In Data We Trust: An Interview on GDPR Compliance for Marketers
With the upcoming May 25, 2018 compliance deadline for the European Union’s General Data Protection Regulation (GDPR), Uberflip’s Director of Revenue Marketing, Tara Robertson, sat down with Michelle Miles, VP of Consulting Services at Perkuto to discuss the impact of GDPR on marketing automation users. Michelle is also a Marketo Certified Solutions Architect, Marketo Champion, and a speaker at Marketing Nation Summit.
Tara Robertson: First off, thanks for participating in this interview and for your team’s publication of The Marketo Client’s Guide to GDPR Compliance. Our own marketing team at Uberflip found it very helpful for understanding GDPR and making this seemingly complex piece of legislation accessible to marketers. What’s more, we’re using your guide as our own GDPR checklist to ensure we’re compliant, so that’s saying something!
Michelle Miles: Thank you! We love helping marketers succeed and GDPR is certainly top of mind for many organizations. We thought producing a compliance guide in plain English and that speaks specifically to the needs of marketing leaders would be helpful; we’ve received a lot of positive feedback on it. And for those who don’t want to navigate GDPR alone, give us a call and let’s chat about your situation.
TR: Having said that, we’d like to dig into GDPR for marketers in a bit more detail, based on what you’ve covered in your guide. So let’s get right to it.
At a very high level, ultimately, it seems that GDPR comes down to securing consumer trust. Your guide cites an alarming statistic that: “57% of Europeans do not trust brands to use their data responsibly and 89% of Americans avoid companies who do not protect their privacy of consumer trust and damage to brand reputation.” How does this translate into GDPR and its stipulations around consumer consent?
MM: The GDPR best practice approach is to track BOTH data consent and email consent, as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged. When using content (such as a white paper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always link your forms to your privacy policy! Overall, the rationale behind GDPR is transparency in data usage—consumers want to know how you will be using their data. Your privacy policy is an ideal location to provide this verbiage.
TR: You mention that GDPR stipulates the addition of a Data Protection Officer (DPO) role, but leaves the decision to companies themselves on hiring a dedicated DPO. What are you seeing in the industry in terms of hiring specifically for GDPR?
MM: It all really depends on the size and budget of the company, but overall, using a shared DPO makes a lot of sense. Having said that, you’ll want to make sure your company has sufficient access to an external DPO who can adequately advise and answer your questions within a reasonable amount of time. And keep in mind, not every company is required to have a DPO, although it is recommended by European supervisory authorities.
TR: The comprehensiveness of GDPR means that companies can either comply, or remove all EU records from their systems. Is it really that clear cut / black and white? Are there any workarounds? Are you aware of any organizations removing records rather than comply?
MM: While there are very few things in life we can consider black and white, I do consider this one an either/or scenario—either comply with the requirements of GDPR, or remove those records from your database. Keep in mind, you’ll also need to ensure you’re not putting cookies on EU visitors using your site. If you are not actively marketing to or doing business with contacts in the EU, it’s just not worth the risk to retain inactive, junk, or other records that are not viable to your organization. Remember, GDPR carries with it a €20 million penalty for non-compliance…do you really want that kind of liability lurking in your database?
The only exception would be if you are a company that retains HIPAA health records, criminal history, or certain types of scientific, historical, or statistical research data and are required to keep data on file for legal purposes, or, if your accounting team needs customer data for tax purposes. Otherwise, I know plenty of companies are doing the math and reevaluating if continuing to do business in Europe makes sense for them.
TR: With respect to privacy, marketers in Canada have had to deal with a similar, yet very different, piece of legislation known as CASL, which prohibited companies from sending commercial electronic messages to an electronic address without consent. How much more (or less) stringent do you think GDPR is?
MM: Great question! We’ve done much work around CASL compliance as we are a Canadian-based company ourselves. When comparing CASL and GDPR, the opt-in processes are very similar as both require an unchecked checkbox and a link to your privacy policy to capture consent, as well as retaining the opt-in date, timestamp, opt-in source, and IP address (if available) to verify the consent.
So if you are already using CASL methodology, you can apply it to your GDPR operations. But that’s where the similarity ends. GDPR is much more extensive and goes beyond permission to email, extending into cookies, data processing, and other elements that are not governed under CASL, not to mention the higher penalties.
TR: Though GDPR is focused mainly on protection, you recommend documenting your team structure, database access levels, and more. What are the additional positive impacts of GDPR in terms of forcing companies to be more explicit and rigorous about how they treat their data?
MM: While GDPR preparations are causing some of us to lose sleep at night, I do believe the underlying principle is valid. 57 percent of Europeans do not trust brands to use their data responsibly—that’s almost two out of three European consumers! GDPR is causing us all (OK, requiring us) to rethink our processes and the reasons behind our data collection. On the front-end, it means going back to marketing basics and emphasizing the value of your offer in your messaging.
On the back-end of your operations, it’s about data security and knowing exactly who has access to your database, and for what purpose, and tightening that up. The other statistic I find staggering is 30 percent of security incidents come from current employees (See: The Global State of Information Security Survey 2018, PwC, CIO, and CSO, October 2017).
While no one likes to think about employee theft or data security, it (unfortunately) happens. Best data practices include limiting internal access to your database to those who truly need it—GDPR makes us think about data access and data flow, internally and externally. If you are retaining data, you are defined as the “Data Controller” and anyone—or company, software, or vendor (think MarTech stack)—who is touching, enhancing, or collecting on your behalf is a “Data Processor.” And guess what—everyone has to be compliant by GDPR’s rules. At the end of the day, all of these efforts should inspire a greater amount of trust in our relationships with EU consumers.
TR: Thanks again Michelle for sharing your expertise and insights on GDPR! We’re certain our audiences will incorporate these important takeaways into their upcoming compliance initiatives.