On April 14, 2016, the EU Parliament approved the General Data Protection Regulation (GDPR), and it goes into effect on May 18, 2018. What you do (or don’t do) over the next five months to become GDPR compliant will impact your company for many years to come. We know the urgency and seriousness of this mandate is keeping our marketing community up at night. So, we hosted a Denver Marketo User Group (MUG) gathering dedicated to all things GDPR. Denver MUG co-leaders Marisa Rybar and Ginger Wilson facilitated the event’s conversations.
Chris Arrendale, CEO and Principal Deliverability Strategist at Inbox Pros, and Jack Yusko, Privacy Compliance Analyst at Marketo, presented on the GDPR topic to a crowd of 30+ eager-to-learn marketers at ID headquarters. Considering the importance of the topic and our dedication to adhering to data privacy best practices, we’ve summarized the night’s discussions for those who may have missed it.
“GDPR is like CASL on steroids.”
As soon as Chris uttered these words, the entire room straightened up and leaned in closer to listen as he ran down the definition of Personally Identifiable Information (PII) and Sensitive Personal Information (SPI):
- Online identifier
- Health information
- Cultural profile
- …and more
“Permission is king these days.”
Simply put, you cannot send prospecting and sales messages (via email or text) without explicit opt-in consent (or parental consent to collect data for children under 16) from your EU recipients. And the EU gives strict guidelines on how to obtain that consent:
- You can’t use pre-checked boxes on your forms.
- You must keep consent requests separate from other terms and conditions.
- You have to make it easy for people to withdraw consent, and you have to tell them how to do it.
- You must keep evidence of consent (who, when, how).
“Are you asking for too much information?”
Chris posed this rhetorical question to the audience, and then he advised attendees to implement a “Privacy by Design” or “Privacy by Default” approach to collecting and processing data: only ask for the bare minimum needed to cover your GDPR bases.
He then specified EU residents’ rights under GDPR:
- They must have access to their own data.
- They can correct their own data at any time.
- They have the right to delete their information (“Right to be forgotten”).
“Marketers need to be in charge of opt-ins.”
- Make GDPR compliance an important part of your goals now and into 2018.
- Revisit CAN-SPAM laws, and analyze your organization’s current state of compliance.
- Figure out what needs to change and prioritize.
- Tackle your checklist step-by-step so you don’t get overwhelmed.
- Schedule regular check-ins with key stakeholders.
- Train your employees (e.g., sales representatives) and provide updates as necessary.
- Work with and review your partner contracts to confirm they are also GDPR compliant.
“Appoint a Data Protection Officer (DPO).”
The DPO’s main responsibilities:
- Educate the company on important compliance requirements
- Train staff involved in data processing
- Conduct audits to ensure compliance and address issues before they arise
- Serve as the point of contact between the company and GDPR Supervisory Authorities
- Monitor performance and provide advice on the impact of data protection efforts
- Maintain comprehensive records of all data processing activities conducted by the company
- Interface with and inform data subjects about how their data is used, their “Right to be Forgotten,” and what measures the company has put in place to protect their personal information
“You have 72 hours to report data breaches to authorities.”
GDPR compliance applies to data breaches too, so Chris recommended developing procedures to detect, report, and investigate personal data breaches. Know that you must notify the Information Commissioner’s Office (ICO) within 72 hours when a Data Protection Act (DPA) breach occurs, and you have to communicate with affected individuals soon after that. If you don’t follow these data breach protocols, your company faces fines for the failure to notify in addition to the fine for the breach itself.
Chris and Jack rounded out the presentation by fielding audience questions. Jack spoke in detail about Marketo’s year-long GDPR-compliance preparations. He also invited audience members to review Marketo’s recently published ebook, The GDPR and The Marketer: A Practical Guide for the Marketo Customer to learn more detailed information.
Reach out if you’d like to learn more about Marketo, learn more about the Marketo User Group, or find out how ID can help you prepare for and execute GDPR readiness.