Looming EU Data Privacy Regs: Boom or Bust for US B2B Marketers?

If you’re a B2B marketer in the US you’re probably aware of the general trend toward more stringent data privacy regulations. But are you and your organization ready for the EU’s General Data Protection Regulation (GDPR) which goes into effect in May 2018 and applies to both B2C and B2B?

The GDPR applies to any B2B marketer who collects, stores, or uses identifying data (name, phone number, email address, IP address, etc.) about individuals in the EU. So if, like most B2B marketers, you have a database with EU prospects or customers, or use web forms, track web visitor behavior, send email campaigns, use third party lists, or exhibit at trade shows, then read on to learn more about the GDPR and why it could be a bust or boom for your marketing efforts.

GDPR Basics

The GDPR became law in 2016 and requires compliance as of May 25, 2018. The law applies to any entity, not just those based in the EU, so US firms need to understand the law now while there’s time to take the necessary actions. Some particular concerns for B2B marketers include:

1. Consent requirements – When obtaining consent it must be “freely given, specific, informed and unambiguous” using “clear and plain” legal language. Soft opt-in is no longer allowed. Consent must be an affirmative act, so pre-checked boxes or inferring consent based on inactivity on the part of the individual no longer pass muster. And you must be able to document the consent (date, consent method, what they were told).
2. Documentation and data trail – EU individuals have the “right to be forgotten” and the “right to data portability”. This means you have to document deletion requests and, if you’ve given any identifying data to another entity, you must be able to notify them. If an individual wants to see their data, you must provide it and allow them to change it or provide it to another entity upon request.
3. Security – In addition to making reasonable efforts to protect data, if there is a breach of any personal data you must report it within 72 hours of learning about it.
4. Privacy Policy – Privacy policies and statements on websites, emails, etc. must clearly state how identifying data is gathered and used, how individuals can retract consent, and must clearly state compliance with the provisions in the GDPR.

I like the SiriusDecisions data privacy compliance model which bases a data privacy compliance strategy on five elements:

By focusing on processes and policies for each of these data elements as it relates to marketing and sales prospect and customer data, your organization can ensure it meets data privacy regulations.

Why it might be a bust

If your B2B organization doesn’t sell into the EU, or capture or monitor EU individuals’ behavior (will Google Analytics data or marketing automation social monitoring data qualify as identifying data?), then maybe you won’t be subject to the regulations.

Though I wonder how any organization using website analytics tools or social media monitoring can ensure they aren’t capturing identifying data of EU individuals who might stumble upon the website or a social channel and even engage in some way. After all, an EU individual might not realize they can’t buy from you before browsing your website or downloading something. Or they might be a consultant helping their US based clients research solutions and suppliers.

If you already have records of EU individuals in your sales and marketing databases, then you may be forced to dump that data if you haven’t documented consent that complies with the GDPR. Or maybe you bought third-party lists that didn’t comply. For many B2B marketer’s this could mean dumping a significant portion of your prospect database!

Non-compliance with the GDPR regulations will certainly be a bust for your organization given the possible penalties which max out at 4% of global annual revenues for the previous year or €20 million (about US$23 million), whichever is greater. And it will likely be costly for most organizations to get their data, processes, and policies into compliance before May 2018 since internal resources, and most likely external consultants and/or legal advice, are needed.

Why it’s likely a boom

Some B2B marketers may view the GDPR as placing more restrictions on their ability to market. However, I would argue that this may be just what you need to get resources to create and maintain accurate data, and perhaps most importantly, buy-in throughout the organization to create and adhere to data policies that will help maintain more accurate data down the road — data you need to do more effective lead nurturing and content marketing. This could be your opportunity to finally build a strong in-house contact database! Don’t forget this affects not only marketing data, but also sales data such as that residing in CRM systems.

I can even see the GDPR as being a major driver for justification to implement a marketing automation and/or CRM system if you don’t already have one because these systems will automate much of the compliance for you. For example, Marketo, Hubspot and Salesforce are all addressing the GDPR specifically with product updates and customer guidance.

Having accurate data enables you to properly segment prospects and use personalization to drive better engagement, and ultimately deliver better qualified leads to sales.  You’ll have more accurate metrics enabling more insightful analysis and better marketing ROI. I like this graphic from SiriusDecisions showing the benefits of “consent-based” marketing — a marketing best practice you should aspire to anyway.

What to do now

I’ve highlighted below some actions most B2B marketers should take now to ensure compliance with the GDPR by next May.

• Get all corporate stakeholders on board including IT, Legal, Customer Service, Sales and Marketing.
• Conduct an internal assessment of current data processes and policies including how your marketing automation, CRM, and other external data suppliers or processors are complying with GDPR.
• Implement GDPR compliant processes, update policies, and train employees.
• Get consent now if you can’t prove you have it by running re-permission campaigns to get opt-in from EU contacts.
• If nothing else, create a compliant contact data capture process now to ensure that going forward any contact data for EU individuals meets the new GDPR requirements no matter the source, i.e. online, trade show, data appending, phone, third-party data purchase, etc.
• Create an email preference center so that EU individuals can control their data and consent on an on-going basis. Non-EU contacts will thank you for this as well!
• At the very least you’ll need to segment out EU contacts to create separate communications, or create processes that prevent additions of EU contacts into your database (assuming you’re confident there’s no valid scenario for having EU contacts).

I also recommend downloading Getting to grips with the GDPR: A B2B marketer’s guide which is a 40 page practical guide for B2B marketers. Another good resource is A Marketer’s Essential Guide to GDPR Compliance. Even though these resources are targeted to UK marketers primarily, the information is equally useful to those in the US.

I’ve shared with you my thoughts and recommendations, but I’m not a lawyer, so this shouldn’t be considered legal advice. You should engage a legal professional to help ensure you meet the GDPR data privacy and protection requirements.

What is your B2B organization doing to prepare for GDPR compliance? How long before other countries and even the USA create similar regulations around data privacy and protection?