Compliance? *gag*
There are few things I like thinking about less than regulations impacting email marketers. But, it’s important for our businesses to CYA and it’s good for us as consumers, and blah blah blah.
I finally got around to catching up on GDPR compliance and how this impacts all of us Pardot admins. It’s kind of a lot. In 10 questions, here’s the quickest and least boring way I can summarize it:
1. What does GDPR stand for?
General Data Protection Regulation. Aka, a new law passed by the EU in May that adds some new requirements (read: hoops) for organizations that market to, track, or handle personal data of EU residents.
This applies to you if you’re doing business or marketing to people in the EU, no matter where your company is physically located.
2. What kind of data is the GDPR all hot and bothered about?
Literally everything.
The GDPR regulates the “processing” of personal data — so collection, storage, transfer, etc. The definition of personal data is extremely broad and includes any info related to an identified individual. The reg breaks this into 4 categories:
Personal Data
Anything relating to an identified or identifiable data subject.
(Example: my favorite color is green.)
Sensitive Personal Data
Info on race/ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health/sex life/sexual orientation, and genetic or biometric data.
(Examples: I’m a raging liberal, I have the resting heart rate of an 83-year-old chainsmoker, and I believe Marc Benioff is a demi-god.)
Pseudonymous Data
Personal data that can’t be connected back to someone without additional information stored elsewhere.
(Example: Say I’m creeping on Jenna Molby’s blog and reading her new post on two column forms. Jenna records my IP address and links it to the pages that I’m viewing. But it’s “pseudonymous” because without my name and deets, Jenna doesn’t know it is me.)
Anonymous data
Data that can’t ever be connected to an identified or identifiable person.
(Example: Pardot puts a suggestion box in the middle of the Forbidden Forest. Or on a site that collects no information, not even IP addresses.)
3. When’s the last possible second I can wait to think about this?
May 25, 2018 is the date these requirements go into effect. So like 7 months-ish. Tick tock.
4. You lied, this is pretty boring… but tell me what’s changing anyway?
The GDPR establishes certain rights for individuals:
Consent
Whenever someone is about to submit personal information (i.e. any form) they have to give affirmative consent for you to process their data. You cannot infer consent from a form submission alone, or a pre-checked box, or showing them disclosure text.
Right to data portability
Individuals can demand a copy of the data you’ve gathered on them.
Right to be forgotten
Individuals can request you delete the info you’ve gathered on them when the data is no longer needed for its original purpose or when they no longer want you to have that info.
Compliance Requirements for Businesses Processing Data
For companies, GDPR lays out requirements for A LOT of things, including:
- Gathering and using email addresses
- Documenting internal processes to stay GDPR compliant
- Conducting a Data Privacy Impact Assessment for new technologies
- Mandating certain types of businesses hire a Data Privacy Officer
- Creating privacy policies and compliant contract terms
- Reporting obligations when a data breach occurs
5. What does this mean for email marketing, specifically?
Under GDPR, you can only send email to people who’ve “freely given, specific, informed and unambiguous” consent to be marketed to by you. This has been the case for several European countries under other laws, but GDPR gets even more specific about it.
In addition, the signup process must inform subscribers about the purposes of collecting personal data. So if someone signs up for a webinar, and you want to use that info later to send them cat videos, you need to mention that on the form before the user hits submit.
GDPR also requires that you keep a record of when and how you got consent from your subscribers. And your process for doing so in the future. So start stretching your documentation muscles.
6. Wait, some of this sounds problematic.
Ding, ding, ding!
Most companies will have to make major changes to get into compliance, both in terms of the processes they follow and the technology they have in place to support those processes.
Pardot and other marketing automation platforms are not in compliance today out of the box, and in some cases, they actually make it impossible for their customers to comply.
Take the “right to be forgotten” for example — you can’t actually “forget” or delete someone in Pardot. That person will go to the recycle bin, but all the info you’ve collected from them sits there.
There’s still time before the May 2018 deadline, and I have faith that the Pardot product and security teams will come through with changes to support us in getting GDPR compliant.
7. What’s the worst possible thing that can happen if I ignore this and just watch Silicon Valley re-runs?
GDPR violations are enforceable with fines of up to €20 million or 4% of your company’s annual revenue (whichever is greater). Woof.
8. Does Brexit mean I don’t have to worry about this if I just do business in the UK?
Nice try.
Yes, the UK is bidding adieu to the EU. But that’s a long process that won’t be over by May. So GDPR will apply in the UK, at least for a while.
9. Ugh, fine. What should I start doing to comply with GDPR?
You could stop doing business in the EU.
If you’re not willing to do that, then there are a few things you can do to get a jump start on meeting the requirements:
a. Work on an affirmative opt-in process
Make the user check a box or complete a field to opt into communications, and add this to all of your forms. Nebula Consulting did an awesome Topical Office Hours session on this.
b. Start documenting your marketing and lead gen policies
Work with your legal team to create a privacy policy for your website, a cookies policy, and document your processes for obtaining affirmative consent from your list.
c. Do a compliant permission pass / opt-in campaign stat
There’s no “grandfathering” of subscriber data that you collected pre-GDPR. So if you have an email list that hasn’t affirmatively opted in (i.e. you email every person who has ever filled out a form on your site) you’re not technically allowed to email them anymore if they’re based in the EU.
To avoid that landmine, do a permission pass for your European prospects and customers that asks for explicit consent. A lot of companies may jump on that bandwagon as the compliance deadline gets closer — so beat the rush and get this done ASAP.
d. Stay tuned for updates from Pardot
We will likely see more guidance coming out on this topic, from both Pardot and other thought-leading entities in the space, hopefully shedding some additional light on how the regulation will be applied.
10. Is this going to kneecap my ability to grow a subscriber list?
Not going to sugarcoat it: YEAH. It’s very likely that by complying with GDPR, your list growth will slow down big time.
Theoretically, since these regulations apply only in the EU, you could implement one process for your European clientele, and keep things as is for relationships in other parts of the world. But this adds a lot of complexity and administrative overhead to the mix.
For most businesses, it probably makes the most sense to get GDPR compliant and leverage one set of opt-in and privacy practices. GDPR is about as strict as it gets — so if you do get into compliance, you’re pretty much good to go globally.
The subscribers who you do capture in a double opt-in / affirmative consent model will really want to hear from you, which will have positive ripple effects on metrics like open rate, click-through rate, and more.
What other GDPR compliance questions do you have?
If you’d like to learn more about this, Salesforce has a landing page to share what they’re doing to become GDPR compliant. There’s also a short Trailhead module that dives deeper into the history and intent of the law.
Disclaimer: I am not a lawyer, although I did watch a whole season of The Practice once when I had the flu. Do not leverage this blog in place of actual legal counsel. That would be crazy.
But if you’re like me, and asking questions to try to get a better handle on this thing, I’d love to know what else you’re wondering about. Post your questions in the comments and I’ll see if I can help find some answers!
Great primer on GDPR.
Thanks!!
Three years down the road, it’s interesting to see what little progress Pardot has made on opt-in. Each time I’ve asked them about it I’ve been instead signposted to content about double opt-in.
Websites must have in place a GDPR compliant cookie consent banner to ensure that they protect the data privacy of their website users, inform them about the cookies that are active on their website and address any privacy concerns that the users might have.
However, users find the cookie consent banner an annoying element on any website. The reason for this proliferation of the GDPR cookie consent is that the lawmakers want you to take good care of the personal information of your users.