GDPR (or the General Data Protection Regulation, to use its full title) is everywhere you look at the moment. And understandably so. It’s a big change. But is it as scary as everyone keeps saying? I get it. On the surface, marketing & GDPR don’t seem obvious BFFs. When I started to do my research on the topic, I was crapping myself just like everyone else.
How would it affect my marketing?
Would my email subscriber numbers fall off a cliff?
What about my ad strategy – would anyone actually opt in to my opt ins anymore?
Marketing and GDPR month
I decided that if I was wondering about how to balance marketing and GDPR, lots of other entrepreneurs would be too. I talk rather a lot about value. Specifically, about the value you provide to your clients. As you know, I believe your content is a way to provide value long before your clients get cosy on your customer list.
Through my research, I’ve realised that GDPR is also related to value. How? Well, naturally, the data you hold on your clients is incredibly valuable – both to you, and to them.
Complying with GDPR is the perfect opportunity for you to demonstrate how much you value your contacts' data - by acting responsibly and taking care of it appropriately.
Never one to miss out on an opportunity to show my clients how much I love them (and their data), and to share knowledge where I can, I’ve declared March as “Marketing and GDPR Month”. This month I’ll be challenging myself to become GDPR compliant way ahead of the May 25th deadline.
I’ll be blogging my progress and, because it’s such an important topic, I’m pairing up with Rory Campbell from Forde Campbell, a commercial law firm specialising in IT, tech law, and the internet, for tech companies and start ups.
Together, we’ll be busting some myths, helping you incorporate GDPR compliance into your content and generally reassuring you that marketing and GDPR can go hand-in-hand.
But first, some housekeeping. Before we can figure out how to align our marketing with GDPR compliance, we first need to understand exactly what it is. I’m not a lawyer, so I thought I’d call in a tame expert (Rory) and ask him some questions:
Rory, is winter coming?
Jo, the succinct legal answer is Yes. But No at the same time, with a spot of It’s already been winter for a while, and a final note of Perhaps more of an Ice-Age than a Few Cold Months.
We lawyers like to be clear.
The fact is that, while many people have focussed on the threat of fines of up to €20 million, that’s missing the point. Fines will only be imposed in very limited circumstances. The real effect of GDPR will be to change the culture of modern business, so that personal data use will become an everyday responsibility and risk management factor – rather than something to be considered only when things go wrong.
What does GDPR compliance mean for business owners & entrepreneurs?
GDPR is actually pretty empowering for consumers. I know I’m a lawyer, and as such am more partial than most to a regulation, but GDPR is here to help everyone. Why? Because everyone has the right to the protection of personal data.
For businesses, the GDPR is about obligations, rather than rights.
The drivers for GDPR are, firstly, the transformation since the last data legislation (1998’s Data Protection Act) of how technology uses personal data; secondly, the massive uptake of mobile tech by consumers (particularly children); and thirdly, the fact that the law now wants businesses to demonstrate compliance – rather than doing nothing until the data protection watchdog, the Information Commissioner’s Office, comes calling.
In a nutshell, if you’re in business and you hold personal data about your customers or employees (that’s everyone, basically), the GDPR applies to your business.
To start on the GDPR compliance journey, you need to take time out to look at your organisation, think how data flows through it, and be able to state:
What types of personal data do you hold? Why are you holding it?
How do you obtain personal data? Once obtained, how do you store it? How is it protected, and how is access to it controlled?
What do you do with this data? How, when and why do you share it, and by what means?
Having carried out this data audit, you will have the information you need to take the first steps towards compliance.
Can I comply with GDPR on my own or do I need to hire in extra help?
For most small to medium businesses, GDPR compliance can be handled in-house. However, it’s an ongoing business task and one that needs to be defined. Data protection needs to be monitored and compliance with GDPR needs to be checked regularly, just like you do for other essential business tasks.
The initial step of answering the questions above will take an investment of your time, but it’s entirely doable by the average business owner.
Are you obtaining data?
Nearly every business that operates in the 21st century obtains personal data. Got a contact page on your website? You’re collecting personal data. Newsletter sign up pop up on your blog? You’re collecting personal data. Facebook ads with downloadable resources? You’re collecting pers- Okay, you get the picture.
So, yeah. Data collection and GDPR are inextricably linked.
But that doesn’t have to be a bad thing.
The aim of the regulation is to ensure that personal data is handled and processed responsibly, that contacts are clear on why their data has been collected and what it’s going to be used for. Contacts also have the right to access their data and have it corrected, removed and forgotten.
I think that’s pretty reasonable, don’t you?
What are you doing with their data?
Your contacts need to be aware of what you’re doing with their data and (where you’re relying on their consent to carry out your activities) they need to provide their clear, unambiguous permission. That means that, in turn, you need to provide them with clear information on what you’ll be doing.
Sending them a newsletter once a week? Let them know when they sign up.
Informing them about promotions because they downloaded a discount code? You need to tell them.
Marketing and GDPR action plan
I said earlier that I’ll be “live-blogging” (if you can call weekly posts “live”) my Marketing and GDPR compliance quest, so I figured the first step is sharing my action plan.
Your action plan is likely to be different, and, as I’m not a lawyer, the contents of this or any future blog post do not constitute legal advice.
All that said, it would make for a pretty shit blog series if I didn’t share my own process, so here goes….
The first action on my Marketing & GDPR Action Plan (I love me an action plan, so obviously I made one) is to figure out how I’m obtaining personal data, and what that data is. I’m thinking about:
Do I hold employee/contractor data, client data, or both?
Could an individual be identified from the information I hold? e.g. contact information, IP address, etc.
Where is this data held? Excel spreadsheets on laptop? In the cloud? On a scrap of paper? On a CRM system?
Who has access to the data?
Is there anyone who should have access to the data, but does not? (Or vice versa.)
How am I obtaining the data? e.g. contact form on website, sign up pop up on blog, FB ads, etc.
How do I request consent? Do they tick a box? Click a button?
What information do I give people whose data I hold? e.g. What do I tell them when they download a resource?
When an individual comes on to my contact list, what do I tell them about how I will use their data?
How am I using their data? (Are there different categories?)
Am I passing any of their data on to third parties?
You can download these questions in checklist form to help you figure out the beginnings of your compliance process – just click the image below.
Once again – I’m not a legal professional, so this checklist does not constitute legal advice and does not prove legal compliance with GDPR – that’s your job 😉
Marketing and GDPR – the (love) story so far
Today we’ve talked about how GDPR can impact your marketing strategy, and started the process of defining how we come to hold data and the process for this. This is an incredibly important step towards being able to prove your handling process.
We also looked at how GDPR doesn’t need to be the death of your marketing strategy. In fact, when we re-frame it, we see that the GDPR just means being responsible and transparent… qualities all of your clients will value.
Next week, I’m going to talk about the steps I’m taking to ensure all my data collection points are GDPR compliant.
For local entrepreneurs and business owners (that’s Northern Ireland for me, in case you weren’t sure), Rory and I are hosting a free talk on Marketing & GDPR on Thursday 22nd March in Ormeau Baths Gallery. We’ll be discussing how the regulation affects your marketing in more detail and offering insight into how it’s actually an amazing opportunity to connect with your customers. Click on the image below to learn more and sign up: