Marketing in the GDPR era: 4 tips on the quest for compliance

Like so many other companies offering products and services to a global audience, the Mertech team recently turned our attention to data, privacy, and new data protection laws going into effect, such as the General Data Protection Regulation. The conclusion we drew was an easy one:

While the Regulation technically applies only to our audience located in the European Union, we know that privacy and data protection are critical for everyone in our community. As a result, we decided to implement a few changes that will have a positive impact for everyone, regardless of their physical whereabouts.

Whether you’re curious about some of the changes that you’ll find throughout the site, or looking for a few best practices to implement in your organization’s marketing, here are 4 areas that played a significant part in our GDPR compliance efforts (you can also find our take on GDPR compliance for databases here).

Disclaimer: This information is not legal advice for your company to use in complying with the EU’s data privacy law, the General Data Protection Regulation. Instead, it provides information to help you better understand some of the legal points covered in the GDPR as they relate to websites and marketing. In summary, we insist you consult an attorney for advice on interpreting GDPR requirements or for particular legal advice.

4 marketing topics related to GDPR compliance

In GDPR terminology, data subject is referenced throughout the legislation; the term is defined as “an identified or identifiable natural person.” To make each of the following points easier to share and understand, we’ll demonstrate using a data subject named John.

Privacy Policy

At Mertech, we’ve had a Privacy Policy posted on our website for several years, but it was time for a sizeable update that would include a lot of details that were not offered in the past. The main points we added include why and how we collect data, what we do with the data we collect, how we protect the data collected, and the data rights of each subject we have information about.

If it’s time to update your policy, or if you’re just getting started with your first, here are some things to consider:

• Easy to understand: The GDPR specifically notes that information related to data processing must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language,” (Article 12). At Mertech, we took this opportunity to go through our policy and remove or replace any details that resembled legal jargon and instead worked to explain things in simple terms.
  
  
  
  
• How we collect data: In our policy, we listed and explained the technologies that help us collect data from website visitors and the marketing emails we send, such as cookies, log files, and clear gifs. When you’re working on your privacy policy, it’s helpful to review information provided by your marketing and/or email platform, website analytics provider, website plugins, etc. in order to get all the details covered.
  
  
• How we use the data we collect: This portion of our Privacy Policy talks about using the data collected in order to improve John’s website experience by personalizing the information he sees, or to send him information that we think may be of interest to him.
  
  
• How we protect collected data: In our look at GDPR as it relates to databases, we talked about secure data storage through methods such as anonymization and pseudonymization. But when it comes to your marketing, you also want to be aware of the safety measures in place for receiving and/or transferring data on your website. In our case, we checked with our marketing platform (In GDPR terms, they are known as the Data Processor), and verified that they are compliant with the EU-U.S. Privacy Shield Framework, the approved data transfer mechanism covered in Article 45 of the GDPR; as a result we covered this point specifically in our Policy. 
  
  Bonus tip: Discussing data protection is also a great time for you to assure your website visitors that you will never sell or share their personal information to any third party, assuming that’s a promise your organization makes to the community.
  
  
• Rights for each data subject: Under GDPR, John has the right to request access to the personal data that we have about him. Additionally, he is able to request that we modify or delete his personal data. In our updated Policy, we made it easy for John to find the email and/or physical address where he can reach us for reviewing, correcting, and/or removing his personal information. Make sure that any method of contact you provide in your Policy is one that is checked regularly, and not an unmonitored email address, since the GDPR standard for responding these types of requests is 30 days.

