On May 25, one week from the day of this publication, the EU General Data Protection Regulation (GDPR) takes effect.
To date, Laura Petrolino has provided us with a “Communicator’s GDPR Checklist and Resource Guide,” and everything we need to know about GDPR compliance, but knowing and doing are very different.
Since these articles were published, we have been asked countless questions about GDPR: questions about compliance issues, relevance (does it apply to you and your business? Most likely!), and where you can go for help implementing compliance measures.
So, as the GDPR deadline looms, the Big Question this week just made sense:
Are you GDPR Ready? If so, what did you have to do?
If not, what questions do you still have?
Are You GDPR Ready? It’s a Process
Like any big change, there’s going to be a learning curve, and according to Bryan Gaynor there will be some rippling effects across the online advertising space during the process.
GDPR is going to be a process and a learning curve for everyone.
EU based cookie pools may shrink, but these audiences will likely improve in quality because the user is engaged and wants to see ads relevant to them.
Ad costs will likely go up, particularly in Display and Social, where the shrinking cookie pools will create higher demands for more engaged users and drive auction prices up. Rethink your strategic approach to these channels and how to utilize them in the best manner.
*Tip #1: Be extremely transparent about how you collect cookie data and provide an option for users to opt out*
*Tip #2: Place an empty opt-in checkbox at the end of your forms*
While it is not 100 percent clear if this is required, placing an empty opt-in checkbox at the end of forms, etc., to allow users to choose to receive future marketing from the company, may be a good option. It may also help improve the quality of the lead scoring as they are expressing a true interest in your company beyond the existing offer.
At the very least, provide a notice at the end of every form which states that they agree with your privacy policy.
Note: Bryan’s response is credited to a GDPR post he wrote earlier this year.
GDPR: Common Sense?
The vulnerability of the information we share online is a very big deal, and the GDPR is being called one of—if not the—most important changes in data privacy history.
As a result, it’s no surprise that GDPR compliance can be considered a herculean endeavor.
That said, depending on your business, and the how, why, and where behind your data collection, some measures are just a matter of common sense.
From Maksym Podsolonko, who provided a quick list of what he has done to be GDPR ready:
We clarified our privacy policy, split the email subscriptions, added data transfer and deletion options to the client profile page, embedded new breach alarms, and added security tools to the product.
Similarly, Leeyen Rogers acknowledges that because 20 percent of her company’s user base lives in the EU, they put a priority on their GDPR compliance.
We are GDPR ready.
We let all of our European users, and non-European users that get form submissions from European users, know about GDPR and how that relates to the company.
GDPR Confusion
One of the biggest questions asked about GDPR compliance is, as noted, whether it applies to the organization in question.
In most cases, GDPR compliance is a better-safe-than-sorry action item.
What about those organizations that don’t get it?
From Beth Rimmels:
Since our company places a high value on privacy and efficiency, complying with GDPR was fairly easy.
We don’t have a habit of asking for extraneous data, and we explain why we ask for a given piece of material.
Convincing some of our clients to become GDPR compliant has been the challenge.
The large corporations who hire or interact with EU citizens quickly understood the need for it.
Medium-sized businesses are too prone to thinking “It’s a European thing. I don’t have to worry about it,” despite selling online to EU customers or EU newsletter subscribers.
Tip: Whether you think GDPR is relevant to your business or not, do an audit of all the information you collect from clients and prospects. Document which departments have access to what material, and how you use it. That tends to demonstrate the benefits of GDPR compliance and provides valuable insight for a variety of circumstances.
Tip #2: Moving forward, whether your business needs to be GDPR compliant or not, stop asking for unnecessary personal data. It will improve trust with your audience and simplify your data processing.
Are You GDPR Ready? Share the Love
Jon Kerry-Tyerman calls GDPR a seismic shift:
Startup teams can consider whether to invest in compliance from the beginning, when systems are managing a smaller volume of data.
This will ensure that compliant systems and processes scale as the company grows.
The alternative is that the team will later need to make changes to their system, when data volumes and systems are larger, and/or risk running afoul of fines and penalties.
His colleague, Lisa Hawke, is the Vice President of Security and Compliance.
She created a free GDPR resource (and spoke about their measures at length during one of her company’s podcasts) in hope that her efforts can aid other GDPR readiness activities.
GDPR Best Practices
From KJ Dearie:
Not only does my company work with businesses and marketers to help them achieve GDPR compliance, but we have taken our own steps to better adhere to the guidelines of the GDPR.
Although our organization doesn’t target EU users at this time, we’ve found that implementing the following strategies in line with the GDPR is ultimately the best practice for building customer trust and engagement:
- We’re implementing opt-in checkboxes at user signup. One of the biggest components of the GDPR is legally obtaining user consent to collect and process their data in accordance with Article 7.
