GDPR: A Game Changer for Marketing Operations

Michelle_Miles3
Level 9 - Champion Alumni
Level 9 - Champion Alumni

The first post of a 5-part series on GDPR, we discuss the importance of preparing your marketing operations to meet compliance requirements or aligning your “defensive” strategy. In the next post, we’ll discuss options for building your “offense,” including ideas for collecting customer information in an engaging manner that’s also GDPR compliant.

If you watch football at all, you understand the importance of a good offensive and defensive strategy. You also know the impact of penalties and play reviews, sometimes the difference between victory and defeat. One ruling can be a total game changer.

We have a major game changer looming ahead for marketers. I’m, of course, referring to GDPR. I’ve been asked by many Marketo clients how the new consent-based legislation will impact the future of marketing operations. I won’t sugar coat it: marketers need to prepare for new challenges. GDPR was created with noble intentions to protect the privacy of consumers, and it will change our marketing landscape. A few specific examples:

  • Opt-in consent is required to email and retain personal data. Additionally, appropriate record keeping to verify permission is also required.
  • Lead scoring will be considered user profiling, which under GDPR, requires consumer consent. Similarly with propensity-to-purchase calculations—if you are using this to schedule follow-up sales calls, you must have permission to use the consumer’s data in this capacity.
  • Data enhancements must be declared, and past data audited. If you are further enhancing your data from a third-party source, you may need to state the origin and the purpose. Keep in mind, anyone processing your prospects’ data must be GDPR compliant, too.
  • Data management: GDPR includes a host of consumer rights and protections, which marketers need to be prepared to accommodate.
  • Record disposal: We all hate to delete information. But under GDPR, we must delete records accumulated without opting in, and, remove data from individuals who withdraw consent or otherwise request deletion of their information.

Game Changer, Not Game Over

GDPR will require changes to current marketing practices, but it doesn’t have to kill your operations completely. Preparation and identifying your vulnerabilities is essential. To start:

Read the full post on the Perkuto Blog.​

10951
30
30 Comments
Mark_McGourty
Level 2

Hey Dan,

Question: Under GDPR; A general email communication sent without a form; where does the consent come in and how is it captured?

Dan_Stevens_
Level 10 - Champion Alumni

Hi Mark - no email is ever sent with a form. Consent needs to be acquired BEFORE the email is sent. If not, then the marketing email cannot be sent to those people who haven’t provided that consent.  This will obviously make "prospecting" emails a lot more challenging (list purchases will become even more risky than they are today).  Instead, you will be sending emails to people who you already have a relationship with and already in your database - which should actually improve your overall email results.

The most common way to obtain consent is via a form (as part of event registration, gated content, contact-us, etc.), but you can also obtain it through other methods - for example, including specific language in the contracts of new customers.

Mark_McGourty
Level 2

Dan, thank you; I obviously need to think about a global opt-in program.  I'm thinking I could do this ahead of May 25.  as always, I appreciate your input.

Anonymous
Not applicable

Thanks Dan

This is a general question: How do you go about creating a preference center/form in Marketo and I assume it is directed to our own website so we can monitor the individuals preferences.

Dan_Stevens_
Level 10 - Champion Alumni

Regarding my example I provided above:

If a German citizen works for JP Morgan in NY (and lives in NY), GDPR does not apply to that person.

One of our attorneys that recently joined our team, informed me today that GDPR would apply here.  Not only does it apply to anyone in the EU, but also any EU citizen, regardless of where they are located.  Michelle Miles and Grégoire Michel, what's understanding of the boundaries of GDPR applying to specific data subjects?

Grégoire_Miche2
Level 10

HI Dan,

That was my first understanding.

But after multiple discussions and also personally reading the text (The french CNIL publishes it in French here), it is very explicit: it regards the private data of anyone LIVING in the EU, regardless of their citizenship (and not the data of any EU citizen, wherever they live). Their is an extraterritoriality clause in this that any company storing or processing this private data has to comply to the GDPR, wherever this company is located.

-Greg

Dan_Stevens_
Level 10 - Champion Alumni

Thanks Greg.  I guess I'm not following what you're saying.  Would this German citizen living in NY be protected under GDPR?

Grégoire_Miche2
Level 10

No, he would not. He is a EU citizen but Not EU resident.

-Greg

Grégoire_Miche2
Level 10

Now the problem you might have is that if the guy moves back to Germany, then, all of a sudden, he should be protected, and you may not even know in your systems that he has moved. If you stop selling to him because you do not do business with people in the US, you are safe. But if the relationship continues, you become exposed.

As the matter of fact, as soon as a company starts selling to Europe, it is not recommended to try to play smart and differentiate your prospects and customers based on where they are at a given point in time. People move fast and frequently nowadays and trying to have more "flexible" rules based on where people are located at any moment might easily lead to serious liabilities.

Greg

Dan_Stevens_
Level 10 - Champion Alumni

And this is why most global organizations - or anyone that could potentially do business with EU data subjects - are treating GDPR as global policy.  Capturing and filtering on "country" is just an additional preventive tactic should companies get audited for a violation of GDPR - to demonstrate that they at least have a process in place to try to ensure they are compliant with EU data subjects. 

The region that will be most impacted by a global policy like this is the US.  The US has some of the weakest privacy/spam laws in the world (e.g., CAN-SPAM that doesn't require consent; but does require you to honor opt-outs/unsubscribes) - and this global policy could really hamper one's marketing ability to one of the largest regions in the world.