In the last few weeks you’ve no doubt seen emails flooding your inbox with companies notifying you of updates to their privacy policies to comply with GDPR. If you’re unclear what GDPR is, whether it applies to you, and what you need to do, you’re in good company. According to Hubspot, only 36% of marketers have heard of GDPR, and 15% of companies have done nothing to prepare. Fortunately, it’s not too late to start working toward compliance.  

This blog will provide a brief background on what GDPR is, who it applies to, and step-by-step action items on what you need to do to start working towards GDPR compliance. 

What Exactly is the GDPR? 

The General Data Protection Regulation (GDPR) is a data and privacy protection regulation passed by the European Union (EU). Also known as “the right to be forgotten,” GDPR was enacted with the intent to give individuals more control over their personal data, and increase the obligations and restrictions on organizations that collect or process personal data.  

As a US Business, Does GDPR Apply to Me? 

Every business—whether large or small, inside or outside the EU—is subject to the GDPR. If you have customers, business partners, or anyone you make contact with that is an EU resident or does business in the EU, you can be subject.  

Here’s an example of how US businesses without EU customers can still be impacted: most businesses today have tracking cookies on their website (think Google Analytics). Cookies track IP addresses, which GDPR views as personally identifiable information. If someone from the EU visits your website, you will be tracking and storing their IP address data. So pretty much anyone with a modern website is subject to GDPR. 

What Does GDPR Mean for Marketing Efforts? 

As a business owner or marketing professional, your head must be spinning with these new GDPR rules and requirements. Whether or not it intended to do so, the GDPR will restrict the use of marketing tactics like purchasing lead lists, cold email marketing, and collecting/storing prospect data without express permission. It will instead shift focus towards inbound marketing practices like content marketing, social media marketing, branding, and search engine optimization (SEO).  

This isn’t necessarily a negative aspect of the GDPR; inbound marketing tends to attract more viable customers due to providing content that is interesting to them, hence drawing more valuable prospects. 

What Steps Should I Take to Make Sure I Comply With GDPR? 

The road to GDPR compliance is long and will take a while to fully implement; however, there are a few important steps you should take immediately. I have outlined these steps below.

1. Come up with an inventory of all the types of personally identifiable data you collect. This could be email addresses, phone numbers, website visitor IP addresses, etc. Note that you do not need to collect the actual individual data, just the type. For example, you don’t need to collect a list of all actual email addresses you have in your database at this time; you just need to list “email addresses” or “IP addresses” as the type of data you collect.

2. Document Data Usage. Document what you use the collected data for, and where/how you store it. (For example, your business might collect email addresses to send weekly blogs to your customers.)

3. Update Your Privacy Policy. You’ll now want to update your privacy policy (using the data you documented in the last two steps) to let your customers and website visitors know what data you collect, what you use it for, and how you store/protect it. You can find examples of how to update your privacy policy to cover GDPR guidelines here.

4. Notify your customers, business partners and anyone you email. The message you send can be different based on whether you are sending it to people in the US or the EU.

a. US or Non-EU Contacts: If you know the person you are emailing is not a resident of the EU, you can send a basic email notifying them that you have updated your privacy policy.

b. EU Resident Contacts: If the person you are emailing is a resident of or works in the EU, you will need to notify them of the new privacy policy, but you must also give them the opportunity to opt-in to receive future email communications from you. 

5. Collect Opt-In Records of EU Resident Contacts. You’ll want to have a list set up in your email marketing software to collect opt-ins of the people who are EU residents and want to continue receiving your communications. They can stay in your mailing list.

6. Data Storage and Removal. After one week, people from the EU resident list who have not opted in will need to be removed from your database. Note: The fact that someone is your customer or client does not count as them having “opted in.” Under GDPR, EU residents must actually expressly opt in, regardless of customer status. 
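Steps 5 and 6 together describe a small consent-record process: keep a dated opt-in record for each EU contact, and remove EU contacts who have not opted in once a week has passed since they were notified. The script below is an added illustration of that process and is not code from this blog or from any email marketing product; the `Contact` record layout, the field names, and the choice to measure the one-week window from the date the privacy-policy notice was sent are assumptions made for the example. The sample contacts are constructed. Note that `is_customer` is deliberately ignored when deciding whether to remove someone, matching the point that customer status is not an opt-in.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: the one-week grace period runs from the date the notice was sent.
OPT_IN_WINDOW = timedelta(days=7)


@dataclass
class Contact:
    """One row of the mailing list (hypothetical layout for this example)."""
    email: str
    eu_resident: bool
    is_customer: bool = False
    notified_on: Optional[date] = None   # date the privacy-policy notice was emailed
    opted_in_on: Optional[date] = None   # date of the contact's express opt-in, if any


def record_opt_in(contact: Contact, on: date) -> Contact:
    """Step 5: store the dated opt-in so there is a record of consent."""
    contact.opted_in_on = on
    return contact


def should_remove(contact: Contact, today: date) -> bool:
    """Step 6: EU residents with no opt-in are removed once the week has elapsed.

    Customer status (is_customer) is intentionally not consulted: the post
    states that being a customer does not count as having opted in.
    """
    if not contact.eu_resident:
        return False                       # non-EU contacts only needed the notice
    if contact.opted_in_on is not None:
        return False                       # express opt-in on file, keep them
    if contact.notified_on is None:
        return False                       # notice not sent yet; the clock has not started
    return today - contact.notified_on >= OPT_IN_WINDOW


def purge_unconfirmed(contacts: List[Contact], today: date) -> Tuple[List[Contact], List[Contact]]:
    """Split the list into (kept, removed) according to should_remove()."""
    kept = [c for c in contacts if not should_remove(c, today)]
    removed = [c for c in contacts if should_remove(c, today)]
    return kept, removed


def sample_contacts() -> List[Contact]:
    """Constructed sample data for the example (not real addresses)."""
    notice_day = date(2018, 5, 24)
    alice = Contact("alice@example.com", eu_resident=True, notified_on=notice_day)
    record_opt_in(alice, date(2018, 5, 25))                       # opted in: kept
    bob = Contact("bob@example.com", eu_resident=True, is_customer=True,
                  notified_on=notice_day)                          # customer, no opt-in: removed
    carol = Contact("carol@example.com", eu_resident=False, notified_on=notice_day)  # non-EU: kept
    dave = Contact("dave@example.com", eu_resident=True, notified_on=date(2018, 5, 28))  # week not over: kept
    return [alice, bob, carol, dave]


if __name__ == "__main__":
    kept, removed = purge_unconfirmed(sample_contacts(), date(2018, 6, 1))
    print("kept:   ", [c.email for c in kept])
    print("removed:", [c.email for c in removed])
```

Running the script with the constructed data on 2018-06-01 removes only bob (an EU customer who was notified eight days earlier and never opted in) and keeps the other three. Keeping `opted_in_on` as a date rather than a boolean is the useful design choice here: it leaves a record of when consent was given, which is what you would need to show if asked.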

So What Happens if I am Not in Compliance? 

If an organization doesn’t process an individual’s data correctly or follow GDPR compliance requirements, the fines can be steep. Very steep. Though the numbers look scary, UK information commissioner Elizabeth Denham stated, “We’re not going to be looking at perfection, we’re going to be looking for commitment.” They do not intend to make examples of organizations by issuing hefty fines when they are not deserving of it. The best course of action is to prepare your business to be GDPR compliant and ensure you have all the appropriate data and security policies in place as soon as possible. 

Without a doubt, a higher bar for marketing professionals has been set as a result of the GDPR. Marketing tactics which aren’t designed with GDPR compliance in mind will hastily meet their demise. This will require marketers and business owners to be more innovative with their marketing strategies but will also result in more creative and conscientious marketing practices. 

Next week we will be releasing a follow-up blog on how to properly collect, store and process data in a way that is GDPR compliant. Very important for anyone with marketing lists or customer databases (so basically, everyone.) 


Disclaimer: This blog post is not intended to provide legal advice to help your company comply with the GDPR. We are providing background and information on the GDPR only. Any legal information mentioned above is solely for the purpose of supplying facts and details regarding the GDPR. You may not rely on this blog as legal advice nor as a recommendation of any particular legal understanding.