“GDPR.” You’ve likely seen those four letters pop up in your news feed and inbox quite a bit recently. Those letters are short for General Data Protection Regulation – a law created by the European Union (EU) to give its citizens the ability to protect their personal data and online privacy. It went into effecton May 25, 2018.
If you’re like thousands of companies around the globe, you may be thinking, “What a pain. I don’t have time to overhaul the way I communicate.” Communication is a two-way street, of course. If you are just focusing on the “I” part of the equation then, yes, the GDPR will seem like an inconvenience. But, if you focus on the other side of the equation – the people you’re communicating with – the picture starts to look a bit different.
Rethink the way you market and communicate
Among other rights, people (in the case of GDPR, EU citizens) now have the right to know what information you’re collecting about them and what you’re doing with it, as well as the right to have their data removed from your system (“the right to be forgotten”). These are rights that – as a business communicating with EU citizens – you must comply with.
Reading between the lines a bit, we can see that the GDPR legislation speaks to a larger issue: people now have more control over who is storing and processing their information. So…
Does your audience want to interact with you?
We know that people are generally willing to submit information and agree to terms (e.g., cookies and Google Analytics tracking) of sites/companies that they wish to hear from or otherwise interact with. Just think of all the user names and passwords that you likely have yourself across dozens of websites. You’re not likely going to cause a stir and/or ask to be removed from the database of a company you’re happy to hear from. So, think of your customers and prospects the same way.
Are they receiving value when visiting your website or receiving communication from you? Or, are they being bombarded with information they don’t want?
If an honest assessment points more to the latter, now is a good time to course correct. Technology can help. For example, if you regularly share information with your list using a marketing automation tool like HubSpot, you can easily determine who is and isn’t interacting with your content. GDPR or no GDPR, if someone hasn’t even opened your last 20 emails, that’s a pretty strong clue about their future buying intentions.
On the other hand, if prospects value the content you share, they will not likely flag your communications as being in violation of GDPR, nor will they want you to remove their information from your database.
What about digital marketing?
Just because a person doesn’t yet know of your service doesn’t mean that they won’t have an interest. So, it’s common practice to send digital communications (e.g., emails) to prospects who might be interested in your offerings.
Can you do this and still be GDPR-compliant? Yes, and here are your options:
1. Send communications only to people who have opted in to receive them
2. Send communications to people that you have a "legitimate interest" in contacting
The first option shows proactive consent. It is important to note that, when opting in, the user must clearly understand what he/or she is opting into and must do so willingly. This means, for example, no pre-selected checkboxes on forms.
Chances are, however, that much of your prospect database has not provided proactive consent to receive communications. You can still contact these people under “legitimate interest” if it is reasonable that they would be interested in your product or service (e.g., emailing past buyers about a new product).
Now, let’s address the letter versus the spirit of the law using an example.
Let’s say you offer a service designed to solve a real problem for companies spending at least $12 million a year on airfreight services. It makes sense for you to research and identify this target group of prospects, and the people responsible for airfreight shipping decisions, and then to reach out to them. That’s selling. And it’s certainly fair to assume that this targeted group would have a reasonable interest in learning about this solution.
Then, let's say you bought a list of prospect companies that use airfreight and sent an email to the entire list hoping to reach the very small percentage of those shippers whose spend exceeds $12 million. Forget about legal definitions here, that’s spamming.
So, can you still market to people under GDPR? Yes, but you no longer have carte blanche to do so solely on your terms. To help determine your legitimate interests in contacting individuals, see this assessment from the Data Protection Network (UK).
Remember that by storing prospects’ data, you are responsible for protecting that information. You also need to provide recipients with a clear opportunity to unsubscribe from your communications.
How to Comply with GDPR Legislation
As the full GDPR document is quite lengthy, there is a lot to digest when beginning your compliance journey. We’ve created a GDPR Basics Guide to help you get you started.
GDPR compliance can be a bit of a headache. However, a bigger headache is created when people take exception to the way you communicate with them and start exercising their privacy rights.
Our suggestion to logistics marketers: don’t invest hours and days trying to become an expert on what you can and can’t do under GDPR. Instead, use that same time to rethink the way you communicate.
Distinguish your company as one that provides helpful information that prospects want to receive versus just another firm hawking its products and intruding on an individual’s online life. If you do this, GDPR will not be a concern.
Frequently Asked Questions
Here are the questions that we hear most often:
I am in the U.S., does GDPR affect me?
It does if you serve EU-based customers or have website visitors from the EU.
Do I need to change my privacy policy?
Most likely, yes. Per GDPR, you need to let people know the 7 pieces of information covered in this article. Do so in plain language that an eighth-grader would understand.
Do content downloads (e.g., white papers) amount to implied consent to receive future information?
In our opinion, yes, in the sense that contact data is voluntarily provided by an individual, not scraped or taken surreptitiously. That is the heart of content marketing (AKA inbound marketing): providing useful information that makes people think, makes them smarter or helps them do their jobs – so useful that the individual invites you into their inbox. According to the Content Marketing Institute’s Robert Rose, “When consumers happily, willingly, and trustingly give you data, it is a more meaningful and valuable asset for your business. Delivery of relevant interactive content early and often in their experience is a key piece of the evolving learning process.”
Some companies prefer to establish additional protective measures by using a “double-opt-in” strategy. Here you would send an email to anyone who fills out their first form on the website asking if they want to receive certain future information. Only those who provide consent to this second email would be eligible for future emails. Double-opt-in strategies can be automated.
Do I need to email my entire database and ask for consent?
If your prospect list has been built organically and contains people who have opted in to receive information or who have downloaded content, then it’s fair to assume they have a legitimate interest in receiving future information. But if your prospect list is the result of a series of list purchases or other instances where you grabbed someone’s personal data without consent, it may be wise to review the lists, determine who is and isn’t interacting with your content, and send a communication asking them to opt in to future communications.
We worked with one company that had 40,000 names in its “prospect” database. Upon closer examination, it became clear that a past sales manager purchased multiple lists to create the database. The company’s own CEO was on the list 4 different times by virtue of belonging to several of the lists purchased.
Do I have to put a notice on my website that the site uses cookies?
Yes, this is a good idea because GDPR requires that you inform people if you capture and process their data. If you’re using Google Analytics or other web analytics software, you are capturing their data. A simple statement that links to your privacy statement should suffice. Many content management systems, such as Wordpress and HubSpot, have built-in solutions for cookie notices and other actions to support GDPR compliance.
What happens if I ignore GDPR regulations?
Honestly, no one knows yet because the law just took effect. There are pretty stiff penalties for non-compliance on the books, but until we have some precedents it’s hard to say. Regulators will likely look favorably upon companies that make a good faith effort to comply, even if they may not be meeting the letter of the law.
Should our lawyers be involved in crafting our GDPR compliance strategy?
Well, yes. This is, after all, a law agreed upon by the European Parliament and Council. But be careful. GDPR clearly indicates that any notices regarding privacy protection, data sharing and the like be communicated in plain language that any reasonable person could understand. Avoid legalese when crafting any new privacy statements. It may be wise to have marketing or communications people craft user-friendly language that addresses the key legal requirements of GDPR and then have the lawyers review that language.
