
Maybe you’ve heard the idea that the Chinese word for “crisis” is composed of two syllables that respectively mean “danger” and “opportunity.” It's a great idea, but unfortunately it just isn't true.

Yet “crisis = danger + opportunity” won’t go away because it perfectly captures the way many erstwhile business gurus would like to think of moments of crisis. 

So when I recently heard someone in the digital marketing world predict the coming “GDPR crisis,” I couldn’t help thinking about potential positive outcomes, along with the risks.

Don’t get me wrong: when it comes to preparing for GDPR — the European Union’s General Data Protection Regulation — too many businesses are whistling past the graveyard. It’s a regulation with potentially serious consequences for companies that violate it.

But the upside of GDPR is that it’s a forcing function for improving the experience users and customers have with digital services. And guess what? Businesses that are already oriented towards delivering a great digital experience are going to have a much easier time with the regulation.

Email, Through a GDPR Lens

Let’s take a group of businesses close to my heart: developers that incorporate email into their apps and services. “Email” covers a lot of ground. It could mean classic email marketing programs, transactional messages such as ecommerce receipts, or notifications and other emails that support user interactions and engagement. All of these are powerful tools for driving engagement and growth among potential users and current customers alike.

But if you’re using email, you’ll be affected by GDPR. And considering how the law goes into effect May 25, 2018, you’re cutting it close if you’re just now acquainting yourself with something that will have a very significant effect on your business.

You aren’t alone. Far from it:

  • A mid-2017 survey by DocsCorp found only 27 percent of U.S. and Canadian firms had begun to prepare for GDPR.
  • 54 percent didn’t even know the implementation date for GDPR compliance.
  • Though they’re on the front line of the EU, as of the fourth quarter of 2017, only 18 percent of large U.K. companies surveyed by the Technology Law Alliance, a leading specialist technology law firm, claimed to be ready for GDPR.
  • 89 percent said their companies were involved in some form of data mapping or data flow activity, but only 41 percent had a detailed GDPR compliance plan in place.

The ABC's of GDPR

GDPR is a new regulation initiated by the European Parliament, the Council of the European Union, and the European Commission. It’s meant to strengthen and unify data protection for all EU citizens, and also concerns itself with how personal data gets exported and used outside EU boundaries. That latter part will be of serious interest to non-EU-based email marketers.

GDPR is the result, in part, of outcry by citizens and residents of the EU about protecting their personal data. One benefit for marketers is how it’ll clarify and simplify the regulatory environment for businesses operating within the EU. And, if history is any guide, GDPR will probably become the template for regulations in other countries, including the U.S.

In the meantime, though, what’s the impact of GDPR on different marketers? Let’s check out a couple of hypothetical businesses that use email in their applications:

Marketer A: A global platform provider with operations inside the EU, including localized/regionalized email campaigns supporting products marketed to citizens of EU member states. They’re actively targeting prospects and users inside the Union.

Should it comply with GDPR? Absolutely! And many companies like this are investing big budgets to do so.

Marketer B: A small startup SaaS provider located in the U.S. that’s not actively targeting EU buyers or consumers, but may get site traffic and opt-ins to its contact lists from all over the web.

Should it comply with GDPR? Yes. Because any service that collects data about EU citizens or residents is subject to regulation — with potentially large consequences.

Here’s why Marketer B, even as a small, regional startup, needs to worry about GDPR compliance:

  • GDPR applies to anyone, anywhere, who collects personal data from an EU citizen or resident, or instructs an agency or list generator to do it on their behalf.
  • Even if they’re not intentionally targeting EU citizens, they’re within the purview of GDPR if those people visit their website and opt into a list.
  • Those who violate GDPR may be liable for fines of up to 4 percent of annual revenue or €20 million (about $24.6 million), whichever is greater.

Think You’re Compliant? Think Twice

A 2018 Forrester report, The State of GDPR Readiness, surveyed over 3,000 global digital decision makers at firms with 20 or more employees. They found a lot of them thought the regulations didn’t apply to their businesses, since they didn’t physically operate in the EU.

Even more worrisome? Thirty percent of the respondents believed they were GDPR-compliant, but might not pass muster. Forrester felt only some of them had done the necessary groundwork in data discovery and classification, or built data flow maps or run gap analysis.

Exactly what does GDPR demand from marketers who want to gather personal data from people?

  • Companies must receive explicit “unambiguous consent” from visitors to a website or other digital touchpoint before they can track their behavior or collect any information about them.
  • It sets a higher threshold for what’s considered “unambiguous consent.”
  • It demands greater accountability in data practices, including auditable information about data collection and use, and consumer transparency about a company’s data practices.
  • It lays out a new and more inclusive definition of “personal data,” broadened to include device IDs, IPs, cookies, even location data.

