Editor’s Note: This is a guest post written by David Ratcliff, CEO of Vendemore. David Ratcliff is the Managing Director of Vendemore, where he built the Swedish company’s managed service model and has been instrumental in bringing Vendemore to the global market. He has decades of experience in international marketing and advertising with companies such as IBM, HP, Panasonic, Sony, Microsoft, Nokia, Pepsi, Lucas Films, Universal Music and others.
The GDPR fear campaign has begun. In case you haven’t heard about it (which is very bad at this point), the General Data Protection Regulation is an EU regulation passed to strengthen data protection and privacy for EU citizens. In anticipation of May 2018, when the new regulation goes into effect, many businesses are starting to investigate what this means for companies outside the EU.
Why Should I Care?
It would be easy to write this off as an IT problem to solve, and there has been a lot of guidance from reputable sources for IT, security, and governance pros to peruse. But this regulation will have a much broader impact and require dedicated attention from across the business landscape, including marketers and sales teams who rely on customer data to understand behavior, refine messaging and deliver customized content that is timely and relevant to prospects.
The law passed in 2016, giving everyone two years to prepare, but going from “we have plenty of time” to “oh crap, what are we going to do about this?” can happen in the blink of an eye. And the stakes are high. Failure to comply can result in a penalty of up to four percent of global annual revenue, and U.S. companies dealing in high volumes of data are an easy target.
Gartner recently predicted that only 50% of companies impacted by the regulation will be compliant by the end of 2018. As a marketer, especially one who relies on data-driven strategies like account-based marketing to feed the sales engine, you don’t want to be on the wrong side of that statistic.
What Do They Want?
To use existing data, marketers will need a fully documented permission trail, including the data and source of the consent. And as an American company, you are not immune to the ramifications. While the regulation is coming out of the EU, it will apply to any company that sells or advertises to any business or subjects residing within the union. In this day and age, that’s pretty much everyone.
In addition, all of your customer data needs to be organized in such a way (i.e., not in a spreadsheet or in siloed tool repositories) that, if a subject requests, you can easily provide the data or erase it in a reasonable amount of time. This also includes any of your customer data that is being handled by third-party partners or vendors.
What Can I Do?
Here are three things you can do now to make sure your marketing organization is positioned well when the time comes.
1. Hire an outside auditor to review your data and processes. Talk to your IT department, as they are likely aware of and hopefully already taking steps to address the upcoming regulation.
Bringing in an outside expert now will give you space to correct any issues before time is no longer on your side. A recent audit conducted by W8 Data found that, in the UK, 75 percent of existing customer data does not meet GDPR requirements. Considering 45% of U.S. executives believe that GDPR does not apply to them or do not know whether it applies to them, the U.S. is surely no better positioned.
Find out where your company stands and where you need to be. Make sure the person determining the answers is a reliable source who is well versed in the regulation requirements. Upside? You can demonstrate to your customers that you take privacy seriously and are going the extra mile to ensure you are GDPR compliant.
2. Check in with third-party vendors. Chances are, as a marketer, you are using one or most likely several of the 5,000-plus martech solutions out there. If account-based marketing is part of your strategy, this is especially critical, as ABM, by definition, is about customizing marketing efforts based on individual prospect information and behavior.
Vendors who have access to your customer data will leave you taking the hit if they are exposed. Don’t just take “yes, we’re covered” for an answer. Make sure your relevant vendors have taken the appropriate precautions and can supply audit results or some other proof of compliance. If a third party is not able to prove their GDPR compliance, the work they do with your EU data is illegal. Adding this requirement to your service level agreements can create an extra layer of protection.
3. Assign a GDPR representative. Assigning or hiring a Data Protection Officer (DPO) is actually required by the new regulation in most cases. Required or not, the earlier your company assigns this responsibility to someone, the better. Your representative may not come from the marketing department, as there are many functions within the business that can touch customer data, but it is important to know who your representative is and stay informed.
This is all the more reason to make sure you are connecting on this with your IT or security team. They can’t be expected to understand the ins and outs of every department, or how you might be storing and using customer data. Having a person responsible for understanding all the requirements, bringing everyone together and seeing the bigger picture will be a critical asset.
In closing, don’t freak out. Leading up to May, you will hear horror stories and see a lot of content designed to create a frenzy. Get out ahead of the regulation and be prepared. Taking these steps and locking down GDPR compliance ASAP could actually become a competitive advantage rather than a drag on resources, a looming risk or ultimately a PR nightmare that your marketing team will have to manage.
Once you feel good about compliance, then you can start thinking about what content will encourage and maintain consent from your audience, but that is entirely another topic to tackle.