In May 2018 the new EU data privacy act called the General Data Privacy Regulation (GDPR) is coming into force. The purpose of the legislation is to have an impact on how organisations obtain, store, manage or process personal data of EU citizens. In this post, we will provide some fundamental information and links to sources talking about the GDPR and its consequences that we have found useful, and hopefully you will too. (Note that this post is not to be considered legal advice.)
First of all, the new law refers to all EU citizens. That means that it applies regardless if you’re operating in a B2C or B2B environment. The new regulation will replace the 1995 data protection directive—which came into force in a world that was just starting to become ‘onlinified’—and has been interpreted differently by different countries. GDPR wants to take into account what has happened since; that we are living in an environment where you leave digital footprints whenever you access a destination online from any device. And the fact that this data is then being used to track behaviours and—in the best of worlds—improve services.
What is all the fuzz about?
There are two main points that have caused eyebrows to be raised.
First of all, the new regulations apply regardless of where your business is based. So if you are situated outside of the EU, but you collect data of EU citizens, GDPR will still apply.
Secondly, the maximum penalty for being in violation of GDPR regulations are stipulated to be up to €20 million or 4% of the company’s global annual revenue (whichever is greater).
Why should I care, and where do I start?
Essentially, GDPR is likely to hasten the demise of tactics like buying email lists, cold emailing and spam. And the principles of inbound—to provide guiding content to opted-in contacts that want and value the information—is likely to get a boost.
Recently, HubSpot wrote an excellent blog article highlighting the GDPR principles you should consider at the various stages of the inbound marketing methodology which contained the following graphic:
As you can see, eight distinct principles apply throughout the inbound journey. HubSpot’s blog post describes these in more detail (with examples), but the key points are:
- Communicate clearly how and for what you will be using the data that you collect.
- Make sure the individual give their active consent. Active means that ‘opt-out’ consent (i.e. pre-filled checkbox that the user provides their consent) will no longer be permitted under the GDPR.
- Inform about the right of the individual to withdraw consent.
2. Data minimisation
- Only collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of the collection.
3. Purpose & usage limitation
- Only use data in ways that are compatible with the intended purpose for which it was collected.
- Make sure you have active consent from individuals when transferring or sharing data with another company.
- Store personal data using ‘appropriate technical and organisational security measures’.
- Have procedures in place to correct data when an individual claim that information is no longer accurate.
- Keep records to prove compliance with GDPR (for instance, records of individuals’ consent).
- Have policies in place governing the collection and use of data (also see ‘Retention’).
- Implement a ‘Privacy by Design/Default’ policy, to systematically consider the potential impact that a project or initiative might have on the privacy of individuals.
- Ensure that contracts with third-party vendors cover data collection privacy provisions.
- Appoint a data protection officer (DPO).
- Store personal data only for as long as is necessary to fulfil the intended purpose of collecting it, or is otherwise required by law (e.g. need to retain financial data for auditing purposes).
- Define and communicate your data retention policy, e.g. how long you will retain individuals’ data for, and the business justification for holding on to it for that specified period.
- If an individual requests that their data be deleted, delete it and confirm the deletion.
Is HubSpot making any changes?
The short answer is yes, but we don’t yet know exactly which changes and what they will entail. Our best guess is that improvements will be around GDPR consent in forms, localised double opt-in, support for efficiently deleting data and communicating deletion.
Want to know more?
If you want to know more, here are further GDPR resources in addition to above mentioned blog post by HubSpot that are worth taking a look at:
- HubSpot’s GDPR information
- HubSpot’s GDPR checklist
- Translated version of blog post about GDPR written by Belgian HubSpot agency Dallas
There are also some resources in Swedish:
GDPR is easily mistaken for a technical challenge that requires only a technical answer (e.g. ‘we need to use double opt-in’), but we hope above gives a broader understanding of GDPR and the process and policy implications.
If you want to know more about how Zooma deals with GDPR, then feel free to get in touch with us.