The Marketer’s Guide to GDPR – Ignore at Your Own Peril

Gary Survis is a Venture Partner and head of the Onsite Marketing Center of Excellence. Gary focuses on driving operational strategies and improvements within Insight and its portfolio companies.  As a former Insight portfolio company CMO, he brings an operational perspective to assist marketing heads to succeed in their role.

In this blog, Gary discusses the forthcoming EU General Data Protection Regulation (GDPR) and how it will impact marketing and sales organizations globally. 

Acronyms are great…if only because they can obscure the true meaning of a policy under the subterfuge of the alphabet. GDPR is one of those types of acronyms—General Data Protection Regulation. This is the EU’s data protection and privacy regulation that goes into effect on May 25, 2018.

If you are unaware or don’t understand the implications for marketing, you may be putting your organization at serious financial risk. And, most importantly…if you think this only impacts European organizations, you are making a serious error! Lastly, there are significant fines that could be levied against your organization: 20 million Euros or 4% of worldwide revenue, whichever is greater!  

This blog should now have your attention. 

It’s all about marketing: It’s a mistake to think about GDPR simply as a compliance or IT exercise. Any marketing organization that markets to European prospects must pay attention. Marketing and sales are on the front line where many of this regulation’s infractions will be most visible. The impact of GDPR will be felt in every aspect of what a modern marketer considers their tools of trade. While the regulations are far-reaching, the first place to begin is with a company’s prospect list.

Opt-in only: This is a key difference in approach compared to what many marketing teams do today, whereby marketers request that prospects “opt-out” of communications. Hence, a person can get contacted by the company because they haven’t been explicit that they don’t want to be contacted. Under GDPR, marketing can only be in contact with prospects that opt-in to communications. The implications here are that on any landing page, your company’s privacy policy needs to be updated, and most importantly, your database needs to be scrubbed to ensure marketing is only speaking to people who have opted-in to communications.

Sales needs to know: For GDPR, it’s irrelevant whether the outreach comes from marketing or sales. Salesforce needs to be updated to include information on how a prospect’s name was obtained, when it was obtained, and whether they have opted-in for contact. Imagine a scenario where an ISR checks their email history and finds a contact with whom they spoke with last year. If the record in SFDC indicates the contact has not opted-in for communications, and the ISR never checks this and sends an email from Outlook, then your organization is in violation of GDPR. Systems need to be put in place to avoid this scenario.

Your MAP is a violation waiting to happen: Modern marketing depends on sophisticated tools to track prospects, determine intent, and serve up the right information, to the right prospect, at the right time. GDPR significantly limits how you can leverage a marketing automation platform. 

Let’s begin with IP tracking. The guidance on GDPR is clear here. If you want to track an IP address of a prospect, you must gain consent. Your MAP needs to be updated to stop tracking unless there is consent.

Lead scoring is another area where there will be some significant changes. Lead scoring comes under the category of profiling. Under GDPR, you cannot use data to create a profile of a prospect from data they have not initially provided. Further, you cannot create workflows in your MAP or CRM based on this profile. This requirement may irreparably change the marketer’s ability to determine lead quality.

What should I do now? What’s been described here represents only a few of the significant changes that are required under GDPR. Companies will still be able to market in Europe, albeit differently than today. 

Here is how Insight recommends that you begin to approach GDPR:

1. Learn: Insight Onsite has a three-part webinar series to jumpstart your learning (all available on demand on our website). The marketing webinar features experts from Salesforce and Sirius Decisions. Below are some useful links to start your learning:
   • GDPR: Sales & Marketing Webinar 
   • Mimecast GDPR Preparedness Kit 
   • SFDC Trailhead
   • GDPR Tasks for Marketing
2. Assess: Assess your organization’s preparedness for GDPR compliance, and include key stakeholders to develop a comprehensive list of issues. If necessary, hire an outside firm to assess and identify your major vulnerabilities. 
3. Plan: Once you understand what needs to be done, plan how to get it done. May 2018 is only seven months away, so use this time wisely. Prioritize the biggest areas requiring change and iterate from there. Until May, your existing practices are not in violation, so use all of your available tools to email, contact and update your database asking them to opt-in.
4. Educate: Preparedness and education go hand-in-hand. The marketing and sales implications are far-reaching, so educate your teams as broadly as possible including legal, IT, compliance, customer success, and services.

GDPR compliance will be a journey for all organizations: it will take time to understand the implications for marketing and sales. If you haven’t already begun, it’s time to evaluate and get your arms around the issue. GDPR is not something to be treated lightly or ignored. 2018 will usher in a new era of doing business in Europe; we will all need to live and prosper within its constraints.

Gary Survis Operating Partner More By The Author