• Companies have embarked on a journey toward General Data Protection Regulation (GDPR) compliance
  • Most SiriusDecisions clients have reviewed their data intake via a port-of-entry analysis and are taking steps to improve compliant data intake
  • Having a compliance plan is an essential part of GDPR readiness

General Data Protection Regulation (GDPR) enforcement day (May 25, 2018) is fast approaching, and an urgency to reach compliance is evident in marketing teams across the globe. Companies have embarked on a journey, from a variety of starting points, to move ever closer toward a state of compliance they believe will satisfy stakeholders and authorities. So how far along the GDPR compliance journey is your company? Would you like to know what your marketing peers are up to? 


In my previous blog post, “The Five Building Blocks of GDPR Compliance,” I discussed the SiriusDecisions Data Compliance Model, which allows marketing leaders to examine the five key areas – data intake, data storage, data usage, data maintenance and data disposal – that drive a compliant marketing engine. The two areas that by far receive the most attention are data intake and data maintenance. In this blog post, I report on what I am witnessing in the area of data intake; in my next blog post I will turn to data maintenance.

Data Intake

Most of the companies I’ve spoken to have, by now, undertaken a complete port-of-entry analysis. Where and how data enters marketing tech systems has been recorded. While labor intensive, the process has been logical and enlightening, highlighting to marketers the extent to which non-compliant data can manifest itself (e.g. via manually entered sales contacts). To avoid risk, companies have begun to discuss a disciplined approach for managing such contacts. Our recommendation is to require that the data source (e.g. business card, social-media-triggered) be recorded in the sales force automation (SFA) system. Make the population of these fields a mandatory requirement for entry to succeed. Then record any reason for legitimate interest that the contact has provided as to the intent and purpose for providing his/her data. Saving this contact should then automatically trigger an email requesting consent confirmation be sent to the contact.

The major sources of new data are Web forms and contacts gathered at trade shows. Many companies report that Web forms have been updated, and consent wording has, for the most part, been delivered by legal counsel. I have found no consensus as to whether two separate statements requesting consent to processing data and receiving marketing communication are required or whether a single statement encompassing both suffices. As I am not a lawyer, I will not offer advice on this issue, but only highlight that this is a policy ruling you need to have squared away internally. For most of our clients, a contact’s county is a standard and mandatory form field and acts as the basis for determining the appropriate jurisdiction. I hear that trade show contact forms have been updated, and many companies now ask for consent during a face-to-face discussion and then forward an email requesting confirmation of consent.

GDPR permits six lawful bases for processing personal data, of which consent is just one. However, due in part to the forthcoming EU ePrivacy Regulation and the occurrence of consent requirements in many other jurisdictions, many of the companies I speak to have decided to use “consent” as the chosen compliance basis for new marketing contacts. This has forced organizations to initiate a companywide approach to consent. Some have taken the stance that for all marketing contacts, regardless of location, a confirmed opt-in (commonly called double opt-in) is required. Although not the majority, the number of companies adopting this approach is increasing. It offers a high degree of data quality, cross-company technical conformity and risk mitigation. Some companies point to the cost of acquiring permission (e.g. perceived loss of sales opportunities due to failure to complete the consent process) and have selected a more flexible structure – e.g. to capture consent strictly in line with judicial requirements, based on the country field. 

Will every company be ready by May 25, 2018? Perhaps not. But while I am not a lawyer or a representative of any European regulatory authority, I think I can safely say that, come May 26, failure to be 100 percent compliant will not automatically lead to the sky falling, or worse, firms being levied a fine of 4 percent of global revenues. Elizabeth Denham, information commissioner for the U.K., stated in an August 2017 blog post, “This law is not about fines…it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm…commitment to guiding, advising and educating organizations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

I can attest to the sheer scale of effort that SiriusDecisions clients continue to make to complete their journey to full GDPR compliance. Companies are taking GDPR very seriously, and have set about reviewing and altering their processes with respect to the intake of contact data.