It's time to review your organisation's GDPR preparations.Marketing automation has become a natural tool for many of the most successful marketing organisations, not least in B2B, but GDPR gives us reason to review many of the processes that have been automated. There we need to identify areas of risk where we have high exposure. The next step is to address shortcomings before the 25 May 2018 deadline.Here we highlight five pitfalls and how to avoid them.
Explicit consent for lead scoring and reverse IP tracking
As you know, the GDPR requires explicit, or "active", consent to the storage and use of personal data. But this does not only apply to the sending of newsletters. Two key Marketing Automation features that many marketers and sales teams use on a daily basis will now require explicit consent from the data controller, namely IP tracking and lead scoring.IP tracking - using a person's IP address to obtain information about their behaviour. This requires explicit consent under the GDPR, both for storage and processing.Lead scoring - assessing and rating how warm and ready to buy different leads appear to be based on their online behaviour - is key to a time-efficient and productive collaboration between marketing and sales. However, the process counts as "profiling" under the GDPR and constitutes processing of personal data that requires explicit consent. Similarly, consent is required for purchase propensity calculations via Sales Force Automation systems in cases where the calculation, or the profiling that it entails, is the basis for following up with a salesperson.Lead scoring and IP tracking are two common processes that are widely used by many organisations but where explicit consent has rarely been sought and given by the data controller. Organisations wishing to continue using these processes should immediately review their databases and ensure that they have the consents they need. These should be documented so that the organisation can show where and when the consent was given and the scope of the consent.
Data focus - limited data collection and storage of personal data
As marketers, many of us are probably guilty of collecting and retaining a little more personal data from a person than we actually need. Where in the past we have casually collected nice-to-have data (which we might have thought we might need at some point in the future), we now need to shift to asking ourselves, with each collection, what data is really necessary to have. Just because your Marketing Automation Platform allows you to store complete profiles of your contacts, doesn't mean you have to, so review all your forms and check that all the information requested is actually necessary. In B2B, often all that is needed is a name, email address and company name. Also review your databases and weed out and delete any information that is not clearly necessary.
Review your system support and synchronisation between MA and CRM
If it hasn't been done before, now is the time to move from Excel files and other manual systems for storing customer data to centralising all personal data in a robust CRM system. For those who have already taken that step, it's time to review how the CRM system works with the Marketing Automation platform to avoid the risk of someone who has withdrawn their consent being contacted anyway. The penalties are severe for those who slip up.CRM and MA systems need to be fully synchronised so that an opt-out in one system automatically applies to all marketing and sales communications with the recipient. It is important to be absolutely certain that every name in the CRM database and every email address in the MA system has given explicit consent to receive marketing material.In the context of centralising personal data in a CRM system, it should also be possible for users to access their data, review its intended use, and change their preferences themselves.
Explicit consent for reactivation of inactive contacts
Where previously you could contact old contacts to update or extend consent previously given, the GDPR requires you to have explicit consent that covers every type of communication (e.g. newsletters, offers or invitations require explicit consents), even if the contact is made to renew an opt-in. Thus, reactivation campaigns targeting people who have been inactive for months or even years, in order to renew a database, are no longer allowed.Even data management campaigns where old data is used to create new data, are limited by the consent requirement. Old data must be reviewed and discarded where it does not meet the new requirements, and marketers are held accountable for all activities whether they rely on new or old automated processes.
Disposal of data
Last but not least, any data that you do not have explicit consent to store, process and use must be deleted. This applies both to old personal data where active consent was never given (or even requested). This includes the new right to be forgotten, which means that a company must delete all data it holds about an individual, if the individual so requests. Again, a centralised system for all personal data is beneficial. This is so that consent (or its withdrawal) can be managed in one place but have an impact throughout the organisation. It also allows individuals to easily toggle their various consents on and off, giving companies greater ability to target the right type of marketing to the right people.One exception, which constitutes a "legitimate interest" under the GDPR, is the retention of the data needed to execute an individual's request to be forgotten. Thus, it is permissible to store an email address in order to mark it as blocked for the organisation.The GDPR is a bit of a jungle but no one knows Marketing and Sales Automation like we do. That said, we're happy to guide you through your preparations. And even make sure you come out stronger on the other side. Get in touch and we can tell you more about how we work and what we can do for you.
*The contents of this article should not be construed as legal recommendations or advice on legal or regulatory matters. Reasonable steps have been taken to ensure that the content is not untrue or misleading. However, no guarantee of accuracy or completeness is given and no liability can be claimed for misstatements or omissions. The publisher accepts no responsibility for any action taken solely on the basis of the information contained in this website