Cookies notice

Building upon the “how we collect data” portion of our Privacy Policy, GDPR mandates that website visitors are given notice that cookies are being used to track their activity. Again it’s important to emphasize that this notice is presented in language that they can understand. Furthermore, site visitors must have two options in the notice: an affirmative opt-in or the choice to decline cookies. One helpful hint here is to keep your cookies notice brief and to the point, but you may also want to consider a link in the notice that will take visitors to your complete Privacy Policy, as we’ve done here:

Lawful basis of processing

Per GDPR, any organization that is processing the data of an EU-based data subject must have a legal reason to use it. The legislation states that your legal reason must fall into one of six categories (Article 6), although for our community it’s probably safe to say that your legal reasoning will most likely be found in one of the first three listed here:

• Consent: This two-degree category states that our data subject, John, gives consent when he chooses to opt-in, but this is only valid if he is given notice at the time he opts-in (meaning that John was provided with an exact description of what he’s opting into).
  
  
• Performance of a contract: For instance, let’s assume that John is a customer; under GDPR you are allowed to send him a bill regarding his account - no consent necessary.
  
  
• Legitimate interest: This category is the most flexible, but that does not mean you should rely on it as a default to make things easy. That being said, a real scenario where legitimate interest can be used is when John is a customer, and you want to send him information about products related to what he currently has. Learn more about legitimate interest and when you can and cannot rely on it.
  
  
• Legal obligation: Used when processing is necessary for you to comply with the law (not including contractual obligations).
  
  
• Vital interests: Processing the data is necessary to protect the data subject’s life.
  
  
• Public interest task: For the performance of a task tied to public interest or for official functions, and the task has a clear basis in law.

Additionally, you must log your lawful basis reasoning for John in your contact records. It may be helpful to look into the options available through your CRM or other contact database for tracking and storing this kind of information, which is where we found our solution.

Consent to communicate and/or process data

One of the most obvious changes to our website as it relates to GDPR is found in the forms that we use (for downloadable offers, etc). Each form is now complete with a statement that grants permission for Mertech to “store and process” the information of the person filling it out. And in many cases, you will also find that we offer the option to sign up for a blog subscription or other email list at the same time a visitor is completing a form. The critical part to note here is that per GDPR standards, John must affirmatively opt-in to any options - meaning he needs to click on a check box, because pre-selected check boxes are not compliant.

Consent is a significant part of the Regulation, because if our data subject, John, fills out a form on the website, it does not serve as an implicit opt-in to everything that we want to send him. We are approved to reach out to him about the specific request he submitted (such as emailing him the white paper he wanted, or replying to his product question, demo request, etc.) but that’s where communication must cease unless he is a customer who falls under the ‘performance of a contract’ or in some cases ‘legitimate interest’ reasoning for lawful processing.

If your website has any forms for collecting someone’s personal data, such as their name or email address, you should also take steps to gain their consent and log your lawful basis for processing. It may also be helpful to consider adding a link from the form to your complete Privacy Policy so that you can ensure your audience is well-informed about your data practices.

Email permission campaign

Taking communication consent one step further, the Mertech team launched a campaign to collect updated email preferences from our community. We realized that sometimes people may have a change of opinion about the emails they once signed up for, and although there is a link to update email preferences at the bottom of every email we send, we wanted to make it more obvious to everyone that they have control over their inbox.

The effort was relatively simple, using our marketing platform. Every contact in our database - customer or not - was sent an email with a link to a page showcasing all 4 of the email subscription types we offer, where they could select the emails they want to receive (remember, affirmative opt-in!) and save their preferences. If you are interested in running your own campaign to update email preferences, check with your email or marketing platform to see what kind of options they offer.

Withdrawal of consent (opt-out)

One last note about consent, as it applies to GDPR: it must be just as easy for John to withdraw his consent as it is for him to grant it. Including “unsubscribe” and “update my subscription preferences” links at the bottom of every marketing email is the first step.

Second, as we talked about in listing ‘rights for each data subject’ in the Privacy Policy section above, you should also provide John with an email address and/or mailing address where he can withdraw his consent or object to how his data is being processed.

Have GDPR compliance notes to share?

Everyone appreciates new ideas and suggestions! If you are able to offer any insights to the Mertech community based on your own GDPR efforts, please leave a comment below.