The Five Building Blocks of GDPR Compliance
- The severity, reach and importance of GDPR requires business improvement across five key areas of data lifecycle management
- The Data Compliance Model allows marketing leaders to understand and consider key elements to drive a compliant marketing engine
- Having a contact’s permission offers a greater ability to personalize communication and instill contact confidence and trust in the company
By May 25, 2018, all companies (irrespective of headquarters location) that control or process the personal data of European Union (E.U.) citizens must comply with the strict personal data privacy regulations of the European General Data Protection Regulation (GDPR) or risk fines of up to €20 million or 4 percent of worldwide revenues (whichever is greater).
This law requires that companies – even in the B2B arena – when processing personal data, place emphasis on data subject consent or legitimate interest, the definition of which is far wider in scope in the E.U. than current personally identifiable information (PII) definitions in the U.S.
Company legal and IT teams commonly conduct vital tasks such as safeguarding the security and integrity of company data, ensuring data breach processes are foolproof and that external reporting processes meet the required standards. However, insufficient consideration of GDPR’s impact on all company marketing activity so close to the effective date may send marketing scrambling, but too late to find the time, resources and investment to be compliant. The severity, reach and importance of GDPR requires business improvement across the five areas of data lifecycle management: data intake, storage, usage, maintenance and disposal.
SiriusDecisions introduced the Data Compliance Model to allow marketing leaders to grasp the key elements that must be considered to drive a compliant marketing engine. The company must audit existing data intake and storage policies and oversee ongoing maintenance (including data disposal) practices to ensure continued cross-organizational data compliance.
- Data intake. Define which personal data will be collected and for what purposes it will be used – e.g. marketing campaigns, contract fulfillment, delivery to third-party channels. Provide a comprehensive list of all “ports of entry” for data such as Web forms (e.g. across all domains/microsites), chat, event lists, data append routines and manual entry. For each contact record, ensure that the chosen basis for future processing of the personal data is clear.
- Data storage. For applications that the marketing function is directly responsible and accountable for, full data storage, transfer and breach protocols must be implemented. The more common scenario, however, is that ultimate responsibility for marketing systems is handled by a centralized IT function and includes the use of cloud-based solutions. In this case, the marketing operations leader must coordinate process activity with IT teams to ensure compliance.
- Data usage. Oversee the creation of internal data usage guidelines, including escalation procedures. Externally, communicate the company’s privacy position and practices to the market in general. For example, communicate via email footers the selected reason for communication to a contact, link to a preference center and display trust marks prominently.
- Data maintenance. Provide quantifiable goals for data management activities to enhance the compliance quality of the data records. Note the auditing and validation steps taken to avoid any reduction of the current compliance quality via data import or system synchronization. Also document process steps designed to ensure compliance of any anonymous data that is transformed via appending actions to become personal data under GDPR. In addition, monitor the ongoing applicability of the selected contact communication method (e.g. consent renewal, change of lawful basis) and offer process steps to be followed by the marketing team to ensure this is recorded correctly.
- Data disposal. Work with the IT team, legal counsel and the appointed data privacy office to draw up guidelines and processes for archiving, lawful encryption and permanent deletion of marketing data. Introduce “marked for deletion” processes for marketing contact data. Collaborate with the company data privacy officer to create the process the marketing function can use to respond to (execute and report) all external data deletion requests.
Failure to comply with the legal mandate could expose a company to severe fines, but embracing compliance and building a permission-based approach can bring substantial benefits. Having a contact’s permission offers a greater ability to personalize communication and instill contact confidence and trust in the company. Missing the target with irrelevant or unwanted communication risks costly damage to the brand and frustration among recipients. Contacts who have provided permission are also more willing to engage and share further information such as content preferences. This enables marketers to tailor messages, identify a contact’s position in the buyer’s journey and target marketing investments more effectively. Working with a high proportion of actively opted-in contacts means that outbound tactics will enjoy lower bounce rates, avoid spam traps and see an increase in sender metrics and open rates.