GDPR Is Looming. Here’s Your To-Do List

By Ginger Conlon | 3.21.18

Many U.S. companies aren’t ready for the General Data Protection Regulation (GDPR) to take effect on May 25.


In some cases, their executives think it doesn’t apply to their organization. In reality, “GDPR applies to any company that markets to consumers who are EU data subjects, despite where they currently reside,” says Susan Wiseman, SVP, general counsel, and corporate secretary, for Braze (formerly Appboy), which has been on a two-year journey to be GDPR compliant and recently hosted an event to educate partners and clients on GDPR. “You may market to someone here [in the U.S.] who’s an EU data subject.”


In other cases, business leaders are mired in the processes associated with GDPR preparedness. “You have to take this in an organized fashion; you can’t do everything at once,” Wiseman advises. “The main focus of GDPR is giving data subjects control of their data. Everything should map to that.”


With GDPR looming, it’s essential to move forward quickly but cautiously and get your data and marketing houses in order. After all, the dangers of noncompliance are greater than just potential fines. Noncompliant businesses may lose partners and B2B customers who don’t want to risk their reputation and bottom line by working with companies that aren’t following the regulations set in GDPR. Noncompliant businesses may also lose B2C customers who lose trust in them.


What's a marketer to do?


Lawyer up. In some organizations marketers are leading GDPR compliance efforts, but GDPR is a law, so it’s crucial to work with a lawyer, whether in-house or external, Wiseman advises. Although there’s plenty of counsel online, such as articles (like this one) and whitepapers, none should substitute for actual legal counsel and expertise. “This is such a particular area of law it’s important to work with someone who understands it in a deep way and can ‘predict’ what regulators might be looking for,” she says.


Build a team. Marketers can’t go it alone when it comes to GDPR compliance. Team leaders and other key stakeholders from all departments within an organization need to be involved because, as Wiseman points out, “You need a solution that works across the company.”


Think differently. GDPR compliance is driving fundamental shifts in “how marketers are able to approach their job…, in transparency, and in data management,” Wiseman notes. This means marketers need to rethink how they handle everything from retargeting to cross-selling and from driving opt-ins to simplifying opt-outs. Marketers also need to reconsider how they collect, use, and share customer data, including data onboarding and identity management.  


Know yourself. Marketers, and other business leaders, need to understand when their company is collecting and using data as a controller or as a processor, Wiseman points out. She cites as an example that Braze is a controller in terms of internal data, such as employee information, and is a processor for its customers’ data.


The reason this is so important? “The data controller is responsible for its third-party providers,” Mailjet head of legal and DPO Darine Fayed said during Braze’s GDPR Beyond Borders event. “We can’t just blindly subscribe to services online and use our customer data through them. We have to vet all partners.”


Map your data. The most difficult and time-consuming aspect of preparing for GDPR is data mapping. It’s also the most vital element of preparedness. Marketers should work with the rest of their company’s GDPR team to determine what data the company has, exactly; where it’s stored; what tools the company uses to collect, analyze, and share it; how the data is used; and who the company shares it with.


“Taking that detailed inventory is a painful process,” Wiseman says, adding that in Braze’s case it was just the first step in mapping its data. “Then we had to determine not only how — in a practical and scalable way — we make sure we’re compliant with GDPR, but also how our customers can use our services in a compliant way.”


Get your digital house in order. Mapping data also should include tracking how customers’ online data travels. Fatemeh Khatibloo, a principal analyst at Forrester Research, recommends using tools such as Ghostery to track where a website is sending data, for example.


Partner up. GDPR isn’t just about what a company is doing with its data; it’s also about what that company’s partners are doing with data. Marketers need to understand, in detail, how their partners are using and managing data. “You have to show what you and your partners are doing with data,” Wiseman says. “It’s onerous but necessary.”


And, track what data is sent to partners and why. “Get buttoned up about what you’re sending to whom,” Braze CTO and cofounder Jon Hyman said at its GDPR event. “Understanding what you need to send to who, when, and for what helps minimize risk.”


You may also need to revise partner (and customer) contracts to make sure your obligations are up to date, Greenhouse Software head of legal Kate Hooker said during the event.


Update your opt-in strategy. Forrester’s Khatibloo advises marketers to move toward “consent by design and default.” That means being clear about what customers are opting in to, and no checked boxes. She also suggests streamlining opt-ins to create levels of data sharing, as well as merging consent with preference. “Get consent for what data you can collect and how you’ll use it at the same time,” she says. For instance, as customers complete an online profile, give them the option to subscribe to newsletters that match their interest.


Remember that “unbundled consent” is a best practice. It’s important to request an opt-in to each separate item. Consent is ongoing, so create and retain a consent record to track when it’s necessary to ask for consent again.


Be visible. Determine what’s most visible — such as your privacy policy, opt-in and opt-out processes, and use of retargeting — and prioritize revising them to be GDPR compliant. It’s a red flag if those types of visible areas aren’t GDPR compliant, Braze’s Wiseman notes. And if your compliance is a work in progress, consider showing that, too, to confirm that you’re working on being compliant. Braze launched an entire section on its site dedicated to GDPR.


Take a deep breath (but not too deep). Highly visible global companies such as Google and Facebook will be the most likely initial targets of GDPR, Wiseman posits. That may buy other companies some time in terms of possible visits from regulators, but compliant enterprises won’t want to risk working with noncompliant companies. “No company wants to work with a business that’s going to put them on the front page of the newspaper because of GDPR,” Wiseman says.


Don’t freeze in the headlights. GDPR is vague, and that can be scary enough to stall the efforts of even the boldest of marketers. “Everyone is afraid because GDPR is vague,” Wiseman says. “Will data protection authorities think what we’re all doing is compliant?” To answer that question, Braze and others are acting as discussion facilitators: putting information on their websites, hosting events, sharing ideas and strategies. “People want to know what you’re doing that’s compliant and that enables them to comply,” she adds.


Keep learning. There’s a great deal of hype and misinformation. Be careful not to get so drawn into it that key areas of GDPR get overlooked. For instance, consent is not the only basis for processing data; having a valid business interest is another. It’s essential to understand the difference and nuances — one more reason that working with legal counsel is so important. Another example is record keeping: what information companies have to keep and for how long. “You need to document the ways you’re using customer data and the basis for processing each type of data,” Braze SVP of Marketing Marissa Aydlett said during its GDPR event.


GDPR compliance is daunting, but there are upsides.


Wrapping up the Braze event, European Big Data Initiative Chairman Pierre-Nicolas Schwab said, “GDPR presents two types of opportunities: One is to show consumers that you respect their data. Another huge opportunity is to review your data collection practices and create efficiencies. Eliminate data and tools you don’t need, which saves money. You’ll be storing less data and improving your prediction models. It’s all positive, but you have to have the courage to start over again with your data practices.”

Bonus to-do item: Think beyond GDPR as a compliance hurdle; consider it an opportunity to build customer trust and enhance the customer experience.

About the Author

Ginger Conlon, chief editor and marketing alchemist at MKTGinsight, catalyzes change in marketing organizations. She is a frequent speaker on marketing and customer experience, and serves in advisory or leadership roles for several industry organizations. Ginger was honored with a Silver Apple lifetime achievement award for her contributions to the marketing industry.

Find her at @customeralchemy and on LinkedIn.