries, such as Iceland, Lichtenstein, and Norway.

What Non-European Countries are Part of GDPR?

There are dependent territories/countries that are technically in the EU though not in Europe that are governed by GDPR, these include: Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Reunion, and Saint Martin.

The European Union is a Fluid Entity

You need to keep up on the news and be aware of countries exiting and entering the EU and who are governed by GDPR.  For instance, the United Kingdom has plans to leave (Brexit).  Italy and Greece are making noises about leaving.  Potential Member States trying to enter are Albania, Bosnia & Herzegovina, Kosovo, Macedonia, Montenegro, Serbia, and Turkey.

What Does the GDPR have to do with US Marketers?

Chances are, even if you’re a US company, you have European Union residents in your database.  I discussed this with a small regional bank client recently. The marketing manager thinks of her company as being local.  But after thinking about it more, she suddenly realized they have foreign investors applying for mortgages, opening bank accounts, etc.  This put her in a panic, knowing she needs to get her data collection, website and company policies aligned with GDPR compliance.

Many US companies have been collecting email addresses for years through lead generation programs and eNewsletter subscriptions, without collecting the country of residence for the subscribers. If this is your situation, you need to get compliant or stop emailing your list.

If you need help with updating your marketing automation platform for GDPR compliance, we can help. We help clients manage their campaigns on several marketing automation platforms, such as Marketo, Salesforce Marketing Cloud (Pardot and ExactTarget), Hubspot, and IBM Marketing Cloud (Silverpop).  Contact us!

The post Do You Know Which Countries are Included in GDPR Compliance? appeared first on Beasley Direct and Online Marketing.

GDPR is a new, comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. It will begin to be enforced May 25, 2018.

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider. It will also apply to non-EU businesses who:

a) market their products to people in the EU, or who
b) monitor the behavior of people in the EU.

In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

What is the GDPR?

The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU or not. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

The GDPR provides more privacy rights to EU individuals and places significant obligations on organizations regarding data collection. Some of the key principles are:

1. Transparency on how data will be used and what it will be used for.
2. Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
3. Limiting the data collection to what is necessary to serve the purpose for which it is collected.
4. Ensuring the data is accurate.
5. Storing the data for only as long as necessary within its intended purpose.
6. Prevention against unauthorized use or accidental loss of the data through deployment of appropriate security measures.

What is the Penalty?

Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.

How Specifically Do You Comply?

GDPR compliance will involve several steps of updating your marketing operations at all touchpoints with customers.  You will need to update your privacy policy, add data collection fields to your forms, update your subscription center, and ensure data is secure, etc.  Hubspot provides a helpful checklist (get documentation here).

We’ve compiled links to several marketing automation platforms’ documentation for GDPR compliance. We have found that most of the platforms provide specific shortcuts to implement changes to form fields and data maintenance.

We found this guide from Marketo especially helpful, even if you’re not a Marketo user. It provides specific examples of fields to add to your forms (get documentation here).

Anybody using the Salesforce Marketing Cloud has multiple touchpoints and products within the cloud to update. They provide comprehensive documentation (get documentation here).

Here’s a guide provided by Oracle Marketing Cloud (get documentation here).

Here’s a guide provided by IBM Watson (get documentation here).

If You Need Help Updating Your Marketing Automation Platform for GDPR Compliance, Contact Us

If you need help with updating your marketing automation platform for GDPR compliance, we can help. We help clients manage their campaigns on several email platforms. Contact us for a free consultation!

The post GDPR Compliance is Coming to Marketers in the US: Are You Ready? appeared first on Beasley Direct and Online Marketing.