- Channel marketing leaders must work with internal stakeholders to ensure compliance with the General Data Protection Regulation (GDPR)
- Channel marketing leaders must also take the time to understand GDPR and its impact to channel data
- Organizations must ensure corporate data privacy compliance strategy includes channel partner data, or risk facing penalties
Did you know that B2B organizations that don’t comply with the General Data Protection Regulation (GDPR) risk incurring fines of up to 4 percent of global revenue? But when speaking with clients, I am often surprised that some B2B organizations have yet to address GDPR impacts to indirect partner personal data. As of May 25, 2018, all companies doing business in the European Union must comply with the GDPR, which governs any personal data held by or shared with a supplier’s channel partners. Channel marketing leaders must assess what personal data their organization holds or exchanges with partners, and establish data privacy policies that meet specific regulations.
Channel marketing leaders must collaborate with channel sales and ops teams and align their efforts as part of a comprehensive marketing effort and broader company initiative to assess what partner data is being captured, stored and maintained. Next, they must develop processes and policies aligned to the organization’s corporate data privacy compliance strategy. Consider the following scenarios:
- Partner personal data held by the supplier. Suppliers often store and process substantial data about partner individuals in a partner relationship management or sales force automation system. Review partner privacy policies, contracts and trading terms for detrimental consequences (e.g. assumed opt-in), and ensure that terms relating to consent and legitimate interest are built into partner contracts.
- Third-party data processors. Suppliers may leverage third parties for to- or through-partner marketing activities. Personal data targeted or included in these activities is subject to GDPR compliance. To address consent requirements – and promote partner engagement – develop partner preference centers that allow individuals to select the type of information they wish to receive and the channels through which they prefer to receive it. Data processors should also supply their GDPR credentials.
- Channel program policies. Assess channel program policies and guidelines (e.g. channel incentives, deal registration, lead management, data sharing) to understand program requirements for sharing personal data. Channel marketing leaders should determine how much personal data they require from partners, why they request personal data, and if the level of information is necessary given the compliance impacts on the organization and partner.
Depending on the depth of data transferred during lead hand-off or registration processes, suppliers that operate lead or opportunity management programs may be subject to GDPR. The following scenarios require documented processes and policies for internal or external audit purposes and compliance with GDPR:
- Supplier-generated leads. Suppliers that perform demand creation activities on behalf of partners (for-partner marketing) and generate opportunities and qualified leads for their offerings to be shared with partners must pay careful attention to third-party consent if personal data is included. If the lead or opportunity includes personal data, it is subject to GDPR. If a supplier captures personal data via Web forms, or via events that include personal data capture to share with partners for qualification and close, this data capture must be transparent and revealed to the data subject when he or she provides personal information.
- Partner-sourced leads. A supplier’s channel marketing function may create channel demand programs that qualified partners select and execute directly to end customers. Suppliers often ask for personal contact data when measuring demand creation activity results and asking partners to register leads or opportunities they have sourced themselves. Unless the partner has gained consent to share with the supplier any personal data linked with the opportunity, the data cannot be shared. Suppliers must determine how much personal vs. company data they require to measure the impact of demand creation activities and consider using other metrics to measure results.
- Lead referrals. Some suppliers have formalized relationships with referral partners, which recommend – but do not resell – the supplier’s products and services. In referral programs, partners identify new sales opportunities and refer them directly to the supplier or route them to another partner that can sell, deploy and support the supplier solution that the customer requires. Enable referral partners to gain consent to share opportunity information, including specific personal data, as part of lead hand-off processes with the supplier or another specified partner.
GDPR is not a project, but a new way of working in the modern data age. Now is the time to take stock of your organization’s progress and identify any gaps that may impede compliance. Remember to work with corporate data officers/data controllers and compliance, legal and marketing operations teams to understand the organization’s approach to GDPR, extend the scope to include channel data, and determine policies and procedures for achieving and maintaining compliance.