Since every aspect of modern email marketing depends on personal data (for analytics, retargeting, database management, personalization and delivery of superior customer experiences), GDPR compliance isn’t optional for most digital marketers. Very few companies will be able to shrug off its implications.

How Do You Get Compliant?

How can you use email marketing under these new rules? There’s a way forward, and going the distance to GDPR compliance may provide some unique benefits. Here’s a quick checklist of the most basic, and important, steps you should take.

Focus On Unambiguous Consent

Make sure you revamp your data capture and prospecting practices so you’re always getting that freely-given, specific, informed and unambiguous consent that’s at the heart of the new regs.

That includes developing new opt-in permission rules that stick close to GDPR (such as always asking for consent at the point of data collection), systems for storing proof of consent, and a method for consumers to ask to have their personal data removed.

Eliminate any “soft” opt-in and opt-out processes completely. Mandating a “hard” process like a double opt-in procedure for consent verification is one great step toward protecting yourself and reassuring your contacts that you’re compliant.


Map Your Data Capture

Do you know exactly where and how you’re collecting personal data? Or even who’s accessing it? For instance, even a closely-managed website may have a large number of embedded tags from third-party vendors enabling their digital marketing tools to function.

Tags are sometimes installed without site managers or marketing departments even knowing they’re there, but by permitting those tags they’re implicitly giving those vendors the right to collect visitor data. A typical enterprise site may have from 50 to 150 embedded third-party tags that may also include “daisy chain” redirects of user data to fourth parties. It’s vital to map these, and any other data collection points across your entire digital presence.

Audit Your Present Database

GDPR applies to all personal data, not just new data. So make sure you know what geographies your current contacts hail from, and make sure you’ve captured a “consent audit trail” for those from within the EU. Any “ambiguous” records mean you’ve got to obtain new and express permission from those outdated contacts.

Unfortunately, many firms have found they lack those audit trails and the cost of obtaining consent from prior contacts is too high, and have had to junk their EU lists and start again from scratch.

Scrutinize Your Data Vendors

Audit them, their lists and their data inventory; are your list providers or other third-party aggregators compliant? You’re exposed if they’re not. Remember, GDPR expects any agency or vendor acquiring data on your behalf to follow the rules, too, or you’re liable for their misdeeds or mistakes.

Purchasing lists with clear, affirmative statements of consent within the original subscription are permissible under GDPR, but be very cautious: Is there enough information on hand to verify a list is compliant, in case you find yourself in court because an action was brought against you? If a vendor isn’t able to provide that backup, show them the door.

Disclose Your Personal Data Handling Practices

Transparency is critical under GDPR, so make sure you have a clear privacy policy that explains how you collect, store, process and transfer personal data. State it all in ordinary, easily grasped language: GDPR looks askance at legalese. Make sure that policy is communicated plainly to people, too.

Make Unsubscribing Easy

Under GDPR, giving contacts the ability to unsubscribe is just as important as how you handle the opt-in process. They need to have a clear and simple unsub mechanism available for removing themselves from your list, via a link visible in any marketing email. Using it, they can unsub from that message, from all marketing communications (if they so choose), and also view a return email address if they need to contact you.


GDPR – An Opportunity for Authenticity

We’ve discussed before how important it is to build authenticity and connection with your audience, in order to develop trust (and better products). Rather than damage your marketing efforts, GDPR actually offers a once-in-a-lifetime opportunity to deepen that engagement with people.

That’s because by taking the time and expense to become compliant with GDPR, and letting your targets know you’ve done so, you’re demonstrating a tangible investment in becoming more trustworthy and considerate of their wants. This gives you an acute advantage over other email marketers who can’t establish compliance, or fail to merchandise the fact they’re making it a priority.

My own company recently went through the process of ensuring our GDPR compliance. While it was unquestionably a large task, it also surfaced opportunities for delivering a great customer experience as well.

For example, it helped our product team prioritize development resources to launch an email preferences center that allows customers to choose the specific kinds of email they want to see from us. That’s a small, but tangible, improvement that makes visible how meeting the law’s requirements can reinforce a commitment to delivering a great customer experience.

GDPR was propelled into law by the desire of EU consumers to protect their personal information. When you demonstrate compliance, you’re proving you respect their wishes and earn their trust. That gives you a chance to build a relationship with them that’s more personal than ever.

So, is the “GDPR crisis” a danger or an opportunity for digital businesses and email senders? Despite the regulatory risks inherent in this broad law, GDPR can help businesses make explicit the value of respecting their customers’ needs. That seems a real opportunity to me.