GDPR is coming… what should I be doing?

With GDPR on the way in May 2018, let's take a look at what you need to be doing with your customer data to stay compliant.

Posted by Michelle
3 January 2018

It's now impossible to ignore the rumble of General Data Protection Regulation (GDPR) approaching, yet many marketers seem to be struggling to know where to start. It was easy to put to one side in 2017, but now we're in 2018, and it's coming in this year (25 May, to be exact), you need to be acting, not putting it off any longer.

GDPR is all about transparency, affirmative consent and giving people control of their data. B2B marketers are used to sitting pretty with the Data Protection Act (DPA) and Privacy and Electronic Communications Regulations, which addressed the use of personal data and really only applied to B2C.

With GDPR, any data which can be used to identify an individual, whether that's corporate email addresses, cookies, or IP addresses, is classed as personal data, and if you’re keeping and using it, you need to have a good reason why – and explicit permission to do so.

We've put together a step-by-step guide to make it more manageable...


1. Back to basics: what even is GDPR?

Ok, nobody wants to read chunky pieces of EU legislation, but if you're going to be held liable (by collecting, holding or processing any data, yes, you), we think you better had. In addition to that, the ICO has put together a guide to GDPR, which explains a bit more about the changes in relation to DPA, what rights are being covered now and what kind of data individuals can request under the new legislation.


2. Carry out a data audit

Identify your data assets. What information do you have, and where is it? Is it all held within the EU? Is it necessary data? The DMA has a great article on carrying out a thorough data audit.

Data hides in the unlikeliest of places. As well as the obvious (CRM systems, marketing automation software, email marketing software), you could have data held in spreadsheets across your company – and don't forget to check old software or systems you used to use. Keep a record of this.


3. Get your house in order

What processes do you have around data? Understand and document them. Who has access to the data? Do they need it? How is consent to use that data given and recorded? Identify the risks, then assess the impact and likelihood of a breach.


4. If you've purchased a marketing list, speak to your provider now

Chances are that if you've purchased data in the last year, the list expires in April – this isn't a coincidence. Marketing data providers are switching up their terms now, in the lead up to GDPR being implemented.

One of the new requirements is to have a Legitimate Interest Assessment, which your provider could help with. This demonstrates that you've considered the impact on the data subject and the relative importance of the marketing activity you want to implement. Get written proof (which could be found on their website) that your provider is operating within the guidelines.



5. Get consent

If you use cookies on your website (and who doesn't these days?), you need to be highlighting it and informing users. Your privacy policy, terms and conditions and forms need to be updated to be fit for GDPR – you must tell users what you will be using their data for and get their consent.

A straightforward way to make this work on forms that capture user data is through a small explanation of terms on the form itself with a link to the full terms, with an unticked "I consent" checkbox, which is a required field.

The shorter text could be as simple as "I agree to receive related marketing communications from [company] and understand that I can unsubscribe at any time", with a link to the more detailed terms and conditions.

We appreciate that it seems like overkill to get consent from someone who's simply completing an enquiry form, but if that information goes straight into marketing automation software or a CRM system, you still need to do this.


6. Plan your documentation now

This is the biggie – document everything. The burden of proof is on you, and the fine is huge if you get caught breaching the regulation.

Introduce appropriate controls, including putting suitable contracts in place with data processors like mailing houses, email companies and marketing agencies. Find out if the data ever leaves the EU.

Documenting source information is vital, as this will determine under what basis you are using the data. This can be consent or legitimate interest. For purchased lists, your marketing data provider could help you – they may collect and provide data based on legitimate interest.

Determine whether the data you hold on a subject would put them at risk – this is especially relevant in industries that hold medical data on individuals. Create a risk treatment plan, prioritising the highest risks – what is the risk to the subject; how are you protecting their data? If there is high risk to the subject, do a full impact assessment – what would be the consequences if the data you hold on them wasn't secure?

For existing contacts, check that your opt-ins satisfy the new consent rules – if they don't, you need to get everyone to opt in again, or have a documented system under legitimate interest.

As an example, you could keep those contacts on your database who have clicked an email from you in the last six months (as this shows legitimate interest), and delete the other records – you could send them a final, goodbye email, to get them to opt back in (with the updated forms and terms in place) before deletion.

Consider how you will keep your data up-to-date. Some providers will be refreshing the data they provide to you every couple of weeks. How will this work with the data you’ve collected yourselves?

You can’t keep data for any longer than you need it, and you can’t keep anything that’s not relevant – for example, you don’t need their phone numbers if you’re not ringing them, or if you’re not targeting by location, you don’t need their address. Oh, and you can’t keep this stuff just in case – you need to have a plan already in place for its use to justify why you're retaining it.
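To make steps 5 and 6 concrete, here is an added example (not code from the original post or from Splitpixel) of the server-side half of the unticked "I consent" checkbox and of the six-month click rule for existing contacts. The field names, the statement version string and the contact record shape are assumptions for the sake of the example.

```javascript
// Added example: record affirmative consent from the enquiry form described
// in step 5, and triage existing contacts per the six-month rule in step 6.
// Field names, statement version and contact shape are assumed, not from the post.

const CONSENT_STATEMENT = {
  version: "2018-01-v1", // assumed: bump whenever the wording changes
  text: "I agree to receive related marketing communications from Example Ltd " +
        "and understand that I can unsubscribe at any time.",
};

// A browser only submits a checkbox field when it is ticked (value "on"), so an
// absent field means no consent. The box must render unticked: a pre-ticked box
// would also send "on", and the server could not tell the difference.
function captureConsent(formFields, meta) {
  if (formFields.marketing_consent !== "on") {
    return { ok: false, reason: "consent checkbox not ticked" };
  }
  return {
    ok: true,
    record: {
      email: formFields.email,
      statementVersion: CONSENT_STATEMENT.version, // proves which wording they saw
      statementText: CONSENT_STATEMENT.text,
      source: meta.source,                         // which form or landing page
      consentedAt: meta.now.toISOString(),
    },
  };
}

// Step 6 rule: keep contacts with a consent record or an email click in the last
// six months (legitimate interest); everyone else goes on the goodbye / re-opt-in
// list. Dates are compared in UTC so the cutoff does not shift with local time.
function triageContacts(contacts, now) {
  const cutoff = new Date(now);
  cutoff.setUTCMonth(cutoff.getUTCMonth() - 6);
  const keep = [];
  const reconsent = [];
  for (const c of contacts) {
    const recentClick = Boolean(c.lastClick) && new Date(c.lastClick) >= cutoff;
    (c.consentRecord || recentClick ? keep : reconsent).push(c.email);
  }
  return { keep, reconsent };
}
```

The consent record is itself personal data, so store it with the contact and delete it when the contact is deleted.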


7. Make it easier for yourself

This isn't a necessary step, but one we think makes marketers' lives so much easier! Marketing automation software such as HubSpot has some great features that ensure that you keep on the right side of GDPR.

  • HubSpot makes data collection transparent with landing page forms
  • It's easy to document on the system how consent was gained
  • There's no need to use additional email marketing software
  • Data is stored in accordance with GDPR requirements
  • Unsubscribes are automatically actioned
  • It’s straightforward to amend or delete subjects directly in the system
  • You can export all data on a subject
  • Double opt-in can be automated if required

So that's it! If you have any specific needs in this area then it's best to speak with a business data expert, but this is the process we’re following here, and we hope it helps you to understand what you need to get started with to stay compliant. 
