By now, every marketer targeting a European audience is aware that May 25 marks a crucial deadline — it’s the day the European Union’s General Data Protection Regulation (GDPR) goes into effect.
Most marketers are (or should be) well on their way to ensuring that their website and landing-page form language, data transfer procedures and lead capture processes and documentation are compliant with the GDPR.
What’s less understood is how the GDPR will affect B2B marketers’ third-party lead generation efforts, such as content marketing syndication, webinars with other brands and events.
GDPR’s Effects on Third-Party Lead Gen Programs
According to the SiriusDecisions 2017 Data Privacy Compliance Core Report, the GDPR mandates organizations must acquire “clear affirmative action — freely given, specific, informed, unambiguous agreement by the prospect to have personal data processed.” Further, the SiriusDecisions report states that, under GDPR, organizations must maintain documentation “that lists the personal information it collects and processes, the location of that information, the purpose for processing that data, records of consent received from prospects, and documented processes followed for the protection of personal data.”
These rules apply to both marketers’ owned lead sources (i.e., website and landing page forms) as well as the third-party lead vendors fulfilling their paid campaigns. Therefore, it’s critical that B2B marketing teams have plans in place to ensure the media partners, publishers and lead vendors collecting prospect data on third-party sites on the marketing team’s behalf are GDPR-compliant. If they don’t, they could face crippling fines:
- Level 1: €10 million, or 2 percent worldwide annual revenue (whichever is higher).
- Level 2: €20 million, or 4 percent worldwide annual revenue (whichever is higher).
The Growing Importance of Third-Party Lead Gen
Some of you reading this may be inclined to think, “We’ll just stop running third-party lead gen campaigns.” You could do that, but first consider a couple of important points:
- The GDPR isn’t the be-all and end-all of data privacy regulations. It’s simply one (albeit a big one) of a rapidly developing wave of forthcoming data privacy regulations. More regulations are sure to follow around the world. Instead of scrambling to come up with quick-fix patches that will apply only to this specific EU regulation, think of the arrival of the GDPR as a development that presents an opportunity to create more precise and efficient demand generation practices.
- Dropping third-party programs can have detrimental consequences to your sales pipeline. About 10 years ago, with the rise of marketing automation, B2B marketers became enamored with inbound marketing. The idea was reminiscent of the movie “Field of Dreams” and its most famous line: “If you build it, he will come.” The inbound marketing movement promised that with a great inbound strategy, supported by a well-structured website and driven by the newest marketing automation technology, you could generate all the demand your company needed. If you build it, your prospects will come. This hasn’t quite been the case. The reality is more like the movie “Moneyball”: demand marketers have found that they must be creative and varied in the ways they go out and find prospects. This is even more true as account-based marketing (ABM) has grown in importance. As Jennifer Dimas, vice president of integrated marketing at Plex, put it:
“In reality, it’s crazy to think all your target accounts are just going to show up to your website. With ABM, you must go where your prospects are.”
What B2B Marketers Must Do to Prepare
So, how do you prepare your third-party lead gen programs for GDPR compliance?
Unfortunately, there’s no hack here — you must get organized, be vigilant and, most importantly, start this process as soon as possible. Here’s a straightforward, helpful approach.
Start by identifying all third-party sources using external lead forms. Then, make a simple table containing columns with these headings:
- Sources/partners/vendors: In this column, list any source or partner that captures personal data from individuals in the EU, Switzerland and/or the U.K. (The U.K. will still be governed by GDPR rules when it goes into effect in May and is also setting in place a Data Protection Bill that will bring it in line with GDPR regulations post Brexit).
- Contact information: List the names and email address etc. of your contacts at the organizations in the first column.
- Compliance with consent language and processes rules: In this column, identify each source as either Y for “currently compliant” or N for “not yet compliant.”
- Compliance with cross-border data transfer rules: As above, use this column to mark each source as either Y for “currently compliant” or N for “not yet compliant.”
- Date scheduled for compliance to be fully implemented: For those sources, partners and vendors that you marked with N’s for “not yet compliant,” find out when they will be ready, write that date in this column and then check back when that date arrives.
Further, it’s important to have your legal team write up an agreement to be signed by each lead vendor, providing an assurance they’re in compliance with the GDPR before running any EU campaigns. While it's as yet unclear if this will free your company from all legal obligations, having the contract in place is one step towards proving compliance.
Remember as well, the GDPR specifies that organizations must maintain clear records to demonstrate consent. One way to do this is to require your third-party sources to show you the landing pages and forms they’re using to present your offers and capture prospect data. Again, you’ll want to do this before they start generating leads for your EU campaigns. Take a screen shot and time-stamp it so you have a record.
The GDPR clearly is presenting B2B marketers with some major hurdles to clear in the coming months. However, each of these challenges only serves to make us better, more targeted and more customer-focused marketers — and that is a good thing.