2. The Origins of GDPR
• Attitudes towards data may be evolving, but trust remains the constant and key factor when it comes to understanding what people feel is most important about data
• So the default position is to give the individual choice and control over how their data is used
• Businesses that fail to take responsibility will lose customers, goodwill and ultimately shareholder value
• Those that can demonstrate good data governance will find customers will trust them more and share their data more, which should lead to better revenues
3. 10 things B2B marketers need to know about GDPR
1. The GDPR applies if an organisation is processing personal data
2. B2B marketers use personal data and therefore the GDPR will apply to them too
3. Corporate email addresses and other contact details are personal data
4. In fact the GDPR definition of personal data is broad and includes cookies and IP addresses
5. The GDPR does NOT state that organisations need to obtain an opt-in consent for their marketing
4. 10 things B2B marketers need to know about GDPR
6. The GDPR lays out 6 legal grounds for processing personal data. All are equally valid
7. B2B marketers will be able to make use of the legitimate interest legal ground for their marketing activity in most instances
8. Legitimate interest is a subjective legal ground so an organisation must justify their activity and consider the privacy risks for data subjects
9. Consent is black and white. It is a “Yes” or a “No”. It is a robust standard which may be hard to achieve. The ICO have said legitimate interest might be the better choice
10. GDPR is the overarching framework but there are specific rules for the marketing sector from PECR, which is being revised and will become the ePrivacy Regulation in the future
5. The six principles of GDPR
• Article 5 of the GDPR requires that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes and not processed beyond those
3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed
4. Accurate and, where necessary, kept up to date
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. Processed in a manner that ensures appropriate security of the personal data
6. Controller vs. Processor
• The organisations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects
• For example, an accountant (controller) collects the data of its clients when they open an account, but it may be another organisation (processor) that stores, digitises, and catalogs all the information produced on paper by the accountant
• Both organisations (controller and processor) are responsible for handling the personal data of these customers
7. GDPR Terminology – Accountability
• The principle of accountability under the GDPR refers to a number of measures organisations will need to carry out in order to demonstrate a culture of respecting privacy and data protection
• These include Data Protection Impact Assessments (DPIAs), employing Data Protection Officers (DPOs), privacy by design and data security
• Accountability is the core principle
• The GDPR asks companies to be accountable for their own decisions on how they collect and use personal data
• Accountability applies to everyone across the company
8. GDPR Terminology – Legitimate Interest
• The GDPR says:
– The processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest
• In addition, the GDPR says:
– Processing for postal, email to existing customers using the soft opt-in option or telephone marketing to landlines should be able to consider legitimate interest as the basis for processing
9. GDPR Terminology – Consent
• There are six, equal legal grounds for processing personal data in the GDPR but marketers are most likely to use legitimate interest or consent
• Depending on the context a marketer may need to go down the consent legal ground but it is not the case that consent is the only way to comply with the GDPR: it is one way
• The GDPR says:
– Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her
10. How to obtain consent
• The wording gains opt-in consent for updates, tells the individual that their information will be used to predict potential interest (i.e. Profiling for direct marketing) and reminds them that they have the Right to Object
• This means that the requirements for consent to be “freely given, specific, informed and unambiguous” have been met
• Maybe add this to your Client Engagement Letter
11. GDPR Terminology – Individual’s Rights
• A full list of rights is as follows:
– The right to be informed – to know what happens to their information
– The right of access – Subject Access Request (SAR)
– The right to rectification – data should be kept accurate
– The right to erasure – the right to have data deleted / to be forgotten
– The right to restrict processing – if you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
– The right to data portability – to transfer data from one supplier to another
– The right to object – to stop data from being processed
– Rights in relation to automated decision making and profiling – that means processes that use profiling must also allow for a manual override
13. GDPR – Audit your data
• What personal data does your company hold?
– Prospect Data
– Current Customer
– Lapsed Customer
• Where did the customer data come from?
– Transactions
– Third Party Data
– Online Data (Cookie)
– Data from profiling (matched or augmented)
14. GDPR – Audit your data
• How does your personal data leave your business, if at all?
– You sell the data to third parties
– You share personal data with data processors
– You store the personal data in a non-EU country
• Conclusion
– Now decide on the legal processing of your personal data; you may need to delete some personal data that you hold
– Decide on how to label data correctly as either Consent or Legitimate Interest
– Delete data after 6 years
15. Preventing potential data security breaches
• The GDPR stipulates that in the event of a breach, organisations must notify the relevant Supervisory Authority, which in the UK is the Information Commissioner’s Office (ICO)
• A serious data breach is when the security of Personal Data held by the Data Controller is compromised
• The Data Controller must notify the Supervisory Authority of a breach within 72 hours or without undue delay
• Notification of a breach is mandatory, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
• Maybe use secure document exchange e.g. IRIS OpenSpace
16. Re-engagement Campaign
• Under the GDPR consent has an expiration date so re-engagement will be a tactic you’ll need to build into your schedule, or you’ll lose contacts
• In any re-engagement email, there are four key points to get across:
– How you got their details. Why is the individual receiving this email? Where did their data come from?
– Why you are contacting them. How long has it been since they engaged with one of your emails? Why are you trying to re-engage with them?
– What you will be sending them in the future. What sort of messages – sales, promotions, marketing, events – have they signed up for?
– How they can manage their consent. This is where to point them to your preference centre so they can choose and control what they receive
17. Implementing alternative marketing activities
• Now is the time to think outside the box
• Raise the profile of Marketing within your Organisation
• Cleanse all your personal contact data
• Use SFDC / CRM to track all customer communication
• Think about the alternatives to email e.g. Social Selling or Inbound Marketing
• Create engaging content, use AdWords to drive prospects to your website
• A truly integrated marketing education campaign targeted at both internal and external audiences
19. GDPR Marketers Checklist
1. Plan your “positive opt in” campaign and how you can gain consent
2. Review your current data and whether or not you would be able to show where consent was gained for these contacts if you were asked
3. Revisit your privacy policy and make sure that it is easy to read and covers all relevant areas
4. Update all the forms on your website so that they are in line with the regulations, e.g. no pre-ticked boxes etc
5. Investigate how best to store information on how consent was gathered using your CRM. This will be different for each CRM and may need some technical assistance
20. GDPR Marketers Checklist
6. Decide how you are going to offer individuals the chance to view, update and remove the data which you hold about them. For example this could be a section of the website that you are able to log in to and then amend the details i.e. preference centre
7. Decide on how long consent is valid for in terms of your business and also a process for gaining consent after this time period is up
8. Think about marketing methods alternative to email. GDPR will provide some challenges for those companies that have relied heavily on email marketing, but there are other ways to contact your contacts
21. Bowan Arrow
• Bowan Arrow is one of the UK’s leading B2B Marketing Consultancies
• We plan, create and manage all aspects of business to business marketing activities for businesses of any size
• Contact me: andygrant@bowanarrow.com
• Follow me: @channelman