Our Thinking

GDPR and you: Part 2

In our first post on GDPR, we covered what GDPR is and why you should not ignore it even if you don’t do business with EU citizens. In this post, we will make some tactical recommendations to ensure compliance. If you are new to GDPR, please refer to Part One.

Recommendations for Email Marketing/Marketing Automation systems:

GDPR is a new regulation, however, a number of things that GDPR recommends can be categorized as “email or communication best practices”.  If you use any email marketing software e.g. Constant Contact, MailChimp, Clickbacks etc. or Marketing Automation solutions like Pardot, Marketo etc, make sure you do the following:

  1. With technology at your disposal, it is tempting to capture too much information about your prospects, clients etc. To ensure GDPR compliance, make sure you review the information that you collect, match it with the task, and confirm whether you should keep/capture this information or not.
  2. Build an email or communication preference centre, if you don’t have one yet. Let the clients decide what, when and how often they want to hear from you. This will not only ensure compliance, but also improve client engagement with your communication.
  3. Build and maintain separate lists based on what your users say they want – your newsletters, special offers, offers from 3rd party etc. This is easily doable with Marketing Automation systems.
  4. Within each email you send, include the information about how you acquired the recipient’s data.
  5. Provide an option for “Forget me” which allows users to delete their data, and when a user unsubscribes using “Forget me”, delete their information along with ceasing the sending of emails. Make sure your Email Marketing/Marketing Automation software has this feature. Typically, deleted contacts are quarantined so there is no impact to the historical reporting.

From a system’s perspective, most of the top-tier Marketing Automation/Email Marketing systems are becoming GDPR compliant. So, the newer web forms build within these systems will be compliant, however, depending on the system you are using, it is recommended that you make sure the historical web forms are also compliant.

Recommendations for your Website/Mobile apps

  1. Review all venues of data collection: The Canadian Anti-Spam Law (CASL) required businesses to ask for consent at the point of capturing the email address. GDPR takes things to the next level. GDPR requires businesses to provide details of how you will use the data. Also, businesses are only allowed to collect the necessary information to complete the task. All venues of data collection are covered, including the comments form. One way to do achieve this is to have a link to your website’s Privacy Policy and including this information in the Privacy Policy.
  2. Provide the user with the means to request/export their full information stored on your website as well as the ability to request deletion of that information. Such requests need to be responded to within 30 days.
  3. Make sure the privacy policy on the website has details around:
    1. What data do you capture?
    2. Whether you share the data?
    3. How people can access their data, if they wish to?
    4. How can they delete the data or request deletion?
  4. Make sure you notify the visitors that your website uses tracking cookies.
  5. For eCommerce websites, if you will be using purchase history to email special offers, mention this at the time of collecting the data and provide users the option to opt-out. Also, make sure you have the necessary snippets of Privacy Policy in all the right places.
  6. Don’t store the financial information (e.g. credit card information etc) within the website.
  7. In case of a data breach on your website, inform the users ASAP (within 72 hours) and provide options to delete user’s information.
  8. The data captured in Google Analytics (or any other analytics) is also under the scanner of GDPR, if it can be directly linked to an individual. More than the websites, this applies to modern CRM and Marketing Automation systems that can track and store user’s browsing behaviour with the user’s profile within the system.

In our next post, we will cover more information about GDPR compliance and your website’s Privacy Policy.

Note: The above information is to help you identify and implement the GDPR compliance process as a starting point. This is not intended as legal advice. Please contact a lawyer to see if there are legal risks to your business.