B2B Marketers: Don't Let GDPR Scare Get to You*

  • By Idan Carmeli
  • 22 Nov, 2017

* I hope you appreciate my heroic resistance against the pull to use the ‘keep calm and comply with GDPR’ meme in the headline.

GDPR, or General Data Protection Regulation, may look like an innocent four-letter word, but it’s been robbing sleep from a growing number of B2B marketing operations pros out there, mostly because of what they don’t know about it. The purpose of this post is to clear up at least some of the uncertainty that surrounds it, as far as marketers are concerned, so that you can approach the subject without being distracted by the horn blares of the GDPR scaremongers running rampant out there, and so you can evaluate the implications for your marketing operations. In the following section, we will summarize the main aspects of the regulation, and then do our best to give you practical advice and pointers, especially as far as your marketing automation setup is concerned.

Disclaimer: this article and anything written in it does not constitute legal advice, and any interpretation of it as such is the sole responsibility of the interpreter. Our purpose is to collect and organize in a single location the information we’ve gathered about GDPR from public domain sources, such as the UK’s ICO, as a service to the public, and specifically to our clients, actual and prospective.

The TL;DR (Too Long; Didn’t Read) Version

  • GDPR is an EU directive that is planned to go into effect on May 25th, 2018.
  • It will apply to the UK, regardless of Brexit, according to the UK’s ICO (Information Commissioner’s Office).
  • Its purpose is to set a clear direction for all 28 EU member countries in terms of personal data protection.
  • It affects every organization that collects data about EU individuals, regardless of its location.
  • If affected, the organization is required to record and justify its intention in said collection.
  • Data collection needs to be limited to what’s required and necessary for its intended processing.
  • Consent for data collection must be explicit. It can’t be assumed or forced, and it must be acquired separately for each type of processing that is intended to be performed on the data. Opt in data must be saved.
  • Any person in the collected database will have the right to request information about the way their data is being processed and whether it’s been shared with anyone.
  • In addition, they will have the right to ask for erasure.
  • In total there are seven rights the GDPR specifies, and they’re all listed here.
  • Firms with over 250 employees should employ a Data Protection Officer (DPO). The GDPR also applies to smaller organizations if certain conditions are met (more below).
  • Organizations would need to provide the audiences they market to an option to opt-out of any direct marketing, tracking or profiling that is being done through their data.
  • Fines for non-compliance are exceptionally scary and can go anywhere between 2%-4% of annual turnover, or $10M-$20M, whichever is higher.

Now, don't let the last item scare you into frenzied action, or, worse, freeze you into inaction. Assuming you're a legitimate B2B service provider or vendor, and your marketing practices are not on the spammy side of the dish, then you're not really the target of the regulation. Yes, there are some actions you should take, but none of it should spell the end of marketing as you know it. Simply read on and note our 'takeaway' sections with our advice on what you should do.

Diving Deeper - The Detailed Version

The GDPR is about protecting the rights of individuals to keep their personal data from being collected and abused by organizations, public bodies and businesses in general:

protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data

The core principles that govern collected personal data

According to the GDPR, collected personal data must adhere to the following principles:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Takeaway #1:
As you can see, if you’re a typical B2B company, operating in a legitimate business segment or niche, and you’re selling legitimate products or services that solve a real problem for your target market, then you have little to worry about, in our opinion. All of our clients fall into this category, and none of them, as far as we know, collects information they shouldn’t be collecting, not to mention use it in ways that GDPR was designed to block. It’s mostly the consumer brands that need to worry, especially in the nether regions of such verticals as gaming, gambling, advertising, Forex trading, etc. Also, any organization that collects financial information, e.g. for payment processing. And, duh, any organization, be it B2B or B2C or B2Whatever, that employs permission-less marketing tactics. Seriously, GDPR notwithstanding, stop it, ok? Not cool.

GDPR Implications for Marketing

If you process personal data for direct marketing purposes:

  • You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
  • You must deal with an objection to processing for direct marketing at any time and free of charge.
  • You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
  • This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
  • You must offer a way for individuals to object online.
  • If you’ve shared personal data with 3rd parties and the person in question wishes to have their data erased, you must inform the 3rd party as well and take reasonable measures to ensure their compliance.

Takeaway #2
Set up a subscription preference center: if you don’t have one already, you need to start putting together the groundwork for letting your audiences select their communication preferences. Your marketing automation platform is the place to start managing this process. The important thing to consider here, in our experience, is to think carefully about how preference data is taken into account for each future campaign, be it automated, a one-off, a sales drip, etc.

Tip: start by polishing your existing (or create new) smart/dynamic lists to select members of your marketing database from one of the 28 EU countries, and to group them by content preference selection as well as opt-in / opt-out data.
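The consent rules above (explicit opt-in per type of processing, an objection that stops direct marketing immediately, and the EU-country smart list from the tip) boil down to a small data model that a marketing database can be checked against. The following is an added example, not code from the original post or from any marketing automation platform; the purposes, country codes, addresses and opt-in evidence are constructed sample values.

```javascript
// Added example, not code from the original post: a per-purpose consent
// register for a marketing database. Purposes, country codes, email addresses
// and opt-in evidence below are constructed sample values.
const EU_COUNTRIES = new Set(['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR',
  'DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES',
  'SE','GB']); // the 28 member states at the time of writing (2017)
const PURPOSES = ['newsletter', 'product_updates', 'profiling']; // each needs its own opt-in

class ConsentRegister {
  constructor() { this.contacts = new Map(); } // email -> { country, consents: Map }
  addContact(email, country) {
    this.contacts.set(email, { country, consents: new Map() });
  }

  // Record an explicit opt-in for one purpose with the evidence needed to
  // justify it later: where it was given, the wording shown, and when.
  recordOptIn(email, purpose, { source, text, at = new Date().toISOString() }) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const c = this.contacts.get(email);
    if (!c) throw new Error(`unknown contact: ${email}`);
    c.consents.set(purpose, { status: 'opted_in', source, text, at });
  }

  // An objection takes effect immediately and only for that purpose; the
  // record is kept with its new status rather than deleted, as evidence.
  recordObjection(email, purpose, at = new Date().toISOString()) {
    const c = this.contacts.get(email);
    if (!c) throw new Error(`unknown contact: ${email}`);
    c.consents.set(purpose, { status: 'objected', at });
  }

  // Gate every send on this: no record for the purpose means no send, and
  // consent for one purpose never carries over to another.
  mayProcess(email, purpose) {
    const c = this.contacts.get(email);
    const rec = c && c.consents.get(purpose);
    return Boolean(rec) && rec.status === 'opted_in';
  }

  // The "smart list" from the tip: EU contacts currently opted in to a purpose.
  euAudienceFor(purpose) {
    return [...this.contacts.entries()]
      .filter(([email, c]) => EU_COUNTRIES.has(c.country) && this.mayProcess(email, purpose))
      .map(([email]) => email)
      .sort();
  }
}

// Constructed sample data showing the states a contact can be in.
const register = new ConsentRegister();
register.addContact('anna@example.com', 'DE');
register.addContact('bob@example.com', 'US');
register.addContact('carla@example.com', 'FR');
register.recordOptIn('anna@example.com', 'newsletter', { source: 'webinar form', text: 'Email me the newsletter' });
register.recordOptIn('bob@example.com', 'newsletter', { source: 'signup page', text: 'Email me the newsletter' });
register.recordOptIn('carla@example.com', 'newsletter', { source: 'signup page', text: 'Email me the newsletter' });
register.recordOptIn('carla@example.com', 'profiling', { source: 'signup page', text: 'Personalise content for me' });
register.recordObjection('carla@example.com', 'newsletter'); // newsletter stops, profiling continues
```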

Takeaway #3
The EU’s “cookie law”, a precursor to GDPR, resulted in what you may know today as the cookie notices on virtually every website you visit. You know, the ones that let you know the website is tracking your activities in a cookie. To comply with GDPR starting May 2018, websites will need to expand this feature and offer their visitors a way to opt out of any tracking or retargeting they may be subject to following a visit to the website. This means you’ll have to modify your retargeting pixel placement practice to allow visitors to remove themselves from your retargeting campaigns. Furthermore, since GDPR will almost certainly be a Regulation and not merely a Directive, everyone affected will need to comply and cookie consent will stop being a state-governed issue:

… under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data. [source: cookielaw.org]

B2B marketers should consult with their web admins to prepare for these implications.
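One way to implement the pixel placement change described in this takeaway is to make every tag depend on a stored, per-purpose consent decision and to give the opt-out handler the job of both persisting the withdrawal and removing the tag. This is an added example, not code from the original post or from any tag manager; the tag ids, script URLs and storage key are constructed placeholders.

```javascript
// Added example, not code from the original post: gate retargeting/analytics
// tags on per-purpose consent and honour an opt-out at any time.
// Tag ids, script URLs and the storage key are constructed placeholders.
const CONSENT_KEY = 'site_consent_v1';
const TAGS = [ // each tag is bound to one purpose and never fires without it
  { id: 'retargeting-pixel', purpose: 'retargeting', src: 'https://ads.example/pixel.js' },
  { id: 'analytics-tag', purpose: 'analytics', src: 'https://stats.example/a.js' },
];

// Stored consent is JSON like {"purposes":{"retargeting":true},"at":"..."};
// absent, malformed or non-boolean entries count as "no consent".
function parseConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    if (obj && obj.purposes && typeof obj.purposes === 'object') return obj;
  } catch (e) { /* fall through: treat as no consent */ }
  return { purposes: {} };
}

// Only purposes explicitly set to boolean true allow a tag to load.
function allowedTags(consent, tags = TAGS) {
  return tags.filter(t => consent.purposes[t.purpose] === true);
}

// Load consented tags only and return their ids. `store` needs getItem/setItem
// (localStorage in a browser); `doc` may be null outside a browser (decision only).
function loadConsentedTags(store, doc, tags = TAGS) {
  const consent = parseConsent(store ? store.getItem(CONSENT_KEY) : null);
  const allowed = allowedTags(consent, tags);
  if (doc) {
    for (const t of allowed) {
      if (doc.getElementById(t.id)) continue; // already on the page
      const el = doc.createElement('script');
      el.id = t.id; el.src = t.src; el.async = true;
      doc.head.appendChild(el);
    }
  }
  return allowed.map(t => t.id);
}

// Opt-out: persist the withdrawal (purpose -> false, timestamped as evidence)
// and remove the tag's script so it does not fire again on this page. Cookies
// the vendor already set can only be cleared through the vendor's own opt-out.
function optOut(store, doc, purpose, tags = TAGS, at = new Date().toISOString()) {
  const prev = parseConsent(store ? store.getItem(CONSENT_KEY) : null);
  const next = { purposes: { ...prev.purposes, [purpose]: false }, at };
  if (store) store.setItem(CONSENT_KEY, JSON.stringify(next));
  if (doc) {
    for (const t of tags.filter(x => x.purpose === purpose)) {
      const el = doc.getElementById(t.id);
      if (el) el.remove();
    }
  }
  return next;
}
```

In a browser you would call `loadConsentedTags(localStorage, document)` on page load and wire `optOut(localStorage, document, 'retargeting')` to the preference control.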

Rights in relation to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. First, you should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. Specifically, individuals have the right not to be subject to an automated decision when:

  • it is based on automated processing; and
  • it produces a legal effect or a similarly significant effect on the individual.

What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

  • economic situation;
  • personal preferences;
  • behaviour;
  • location; or
  • movements.

When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place. You must:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimize the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Takeaway #4:
Marketing automation platforms offer B2B marketers several tools that profile and quantify certain elements of their audiences’ personal profiles. These may include, among other technologies:

  • Behavioral and Demographic scoring frameworks
  • Predictive scoring engines
  • Content recommendation engines

It would seem that to comply with GDPR, B2B marketers should prepare a statement that describes clearly and succinctly their use of such tools and its purpose. Such statements can be included in your website’s privacy notice. It can be something as simple as “We collect data about content you have consumed while on our website in order to serve you better content offers over time, as well as for anonymized statistical analysis we perform internally.” Consult with your legal counsel team for the appropriate wording for your circumstances.

When does a Data Protection Officer need to be appointed under the GDPR?

Under the GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. In other words, even if you don’t appoint a DPO, someone in your organization will need to be made aware of your GDPR obligations.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39 of the GDPR:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).

What does the GDPR say about employer duties?

You must ensure that:

  • The DPO reports to the highest management level of your organisation, i.e. board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

What should be the DPO's qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

Takeaway #5:
Unless you’re a large enterprise, you are not obligated to formally assign a DPO. Simply make sure you or someone else in your organization is aware of the main aspects of the law, especially as regards the personal rights it addresses, and designate them as the focal point for inbound inquiries and for org-wide training. Speaking of which, it’s widely accepted that regularly training and educating your organization’s employees about GDPR should be your top priority in moving towards compliance.

Converto's View on GDPR Compliance for B2B Marketers

Overall, we believe that the GDPR will force marketers into being better at what they do, and will force out practices that are already frowned upon such as list purchases and other permission-less marketing tactics. 

B2B marketers running legitimate, best-practice operations should have little to worry about, in our opinion, and we advocate adopting a no-stress approach to the project of ensuring their organization's practices adhere to the GDPR guidelines. Yes, there are actions to take; no, it won't affect your business as badly as some scaremongers would like you to think, especially if you've done a decent job to date of being transparent about your use of collected personal data.

If you're such a marketer, then it is reasonable to expect that only a handful of your EU audience members, if any, will ever contact you with a request to exercise one of their rights as defined by the GDPR. A good litmus test of how risky things would become for you after May 25th 2018 is to check your current sender score, or check (if possible) how many spam complaints you've received in the past year or so. If you're green now, odds are you'd be green after GDPR, as long as you take care of the basic compliance requests.