For consent to be valid, it must be given freely through an affirmative action. We’re making this easy for our users by adding a checkbox on our signup page. It asks our customers to opt in to any desired marketing communications, and to consent to our privacy policy.
- We’re making changes to our privacy policy to optimize transparency.
The GDPR seeks to promote a healthier relationship between businesses and users when it comes to user data. One of the keys to adjusting this relationship accordingly is to increase transparency and clarity.
We’re following this initiative by updating our privacy policy with a Table of Contents, FAQ-style headers, and short tl;dr sections to be more readable, understandable, and transparent about how exactly we may interact with and treat our users’ information.
- We’re instituting a new Universal Privacy Policy.
Not only did we recognize the need to update our privacy policy to better suit the requirements of the GDPR, but we wanted to offer this same adjustment to our users.
As our website offers a privacy policy generator, we reworked the entire builder and final policy to reflect the changes brought about by the GDPR.
We even added an entire section geared toward the GDPR specifically, as we found the regulation to be so prevalent in the data protection and privacy plans pursued by businesses and marketers within the US.
- We’re making it easier for users to delete their accounts. The GDPR aims to give users control over their own data.
As such, the regulation dictates that business owners and marketers make it easy for users to view, edit, and delete their own information.
To fit this new standard, we’re implementing data management tools on our site that make it easy for users to request to delete their account and, with it, scrape any personal data of theirs, which we store.
I hope these tips help some of your readers adjust their own strategies for the GDPR, and I’m curious to see what other businesses and marketers say they’ve done to bolster compliance.
GDPR: More Questions
Tytti Rekosuo’s organization has made great strides in GDPR compliance, but like many others, she has more questions as the deadline looms.
We’re an IT software company specialized in Environmental, Health and Safety software.
The upcoming GDPR has impacted our Marketing and Communications team. As a result, we have had to change some of the processes to comply with the new legislation.
We do a lot of email marketing, which means that we hold a record of our contacts. As the new GDPR states, individuals must have given consent for companies to hold their personal data (i.e. name, email address, job title, etc.).
So, you must also be able to demonstrate that you have the required processes in place. You must also be able to prove that the people have given you the consent to hold their information.
Therefore, we’ve sent emails to all our contacts to let them know what personal data we hold of them and whether they would like to still stay subscribed to our emails.
The new legislation requires people to have the option to unsubscribe and demand the removal of their data if they so desire.
There are also different legal grounds for consent. It’s important to make sure that your processes reflect that.
For example, you should know whether it’s legitimate interests or consent that has given you the right to process the personal information. So, do not hold spreadsheets with personal data on them.
Keep the details in a system (like CRM). Make sure that you have categorized the data. You need to know where you’ve gotten the information. Then you need to inform your contacts that you hold their data and what their information will be used for.
One of the questions I am still looking for more information on? The processing of personal data relating to press contacts that freely publish their contact information online.
It would be great to hear some advice on this.
GDPR: Enforcement?
So, are you GDPR ready? It seems like most respondents are well on their way, if not compliant already. However, another big question remains.
First, a reminder: The GDPR is, currently, a European regulation governing the protection of its citizens’ data and information.
So who will enforce GDPR compliance in the rest of the world?
Let’s leave the last word to Ruth Carter, who is an internet attorney. She shares what she did to become GDPR ready, and asks an important question:
I started by reading the law cover-to-cover and I wrote my own summary of the pertinent issues.
I added double opt-in consent for my email list. And I added the information to the confirmatory email that we are required by GDPR to give to individuals when getting their consent to put them on our list.
My question that remains at this time is, how will the enforcement of this law look in reality? One of the challenges of complying with a new law is we don’t have real-life case studies to draw from.
The Question of ROI
Gary Vaynerchuk once asked, “What’s the ROI of your Mother?”
He threw it out in response to a persistent question many were asking: What’s the ROI of social media?
It’s important to know what the return on your investment is. There needs to be an end game. Results from our tactics.
All that said, ROI isn’t always an easy thing to calculate. As Gary’s question illustrates, the ROI of an event, a meeting, or a lifestyle choice isn’t always a line item on a ledger.
What’s the ROI of the “The Big Q”? It’s a great format. It garners traffic and creates conversation. It’s something we’re known for. It results in new Slack Community members.
Ultimately, it’s a value-add, engaging piece of fun content. Like social media (and our Mothers), it’s a long play.
Still, be that as it may, ROI is a weird thing.
What’s the ROI of this meeting? How do we figure out the ROI of Slack? What’s the ROI of a team retreat (just as an example, Gini)? These are good questions.
They’re big questions, in fact!
So, the next Big Question asks:
What does ROI mean to you? How do you define, establish, and measure it?
You can answer here, in our free Spin Sucks Community, or on the socials (use #SpinSucksQuestion so we can find you).