Marketer’s Guide
to the GDPR
Table of Contents
The Scope and Implications of the GDPR
Segmenting and Synchronizing Your Databases
Capturing and Managing Consent and Other Privacy Preferences
Running Opt In Campaigns
Working with GDPR-Compliant Vendors
Managing Inbound Leads
Managing Opt Outs and Other Individual Rights
Outbound Marketing Tactics
Cold calls
Cold emails
Social media outreach
Direct mail
Advertising
Contact- and cookie-based retargeting
Retargeting based on social media activity
Lookalike audiences and social media
IP targeting
Data management platforms (DMPs)
Conclusion
Effective May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is reshaping how marketing teams around the
world engage with EU citizens.
Some marketing gurus proclaim the GDPR is the end of marketing as we know it, while others see it as an opportunity
to increase conversion numbers on email and advertising campaigns. Either way, there’s no debate that marketers have
needed to adjust tactics and strategies to ensure compliance with strict new data privacy requirements.
In this white paper, you’ll find how-to guidance on practical steps you can take to satisfy the GDPR. These tips and tricks
draw in part on Treasure Data’s own initiatives around the GDPR in areas including database segmentation, opt in / opt
out management, inbound leads, cold emailing and more.
As with all things GDPR, caution and due diligence are advisable. Certain rules around the GDPR are subject to
interpretation, and will likely evolve over time. It’s best to consult with your own legal team and security professionals for
specific direction and guidance on how the GDPR may affect your organization.
The Scope and Implications of the GDPR
The GDPR protects individuals in the EU (the regulation speaks of “data subjects,” which covers people located in the EU
regardless of citizenship), and it applies to organizations anywhere in the world that offer goods or services to, or monitor
the behavior of, people in the EU. There is no head-count threshold for being in scope: the 250-employee figure that often
circulates concerns only an exemption from some record-keeping duties, not whether the regulation applies. With more than
500 million people in the EU, the implications for marketers are far-reaching. For instance, a U.S. company that sets cookies
when someone in the EU visits its website, or collects that visitor’s data in a web form, is affected by the GDPR. Any sales,
marketing or advertising that involves personal data of people in the EU falls under the GDPR umbrella.
Let’s say an EU citizen gets her conference badge scanned at a trade show exhibit booth in Tokyo, and the lead data is
then uploaded into a CRM in Denver – that counts. It will not matter where the data was collected or uploaded or where
a marketing campaign is launched – as long as it’s data that represents an EU citizen, you’re subject to the GDPR no
matter where data is stored.
It remains to be seen how aggressively the GDPR will be enforced both within the EU and globally. A U.S.-based company
with operations in the EU can certainly be subject to fines for GDPR violations. And while the situation is less clear for
companies without a presence in the EU (but which have data on EU citizens), experts say that legal frameworks are in
place for enforcement actions.
Fundamentally, the GDPR aligns the 28 EU nations under one data privacy law and empowers EU citizens with new
rights to guard their privacy. In the regulation, citizens are called “data subjects,” and companies that collect and hold
consumer data are “data controllers.” Third parties that process consumer data for a data controller are called “data
processors.”
For instance, Treasure Data is a data processor for its data controller customers. However, our internal marketing
department acts as a data controller as far as our own marketing campaigns are concerned.
The GDPR introduces new requirements for companies in several key areas:
Right to data access. EU citizens have the right to request and receive detailed information on what data your
company possesses on them, where that data is stored and how it’s utilized.
Data portability. EU citizens have the right to ask that your company transmit their data to another company, making it
easier for them to switch to a competing service or product provider.
Right to rectification. EU citizens have the right to change any incorrect information about themselves that is stored
and accessed by a data controller.
Right to be forgotten. EU citizens can demand you delete all information you have on them (called “data erasure”), and
can revoke consents they might have given you previously.
Breach notification. Data controllers must report a personal data breach to the supervisory authority within 72 hours of
becoming aware of it, and must inform the affected individuals without undue delay when the breach is likely to result in a
high risk to them. Processors must notify the controller of any breach without undue delay.
Britain’s exit from the EU (Brexit) has prompted questions about the GDPR and the UK. It’s important to note that the UK
remains part of the EU until at least 2019, followed by a lengthy transition process. Even upon separation, the UK is likely
to maintain strict consumer privacy regulations very similar to the GDPR. UK residents should be covered in your GDPR
compliance efforts.
Segmenting and Synchronizing Your Databases
This basic step is essential. You want to segment your customer databases to create separate audiences for accounts and
contacts that are affected by the GDPR, and those that are not. These databases could be for email automation, CRM or
digital advertising – any system in which you store contact data.
At Treasure Data, we’ve created the following audience segments. Note that we’ve created a separate segment for
UK contacts, which could save rework down the road if post-Brexit distinctions need to be made between EU and UK
citizens:
•	 EU companies and their contacts (including contacts who may not live in the EU, but are known to work for a
company with EU headquarters)
•	 UK companies and their contacts (including contacts who may not live in the UK, but are known to work for a
company with UK headquarters)
•	 Any contact identified as residing in the EU / UK, regardless of their company HQ location
This gives the Treasure Data team the flexibility to handle each population in accordance with the rules that apply.
Capturing and Managing Consent and Other Privacy Preferences
Another basic step is to add or update contact preferences and other opt-out preferences to be comprehensive and
consistent across all customer databases. For example, if you use Salesforce, Marketo and Zendesk, you probably have
fields similar to the following across all your systems:
•	 Email opt out
•	 Call opt out
•	 Cookie opt out
•	 Targeted ad opt out
•	 Social media opt out
•	 Direct mail opt out
You must keep track of every change to each of these consents over time, and operationalize these consents, taking them
into account in your marketing activities. For example, you must have a process to deal with the following scenarios:
•	 Someone calls in to your sales or support department and requests to be removed from all forms of email. The
sales / support agent makes that change in the system they regularly use, and that change would then be passed
on to other systems.
•	 A user opts out of email and is recorded in your marketing automation system and this must be synced across all
enterprise systems to prevent emails from salespeople doing cold outreach out of Salesforce, or vice versa.
With multiple systems that could manage your customer preferences, you need one place to aggregate and summarize
these requests for processing across all of your marketing databases. Managing this effort manually is a recipe for
disaster — wasted resources and potential fines. This is where we rely on our own customer data platform (CDP) to help.
Here are a couple of ways to manage it all:
•	 You can build your own system of record for consent, for example in a system like Treasure Data. This would
require building logic that synchronizes that data to and from your other systems.
•	 Or, you could use your own consent management system, which was designed to be the system of record
for customer preferences across your company. These systems typically have vetted web or mobile device
functionality to walk users through configuring their preferences, presenting terms of service and more.
Either way, you need to operationalize those privacy preferences across all your marketing activities. Managing those
activities from your CDP — like Treasure Data — is the surest way to stay compliant with the GDPR. Once your CDP has
your customers’ preferences logged, you can market to each one only in the ways they’ve asked for.
Running Opt In Campaigns
An opt in campaign, also known as a “permission passing” campaign, is one in which you reach out to your EU audience
segments and ask whether they’d like to opt in to communications. If you have not done this before the GDPR takes
effect, it’s best to launch this campaign as soon as possible.
At Treasure Data, our list includes all countries in the EU, including the UK. Here are the steps for our opt in / permission
passing campaign:
1.	 Unify all email databases
2.	 Create an EU / UK segment in email / marketing automation software
3.	 Exclude all contacts who have previously opted out
4.	 Customize messaging by vertical (this is not related to the GDPR, but improves open and response rates)
5.	 Launch a sequence of three emails, ending with a “last chance to opt in” call to action
While many of these steps are common sense, pay special attention to step 3. Honda and Flybe were fined by the UK
Information Commissioner’s Office (ICO) for emailing citizens who had previously opted out of email communication. To
quote the ICO, “Businesses must understand they can’t break one law to get ready for another.” In other words, if someone
has already opted out, don’t email them to ask if they want to opt in again.
Also, bear in mind that opt in must be explicit. For instance, if an opt in form has several checkbox options, you can’t have
the opt in box checked by default. The individual must manually check it. You also need to present a legal statement that
outlines how the person’s information will be used. See “How to create GDPR compliant consent in web forms” under
Managing Inbound Leads below.
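To make the consent-management and opt in campaign sections concrete, here is an added example (not part of the original guide and not Treasure Data’s product) of the consent system of record they describe: an append-only ledger of preference changes from every system, a resolver that takes the latest change per channel regardless of which system recorded it, a list of events still to be pushed to a given system, and the step 3 filter that keeps anyone who has ever opted out of email off the permission-passing send list. The contact IDs, system names, channel names and timestamps are constructed sample data, in Python:

```python
"""Consent ledger: append-only record of preference changes across systems.
Added example; contacts, systems and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Assumed channel names, mirroring the opt-out fields listed in the text.
CHANNELS = ("email", "call", "cookie", "targeted_ad", "social", "direct_mail")


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    channel: str
    granted: bool          # True = opt in, False = opt out
    source: str            # system where the change was made, e.g. "zendesk"
    recorded_at: datetime  # timezone-aware time of the change
    evidence: str          # how it was captured: form id, ticket, call note


class ConsentLedger:
    """Events are never edited or deleted, so every change a data subject
    could ask about is kept together with its source and time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.channel not in CHANNELS:
            raise ValueError(f"unknown channel {event.channel!r}")
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(event)

    def history(self, contact_id: str) -> List[ConsentEvent]:
        # Ordered by when the change happened, not by when it reached us, so a
        # late-synced opt-in cannot overwrite a more recent opt-out.
        return sorted((e for e in self._events if e.contact_id == contact_id),
                      key=lambda e: e.recorded_at)

    def current(self, contact_id: str) -> Dict[str, Optional[bool]]:
        """Latest event per channel wins. None = no preference ever recorded."""
        state: Dict[str, Optional[bool]] = {c: None for c in CHANNELS}
        for e in self.history(contact_id):
            state[e.channel] = e.granted
        return state

    def may_contact(self, contact_id: str, channel: str) -> bool:
        # Only an explicit opt-in counts; "unknown" is treated as "no".
        return self.current(contact_id)[channel] is True

    def pending_sync(self, target_system: str) -> List[ConsentEvent]:
        """Changes made elsewhere that still have to be written to target_system."""
        return [e for e in self._events if e.source != target_system]


def opt_in_campaign_audience(ledger: ConsentLedger, contact_ids: Iterable[str]) -> List[str]:
    """Step 3 of the opt-in campaign: never email anyone who has opted out of
    email, in any system. Contacts with no recorded preference are still asked."""
    return [c for c in contact_ids if ledger.current(c)["email"] is not False]


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data covering the scenarios described in the text."""
    ledger = ConsentLedger()
    for ev in (
        ConsentEvent("alice", "email", True, "marketo", _ts("2018-03-01T10:00"), "web form ebook-2018"),
        ConsentEvent("alice", "call", True, "salesforce", _ts("2018-03-02T09:30"), "asked on discovery call"),
        # alice later phones support and asks to be removed from all email
        ConsentEvent("alice", "email", False, "zendesk", _ts("2018-04-10T14:00"), "ticket 1042: no more email"),
        ConsentEvent("carol", "email", False, "marketo", _ts("2017-11-20T08:00"), "unsubscribe link"),
        ConsentEvent("carol", "email", True, "marketo", _ts("2018-05-20T11:00"), "web form webinar-signup"),
        # dave's opt-out arrives first but is the more recent change
        ConsentEvent("dave", "email", False, "salesforce", _ts("2018-05-02T16:00"), "rep note: do not email"),
        ConsentEvent("dave", "email", True, "marketo", _ts("2018-05-01T12:00"), "late-synced form submission"),
    ):
        ledger.record(ev)
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    for cid in ("alice", "bob", "carol", "dave"):
        print(cid, demo.current(cid))
    print("opt-in campaign audience:", opt_in_campaign_audience(demo, ["alice", "bob", "carol", "dave"]))
    print("to push to salesforce:", [(e.contact_id, e.channel, e.granted) for e in demo.pending_sync("salesforce")])
```

The resolver deliberately treats “no preference recorded” as “may not contact” for every channel except the permission-passing email itself, which is the one message the campaign exists to send; if your legal team reads the Honda/Flybe decisions as barring even that, change `opt_in_campaign_audience` to require `is True`.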
Working with GDPR-Compliant Vendors
First of all, the GDPR makes list buying problematic in general, but we’ve seen new vendor list services popping up that
claim to offer names who’ve opted in to be contacted by the vendor’s customers in accordance with the GDPR.
For many marketers, the restrictions on lists may be one of the biggest changes. Basically, buying lead lists with EU
contacts, or using a SaaS service to look up contacts carries serious risks for marketing teams. From our research,
there are a couple workarounds here.
Seek legal guarantees
Only work with vendors that legally guarantee their lists contain contacts who have opted in to marketing
communications from other vendors. This seems like an obvious solution, but use caution: If you buy a list, send
emails and find out a contact was not GDPR-compliant, you’re the one on the hook, not the vendor. Additionally, we
are aware of complications whereby if a vendor extends their network, this would affect their terms of service and the
vendor would have to reconfirm the contact’s opt in status, further complicating the issue.
Even if you are confident of the vendor’s ability to manage this process, and the vendor’s contract states they take
liability, you could still wind up with two legal actions – enforcement by EU authorities for a GDPR violation, and your
own lawsuit against the lead vendor for damages.
Luckily there still seems to be a way to work these lists via cold calling. Check out more on this tactic in the Cold Calling
section below.
Utilize an email delivery vendor
A second tactic is to provide your email copy, a list of target accounts and ideal titles to a vendor that sends emails on
your behalf. The idea is that the vendor, which decides whom to email from its own list, acts as the “data controller” for
that data and thereby takes on the legal risk. Bear in mind that controller or processor status follows who determines the
purposes and means of the processing, not the label in a contract, so confirm with counsel that the arrangement really
leaves you outside the controller role. This seems like the best way to solve the problem but it’s unclear at this time how
popular this kind of model will become.
Of course, with this option, you’d be at the mercy of the email delivery vendor to correctly execute, track and report on
the campaign. This could slow down the sales process, but that’s still better than getting hit with a fine or eliminating the
ability to email market all together.
Managing Inbound Leads
Managing inbound leads within the GDPR regulations breaks down into two discrete areas:
•	 Inbound leads that come in from web forms you control
•	 Inbound leads that come in from affiliate sites
Inbound leads from web forms you control
Ensuring that new leads from web forms you control are GDPR-compliant is simple if you use a double opt in process.
Most marketing automation vendors provide guides for double opt in, such as:
•	 Adobe
•	 Hubspot
•	 Marketo
•	 MailChimp
•	 Oracle
How to create GDPR compliant consent in web forms
If you manage a website where you capture any personal data, and there is a chance that any of your web visitors are EU
citizens and/or residents, the GDPR applies to you. Luckily, having your top-of-funnel activities become GDPR compliant
boils down to simply obtaining positive consent from the users who submit their information.
Obtaining positive consent
As relevant to capturing information, the GDPR states that controllers must obtain consent from the data subject in
order to use their information. The consent needs to be explicitly given by the EU citizen/resident through a manual opt-
in. Simply adding a text disclaimer with links such as “Our company values your privacy” or “By submitting this form you
agree to our terms” is not sufficient to meet GDPR requirements.
As part of a website form, obtaining consent is most commonly achieved by adding an acknowledgement checkbox at
the end of the form, positioned above the “Submit” button. The checkbox needs to be accompanied by a statement that
specifically outlines how the person’s information will be used. The checkbox needs to be unchecked by default and the
user must manually check it to be considered positive consent, rather than having the visitor uncheck a defaulted checked
box to opt-out.
Alternately, and because the GDPR only applies to EU citizens/residents, some controllers prefer to not front-load their
forms with consent checkboxes and with what some may consider off-putting language. Instead, they simply ask the
user if they are an EU citizen/resident. If the user indicates that they are indeed an EU citizen and/or resident, upon
submitting the form, the user is notified via email that they are invited to again opt in to the controller’s intent to send them
communications of the stated type. The email usually contains a link to a second web form, where the user completes the
GDPR-required step of the form (which was not present in the initial step). In much the same way as outlined above, the
consent is usually met by asking the user to check an itemized checklist explaining how the user’s information will be used.
Obtaining consent cannot be required for the user to complete their action, which is why the user should be provided with
a way to complete their action without providing consent.
This approach may seem preferable since it introduces less friction for users at the initial step and serves as
verification that the email address supplied by the user is valid. However, data controllers should be careful to
correctly label, and make required, the citizenship/residency question so that they can properly identify EU citizens/
residents, including those who don’t reside in the EU, or hold dual citizenship. In addition, the controllers should be
able to flag and not use the data of users who submitted the first part of the form, but did not complete the second
(GDPR opt-in) part.
Incomplete consent scenarios
Under the scenario that the user did not provide consent, the consent submission is not complete. The controller has
the lead data, but they can’t use it. Therefore, the controller needs a way to follow up on incomplete submissions and
ask the lead to consent.
Finally, a controller may choose to do a combination of the two approaches above. Under this scenario, the form doesn’t
display the consent checkbox by default, but does include the question of whether or not the user is an EU citizen/
resident. If the answer to the EU citizenship question is negative the checkbox remains hidden. If the answer is positive,
the checkbox is revealed. This approach is adopted by some as it offers the least friction at first glance. It also eliminates
the need to have special follow up processes for users whose data is subject to the GDPR.
In either case, the single most important requirement to make any form GDPR compliant is the explicit, positive consent
needed from the users to have their data stored and used by the controller. A number of vendors can help you with
these techniques, including Treasure Data, so just select the best fit for your business.
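The following is an added example, not code from the guide or from any of the vendors named, of the server side of the three form patterns just described. The consent flag is only ever read from what the browser actually submitted (a box that is pre-checked in the HTML arrives as “on” exactly like a real click, which is why the markup must default it to unchecked; the server cannot tell the difference), the EU-residency question is mandatory whenever the form carries it, a resident who did not tick a box in the two-step pattern gets a signed, expiring confirmation link for the emailed second step, and leads without completed consent are flagged as unusable rather than silently used. The field names, the HMAC key, the notice version string and the seven-day link lifetime are assumptions:

```python
"""Server-side lead-form handling for the explicit-checkbox, two-step and
conditional-checkbox consent patterns. Added example; field names, key and
lifetime are assumptions."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: per-environment secret used to sign confirmation links.
SECRET_KEY = b"replace-with-a-random-key-from-your-secret-store"
CONFIRM_TTL_SECONDS = 7 * 24 * 3600   # assumed lifetime of the emailed link


@dataclass
class LeadDecision:
    status: str      # consented | no_consent | pending_confirmation | not_in_scope | rejected
    reason: str
    confirmation_token: Optional[str] = None


def _ticked(value: Optional[str]) -> bool:
    # Only the submitted value counts; a pre-checked default would look the same.
    return (value or "").strip().lower() in ("on", "true", "1", "yes")


def make_confirmation_token(email: str, consent_version: str, now: Optional[float] = None) -> str:
    """Signed, expiring token carried by the link in the confirmation email."""
    payload = json.dumps(
        {"email": email, "v": consent_version, "exp": int((now or time.time()) + CONFIRM_TTL_SECONDS)},
        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def confirm_consent(token: str, now: Optional[float] = None) -> Optional[str]:
    """Second step: the email whose consent is now complete, or None if the
    token is malformed, forged, tampered with or expired."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    if data["exp"] < (now or time.time()):
        return None
    return data["email"]


def process_lead_form(form: Dict[str, str], pattern: str,
                      consent_version: str = "privacy-notice-v1",
                      now: Optional[float] = None) -> LeadDecision:
    """form: parsed POST body. pattern: "checkbox", "two_step" or "conditional"."""
    email = (form.get("email") or "").strip()
    if not email:
        return LeadDecision("rejected", "email missing")
    ticked = _ticked(form.get("gdpr_consent"))

    if pattern == "checkbox":
        if ticked:
            return LeadDecision("consented", f"checkbox ticked, notice {consent_version}")
        # The submission itself still succeeds (consent cannot be a condition of
        # the action), but the lead must not be marketed to until consent exists.
        return LeadDecision("no_consent", "stored, unusable until consent is obtained")

    # The two remaining patterns carry the residency question; it is required.
    eu = (form.get("eu_resident") or "").strip().lower()
    if eu not in ("yes", "no"):
        return LeadDecision("rejected", "EU residency question is required")
    if eu == "no":
        if ticked:
            return LeadDecision("consented", f"non-EU resident ticked anyway, notice {consent_version}")
        return LeadDecision("not_in_scope", "self-declared non-EU resident")

    if pattern == "conditional":
        if ticked:
            return LeadDecision("consented", f"checkbox ticked after EU answer, notice {consent_version}")
        return LeadDecision("no_consent", "EU resident did not tick the revealed checkbox")
    if pattern == "two_step":
        return LeadDecision("pending_confirmation", "send confirmation email",
                            make_confirmation_token(email, consent_version, now))
    raise ValueError(f"unknown form pattern {pattern!r}")


if __name__ == "__main__":
    d = process_lead_form({"email": "c@example.eu", "eu_resident": "yes"}, "two_step")
    print(d.status, "->", confirm_consent(d.confirmation_token))
```

Leads that end in `no_consent` or `pending_confirmation` are the “incomplete consent scenarios” above: keep them out of every send list and query for them periodically to drive the follow-up. The token carries the notice version so that a confirmation from an old link can be matched to the text the person actually saw.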
Inbound leads from affiliate sites
The guidelines here are similar to when purchasing a list or working with a SaaS database contacts vendor. You need to
make sure that any partner / affiliate site from which you collect data is GDPR-compliant. We suggest adding language
into any new contract that places liability on the affiliate partners, as well as revisiting any existing contracts. Of course,
you should consult with your legal team for more details.
Managing Opt Outs and Other Individual Rights
The GDPR introduces new complications in how you manage communications preferences for contacts in your database. In
short: An EU contact (“data subject”) needs to be able to opt in / out of any communication type at any time.
This is actually one of the more complicated aspects of how the GDPR affects marketing, but there’s a foundation we can
all recognize: include an “unsubscribe” link in your email that goes to a contact preferences page.
From an email-only perspective, this is pretty straightforward. Any marketing automation system you use should contain an
easy “unsubscribe” link to allow people to remove themselves from further email communication. With the GDPR, however,
it gets more complicated because of new rights granted to individual “data subjects.” Run afoul of any of these and you can get
hit with disastrous fines.
EU subjects in your database have several new rights:
•	 A “right to data access” — they get to view all the data you have stored about them, how you collected it and how
you use it.
•	 Clear description of communications preferences and easy management of them.
•	 The ability to opt out of any communications or of processing of their data, for marketing or many other
purposes.
•	 Contacts have the “right to be forgotten,” meaning that your company must delete any and all information you
have on the person from all your systems, including downstream systems like email automation systems to which
you have sent their data.
Here’s an example of what opt out pages would look like from an email-only perspective before and after the GDPR:
[Figure: email preference pages, “Before” and “After” the GDPR]
You can see how many variables there are to consider, even on just email preferences. When you add phone contacts,
social media, browser and mobile device tracking, chatbots, location tracking, voice systems like Alexa, and more exotic
methods of data collection, it pays to centralize management of data, preferences and your interactions with customers.
With the ability to pull customer data from multiple sources, unify IDs into a “golden customer profile” and push / write back
to the original systems of record, CDPs can help manage this complex issue, especially where marketing operations are
concerned.
Different CDPs will have different integrations out of the box and most will require some custom setup to work with your
specific marketing technology stack. You should also expect to involve your internal web development / management team
in order to ensure a page like this displays and functions with your various domains and web properties.
Outbound Marketing Tactics
Outbound marketing tactics include cold calls, emails, social media outreach and even direct mail. If you thought it was
ironic how direct mail has come back into vogue recently, it’s likely to get even bigger with the GDPR in place.
One thing to note for outbound marketing is the GDPR’s provisions for “legitimate interest,” which allows for data
processing without consent under certain circumstances. Some marketers have viewed this as a potential loophole to be
exploited; however, extreme caution is advisable. Legitimate interest requires you to weigh your interest against the
individual’s, and the individual keeps an unconditional right to object to direct marketing based on it, so the opt outs
described above must still be honored.
Legitimate interest is one of the most complex elements of the GDPR and it applies differently to different forms of
outbound. For further information, see an official interpretation of “legitimate interest.”
Cold calls
It’s likely that cold calls are going to be popular again. Unlike emails and SMS, which are opt in (with double opt in as the
safe practice), cold calls to business contacts are “opt out.” Note that these channel-specific rules come from the ePrivacy
rules that sit alongside the GDPR (PECR in the UK, the law behind the Honda and Flybe fines cited earlier). At least that’s
how things seem to be for the foreseeable future, but the GDPR is still evolving, so stay tuned.
Also note that if a contact tells your agent to stop emailing him or her, the agent needs to record that in your system of
record (e.g., Salesforce), with the change propagated across all systems.
Here are a few tactics we’re trying with our team at Treasure Data:
•	 Ensuring all cold calls or voicemails to EU contacts include an opt out:
	•	 For voicemails, we’ve added, “if you’d like to stop receiving calls, just let me know.”
	•	 For live calls in which we’ve generated interest, we simply ask to schedule the next call right then, which should
	put follow up calls within “legitimate interest.”
	•	 If a call does not generate interest, we’re testing versions of “If I think of something I think you’ll like, mind if I
	call back?” This verbal opt in / opt out should be compliant.
•	 Tracking opt outs:
	•	 We’ve added an “opted out of voice contact” field to call disposition records. Here are some examples of what we
	log in the task history in Salesforce:
		•	 Voicemail with opt out
		•	 Called, qualified, scheduled follow up
		•	 Called, incomplete, scheduled follow up
		•	 Called, sent [asset name], scheduled follow up
		•	 Called, sent [asset name]
		•	 Called, incomplete, opted out of calls
		•	 Called, incomplete, opted out of all communications
You also need to make sure sales agents check the “call opt out” check box described earlier in the contact preferences
section. This will ensure these EU contacts are not included in any call lists your sales ops team might create.
Again, this area falls under “legitimate interest,” which is still being interpreted and may be updated. For the foreseeable
future, however, we think this is a safe way to engage in outbound calls.
An additional tactic we’re trying is having inside sales agents ask for verbal consent to email the contact a link to a
particular asset, which is contained behind a GDPR-compliant “gate.” If the prospect opts in with verbal consent to email,
you’re good for future marketing emails.
If the contact doesn’t give verbal consent to email, but does download the gated asset, the sales person can follow
up via email as part of “legitimate interest,” though the email would need to pertain to the specific asset the contact
downloaded.
Cold emails
Cold outbound emailing has been widely used in both B2C and B2B marketing for many years, but the GDPR has
changed the game. Cold outbound emailing is now a very risky tactic.
Some marketers claim they’ve uncovered a “secret way” to cold email and still be GDPR-compliant. They argue that you
can send a cold email introducing yourself and encourage interaction based on some contextual or real world event that
arguably qualifies as “legitimate interest.” By this thinking, you could send one email, which can’t include a product but
must include an opt out link. If the contact responds, great, you can continue to email the contact on the given subject. If
not then you are prevented from further follow up.
We see a big flag in this: Under the GDPR, it’s illegal to buy a cold list of emails unless the list vendor can provide proof
that the list is made of people who’ve opted in. If a complaint is filed, however, you and your company will be on the
hook, not the list provider.
From Treasure Data’s perspective, the only way to safely do cold emails may be to have a vendor send emails on your
behalf (like an outsourced sales development team) and provide you with any warm leads it uncovers. As long as you’re
only providing email copy to the vendor, and don’t have the contact information from the vendor’s list, you should be safe.
However, we will be holding off on this tactic for the remainder of 2018 to see how the rules are being enforced. If other
companies prove that it works, you could consider joining the bandwagon.
Social media outreach
Social media marketing is largely unaffected by the GDPR (except advertising, see more on that below) since the terms
and conditions of sites like Facebook, LinkedIn and Twitter cover you.
Additionally, anyone you’re connected to, or who has liked your page, can sever your connection simply by un-following you,
etc. This kind of control on the contact’s side is exactly what the GDPR is trying to enforce across all marketing channels; it
just so happens that social media already has this built-in.
What this likely means is that social media marketing is about to get even more sophisticated as companies learn to
leverage it more in the absence of more traditional techniques like cold email.
Direct mail
What’s old is new again. Direct mail is seeing a resurgence as marketers look for ways to cut through the digital noise
and reach contacts higher up in the org chart. With the GDPR, this tactic will likely become even more popular as it is not
regulated as heavily as most digital forms of communication.
Like cold calls, direct mail is opt out vs. opt in and falls under “legitimate interest” so you’re free to send packages, etc., so
long as you can show that it’s related to the contact’s interests and minimally intrusive to his or her life. Of course, if you
receive a notification to stop, then you must.
There’s still a risk, however, and that comes in how well you track these opt out requests. Again, like cold calls, it’s
recommended that you log direct mail activities in your CRM and create a disposition status that tracks the opt in / out status.
Field events
Field events take place in many geographies, not necessarily only within the EU. So let’s say an EU citizen gets her conference
badge scanned at a trade show booth in Tokyo, and the lead data is then uploaded into a CRM in Denver – those GDPR rules
still apply. It will not matter where the data was collected or uploaded or where a marketing campaign is launched – as long as
the data represents an EU citizen, you’re a “data controller,” subject to the GDPR no matter where data is stored.
Within the GDPR, managing leads collected at trade shows, conferences and other events (summits, meetups, networking
events, etc.) comes with its own set of considerations. Here are some general guidelines to consider:
Review and update all of your event contracts. Make sure the organizer has updated their terms and conditions to include
opt-in language like “by attending this conference you agree that our sponsors may contact you for marketing purposes.” If
they don’t, you should reconsider your sponsorship of the event.
Most events make lead retrieval units available for sponsors and you usually have the option to customize the questions.
One question should be “by getting scanned you agree to receive marketing material from us” and your booth staff should be
trained to ask this question EVERY TIME THEY SCAN someone (and mark the box!). Even if the event includes the opt-in in their
T&Cs you should obtain consent at your booth as well in case you get caught on the wrong side of an audit. This gives your
company additional protection.
Your method for GDPR compliance at field events should be codified in a formal internal process and documented. Your staff
should sign off that they have received training on how to correctly obtain consent and capture leads. Talk with your legal
counsel about where / how to best store this documentation.
An option is to have event / booth signage notifying attendees that by attending they are consenting to marketing of any type.
Your staff should point out the signs during the event when collecting business cards, scanning badges, etc. To be fair, this has
questionable value in an audit, but, if you take a photo of the booth and document the signage, then it could help.
Obviously with the GDPR, gone are the days when you stood in the aisle saying, “Hey, would you like this cool pen? Oh, can I
scan your badge?” But on the bright side, we expect to get more qualified leads and improve our performance metrics in the
end.
Advertising
Digital advertising in the EU is now a lot more complicated under the GDPR, so we’ll look at how different forms may be
affected, and what you can do. The sections below will cover retargeting, lookalike audiences, IP targeting and DMPs.
One fundamental first step is to use an ad tracker like Ghostery that shows you all the pixels and cookie tracking on your
website. That’s important because many websites have pixels and cookies left over from software they no longer use.
Scrubbing those residual elements is a sound move for GDPR alignment.
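Browser tools like Ghostery show what fires at run time. The following added example (not from the guide) does the complementary static check offline: it parses a saved copy of a page and inventories every script, image, iframe, embed and link that loads from a host you do not own, flagging 1x1 images as likely tracking pixels, so that leftover tags from retired vendors show up in a review. The sample page and the vendor hostnames in it are constructed:

```python
"""Offline inventory of third-party scripts, pixels and iframes in a page's
HTML. Added example; the sample page and hostnames are constructed."""
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Tags that load a remote resource, and the attribute that carries its URL.
URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href", "embed": "src"}

Hit = Tuple[str, str, bool]   # (tag, url, looks like a 1x1 tracking pixel)


class ThirdPartyScanner(HTMLParser):
    def __init__(self, first_party_hosts: Iterable[str]) -> None:
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.hits: Dict[str, List[Hit]] = defaultdict(list)

    def _is_first_party(self, host: str) -> bool:
        # www.example.com and cdn.example.com are ours when example.com is listed.
        return any(host == fp or host.endswith("." + fp) for fp in self.first_party)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # boolean attributes arrive as None
        attr = URL_ATTR.get(tag)
        if attr is None:
            return
        url = a.get(attr, "").strip()
        if not url or url.startswith(("data:", "javascript:", "#")):
            return
        # Absolute and protocol-relative ("//host/x") URLs yield a host;
        # relative paths yield none and are first-party by definition.
        host = (urlparse(url, scheme="https").hostname or "").lower()
        if not host or self._is_first_party(host):
            return
        is_pixel = (tag == "img"
                    and a.get("width", "").strip() in ("0", "1")
                    and a.get("height", "").strip() in ("0", "1"))
        self.hits[host].append((tag, url, is_pixel))


def scan(html: str, first_party_hosts: Iterable[str]) -> Dict[str, List[Hit]]:
    """Map each third-party host to the resources the page loads from it."""
    scanner = ThirdPartyScanner(first_party_hosts)
    scanner.feed(html)
    scanner.close()
    return dict(scanner.hits)


def report(hits: Dict[str, List[Hit]]) -> List[str]:
    """One line per third-party resource, sorted by host, pixels marked."""
    lines = []
    for host in sorted(hits):
        for tag, url, is_pixel in hits[host]:
            lines.append(f"{host:40} {tag:7} {'PIXEL ' if is_pixel else ''}{url}")
    return lines


# Constructed sample page: one current CDN, a tag manager, and two leftover
# resources from a vendor that is no longer under contract.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="https://tagmanager.example.org/gtm.js?id=ABC"></script>
<script async src="//analytics.old-vendor.example.net/collect.js"></script>
</head><body>
<img src="https://pixel.old-vendor.example.net/p.gif?u=123" width="1" height="1" alt="">
<img src="/images/logo.png" width="200" height="40" alt="logo">
<iframe src="https://ads.example.org/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line in report(scan(SAMPLE_HTML, ["example.com"])):
        print(line)
```

Run it over the exported HTML of each page template, then check every listed host against your current vendor contracts; anything you cannot map to a live agreement is a candidate for removal. Tags that a tag manager injects at run time will not appear in the static HTML, which is why the runtime tool is still needed alongside this check.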
Contact- and cookie-based retargeting
How retargeting is affected seems to depend on what kind of retargeting you’re doing: contact-based or cookie-based.
•	 Contact-based retargeting. Contact-based seems to be easy to comply with, provided you include this as part
of your “double opt in” process when downloading an asset. Two steps you need to take:
1.	 Make sure you use double-opt in (opt in on the download form, and by contact confirmation to a follow-up
email), and that the terms and conditions include language that contacts are opting in to retargeting.
2.	 Make sure you have an option to disable ad retargeting on your opt in / opt out page (see the “managing opt
out requests” section above).
•	 Cookie-based retargeting. Cookie-based retargeting is trickier. The common interpretation seems to be
that you need to secure opt in for all cookies on your website via an opt in pop-up box, even if you don’t track
personally identifiable information through Google Analytics or other means.
When someone chooses not to opt in to cookies, you need to obey their wishes and not track them. You also
need to make them aware that they may experience reduced functionality on your website. If a contact does
opt in for cookies, any retargeted ad needs to contain a link that allows the data subject to opt out from further
retargeting.
Retargeting based on social media activity
Right now this looks like it will be a safe tactic as the social media platform is essentially acting as a data controller, and
permission to retarget is covered by their terms and conditions. If someone likes or follows your page on Facebook, they
are “opting in” based on Facebook’s terms and conditions.
If a contact wants to opt out of seeing your ads, all they need to do is opt out on the ad itself or unfollow your page.
Lookalike audiences and social media
It appears that social media lookalike audiences will be safe for marketers as the social media platform (e.g., Facebook)
assumes the role of the data controller. (For lookalike audiences through a digital ad partner, like a DMP, please see the
DMP section below). You as the advertiser never get access to the individual contact details of the audience members,
so are not a data controller and therefore should be exempt from the GDPR.
That being said, if you are uploading lists of lookalike audiences based on contact information or web cookies, then that
usage needs to be clearly stated in your terms and conditions, and you need to allow contacts to opt in (vs. opt out). For
more on this, please refer back to the section on lead forms, or cookies, above.
IP targeting
IP targeting comes in two forms:
1. Targeting the IP address (or device ID) of the individual user
2. Targeting the IP address of a corporate office
In the case of targeting an IP address (or device ID) of an individual user, you need to refer to how you handle cookies:
an opt in pop-up, with a link to terms and conditions outlining what the data will be used for, and a link to a page at
which contacts can opt out or ask that you delete their information entirely.
IP targeting on a corporate office is still OK, but there seem to be some nuances. The current interpretation seems to
be this: If you’re simply targeting the IP address (or a range of them) for a corporate office, you’re OK. Since this is a
common tactic, this should come as a relief for many marketers.
If, however, you are using both IP targeting for a corporate office and using filters like “job title,” then it becomes a bit of a
gray area. The rules on this are not 100% clear, but the GDPR is built to protect personal information. It could be argued
that a combination of IP address and professional titles can be traced back to an individual, so you might be in trouble.
Our opinion is that you should take a “wait and see” stance for now and revisit this tactic once its application becomes
clearer over time.
Data management platforms (DMPs)
By most accounts DMP service providers will need major changes to their operating procedures because of the GDPR.
From our interpretation, they carry a lot of additional risk because they frequently serve as a data processor for your
data versus a data controller. Let’s look at a few common scenarios for DMP service providers and how this might play
out with the GDPR.
Programmatic advertising and DMPs
If you provide contacts to your DMP partner for programmatic advertising and you remain the data controller, the GDPR
compliance burden is on you, not the DMP. So, if you’re going to do this, you need to make sure that you 1) outline the
use of this data in your terms and conditions, 2) provide only “opted in” contacts to the DMP, and 3) have a mechanism
for processing opt out requests that come from the contact through the DMP.
In addition to that, DMP service providers often also work with demand-side platforms (DSPs) and trade desks to source and
fill ad inventory. Again, each one of these handoffs extends the data processor network and introduces a potential point of
failure for which you, as the data controller, will be responsible.
If you’re going to go down this route, you should ask for an outline of the DMP’s data network, including where the data is
stored for each part in the chain, what kind of encryption is used, and how opt outs will be passed back to you.
There are a lot of moving parts to this type of advertising and a lot of potential risk, so we at Treasure Data are taking a
“wait and see” approach.
Lookalike audiences and DMPs
This seems like the safest way to engage with a DMP service provider for the short term, as you’re not passing any
personally identifiable information to the DMP, which therefore takes on the role of the data controller. The
flip side to this is that the data received back from the DMP will be high-level and general, which will prevent you from
further targeting any individual contained within the DMP audience segment.
Of course, a DMP could provide more detailed information to you from contacts that went through an “opt in” process
so that you could do more accurate targeting. This assumes, however, that the data from the DMP is clean and that’s a
big risk as you’re going to be the one targeted by a fine if you retarget someone who did not opt in. Given that, it seems
like this is another area where you’ll want to wait and see what happens.
DMPs and data breaches
GDPR mandates that any data breach of personally identifiable information (PII) must be communicated to anyone who
might have been affected within 72 hours. When dealing with a DMP partner and its larger network of partners and data
processors, you need to make 100% sure that the DMP is at least as secure as you are, and that the DMP has
processes in place to communicate a data breach in time for you to meet the 72-hour deadline.
Remember, you’re the data controller in this scenario, so you carry all the risk.
Conclusion
The GDPR will require dramatic changes across cold emails, programmatic and targeted advertising, as well as how opt
in / opt out processes are managed. However, cold calling, direct mail and lookalike advertising should remain “business
as usual” for now.
The most important things you can do now are the following:
• Ensure all your different prospect and customer databases have consistent communications preferences fields
that are synced daily
• Run an opt in / permission passing campaign for your current EU / UK contacts
• Update your lead capture forms and cookies to be opt in
• Revisit your programmatic advertising and strongly consider stopping any channel that relies on PII that you do
not directly control
• Create a landing page on which contacts can see what data you’ve collected, and which automates opt in, opt out
and “forget me” requests from a central location. If you need help on this one, you should talk with Treasure Data.
Version 1.3

More Related Content

PDF
Will GDPR Kill Outbound Marketing?
PDF
GDPR & You, Claus Mortensen, Ecosystm
PPTX
Data Protection and Comnpliance with the GDPR Event 22 september 2016
PDF
How to be CASL & GDPR Compliant for the New Year 2019
PPTX
Practical Guide to GDPR 2017
PDF
Opt-in Opt-out in Italy
PDF
Cognizant business consulting the impacts of gdpr
PPT
**JUNK** (no subject)
Will GDPR Kill Outbound Marketing?
GDPR & You, Claus Mortensen, Ecosystm
Data Protection and Comnpliance with the GDPR Event 22 september 2016
How to be CASL & GDPR Compliant for the New Year 2019
Practical Guide to GDPR 2017
Opt-in Opt-out in Italy
Cognizant business consulting the impacts of gdpr
**JUNK** (no subject)

What's hot (20)

PPTX
Findability Day 2015 - Noel Garry - IBM - Information governance and a 360 de...
DOCX
Eleven Steps To Making Your Website Legally Compliant
PDF
GDPR Solutions That Won't Break the Bank
PDF
Driving change
PPT
Legal Implications of a Mobile Enterprise
PDF
United Kingdom GDPR Action Taken Against Canadian Company
PDF
ILC Cyber Report - June 2018
PDF
EC2017 United Kingdom
PDF
Paradise by the DASHBOARD Act?
PDF
PDF
Joint ad trade letter to ag becerra re ccpa 1.31.2019
PDF
Session B: Handout 1
PPT
PBPATL - Privacy Seminar 2011
PPTX
E Mail Marketing And The Law 2009
PPTX
GDPR vs Blockchain – A Paradox, Challenge and an Opportunity
PDF
The california consumer privacy act (ccpa) is in effect starting on january 1...
PDF
7. is there a market for organic search engine results and can their manipul...
PDF
Tal ron drihem and co - LAC 2017 - Clarifying the situation: Legal responsibi...
DOC
Week5 paper-susbauer
PDF
2. the google commitments. now with a cherry on top
Findability Day 2015 - Noel Garry - IBM - Information governance and a 360 de...
Eleven Steps To Making Your Website Legally Compliant
GDPR Solutions That Won't Break the Bank
Driving change
Legal Implications of a Mobile Enterprise
United Kingdom GDPR Action Taken Against Canadian Company
ILC Cyber Report - June 2018
EC2017 United Kingdom
Paradise by the DASHBOARD Act?
Joint ad trade letter to ag becerra re ccpa 1.31.2019
Session B: Handout 1
PBPATL - Privacy Seminar 2011
E Mail Marketing And The Law 2009
GDPR vs Blockchain – A Paradox, Challenge and an Opportunity
The california consumer privacy act (ccpa) is in effect starting on january 1...
7. is there a market for organic search engine results and can their manipul...
Tal ron drihem and co - LAC 2017 - Clarifying the situation: Legal responsibi...
Week5 paper-susbauer
2. the google commitments. now with a cherry on top
Ad

Similar to Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation) (20)

PDF
GDPR's Impact on Social Media - Everything You Need to Know
PDF
Are you GDPR Ready? Checklist Whitepaper
PDF
GDPR & Data Privacy Guide - Free Download
PPTX
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
PDF
What is GDPR ? by M32
PPTX
General data protection regulation
PPTX
Gdpr zilla
PPTX
GDPR: A Practical Guide for Marketers
PDF
"If we're leaving the EU, does GDPR even matter?" And other FAQs
PDF
How GDPR Guidelines Regulate Marketing Automation and Customer Engagement
PDF
What's Next - General Data Protection Regulation (GDPR) Changes
PPTX
Operational impact of gdpr finance industries in the caribbean
PPTX
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
PPTX
How will GDPR affect your business - Marketing Fox & Birkett Long
PDF
UXPSystems_whitepaper_Privacy_Nov182016
PDF
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
PDF
5 Questions Financial Institutions Should Ask About GDPR Readiness
PDF
GDPRIBMWhitePaper
PPTX
Gdpr action plan
PPTX
A Brief Overview on GDPR
GDPR's Impact on Social Media - Everything You Need to Know
Are you GDPR Ready? Checklist Whitepaper
GDPR & Data Privacy Guide - Free Download
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
What is GDPR ? by M32
General data protection regulation
Gdpr zilla
GDPR: A Practical Guide for Marketers
"If we're leaving the EU, does GDPR even matter?" And other FAQs
How GDPR Guidelines Regulate Marketing Automation and Customer Engagement
What's Next - General Data Protection Regulation (GDPR) Changes
Operational impact of gdpr finance industries in the caribbean
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
How will GDPR affect your business - Marketing Fox & Birkett Long
UXPSystems_whitepaper_Privacy_Nov182016
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
5 Questions Financial Institutions Should Ask About GDPR Readiness
GDPRIBMWhitePaper
Gdpr action plan
A Brief Overview on GDPR
Ad

More from WBDC of Florida (20)

DOCX
OCPS How to Do Business Workshop
DOCX
March 19 Bids Orange County Public Schools (OCPS)
PDF
RFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
PDF
Forecast Opportunities Broward College
PDF
Moffitt Cancer Center RFP 19-12-ssp new hospital expansion owners representat...
PDF
H. Lee Moffitt Cancer Center and Research Institute, Inc. Request for Propos...
PDF
Orange County Public Schools Bid Information December 2018
PDF
H. Lee Moffitt Cancer Center and Research Institute, Inc. Request for Proposa...
PDF
SBA contracting resources - Contracting 8a certification overview
PDF
WBENC Corporate Member List 2018
PDF
Broward College Forecast opportunities
PDF
Moffitt Inpatient Bed Expansion Project - Barr & Barr Supplier Diversity Cons...
DOC
RFP 19-07 Desktop-Laptop Leasing Refresh Program
DOCX
Moffitt Cancer Center: RFP 19-06 M2Gen Molecular Lab Buildout - Construction ...
DOC
RFP 19-04-SSP Outpatient Scheduling Optimization H. LEE MOFFITT CANCER CENTER...
PDF
Her Dreamers Webinar Workbook
PDF
Vision statement worksheet
PDF
Women of Color Empowerment Institute Inc.'s (WOCEI) Professional Mentorship L...
PDF
Orange County Public Schools Bid Information July and August 2018
PDF
The 5 languages of appreciation in the workplace summary
OCPS How to Do Business Workshop
March 19 Bids Orange County Public Schools (OCPS)
RFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
Forecast Opportunities Broward College
Moffitt Cancer Center RFP 19-12-ssp new hospital expansion owners representat...
H. Lee Moffitt Cancer Center and Research Institute, Inc. Request for Propos...
Orange County Public Schools Bid Information December 2018
H. Lee Moffitt Cancer Center and Research Institute, Inc. Request for Proposa...
SBA contracting resources - Contracting 8a certification overview
WBENC Corporate Member List 2018
Broward College Forecast opportunities
Moffitt Inpatient Bed Expansion Project - Barr & Barr Supplier Diversity Cons...
RFP 19-07 Desktop-Laptop Leasing Refresh Program
Moffitt Cancer Center: RFP 19-06 M2Gen Molecular Lab Buildout - Construction ...
RFP 19-04-SSP Outpatient Scheduling Optimization H. LEE MOFFITT CANCER CENTER...
Her Dreamers Webinar Workbook
Vision statement worksheet
Women of Color Empowerment Institute Inc.'s (WOCEI) Professional Mentorship L...
Orange County Public Schools Bid Information July and August 2018
The 5 languages of appreciation in the workplace summary

Recently uploaded (20)

PDF
How to Get Approval for Business Funding
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
PDF
Blood Collected straight from the donor into a blood bag and mixed with an an...
PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
PDF
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
PDF
Module 2 - Modern Supervison Challenges - Student Resource.pdf
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
PDF
Booking.com The Global AI Sentiment Report 2025
PPTX
operations management : demand supply ch
PDF
Charisse Litchman: A Maverick Making Neurological Care More Accessible
PDF
Introduction to Generative Engine Optimization (GEO)
PDF
Technical Architecture - Chainsys dataZap
PDF
Digital Marketing & E-commerce Certificate Glossary.pdf.................
PDF
Daniels 2024 Inclusive, Sustainable Development
PPTX
Slide gioi thieu VietinBank Quy 2 - 2025
PDF
Building a Smart Pet Ecosystem: A Full Introduction to Zhejiang Beijing Techn...
PDF
IFRS Notes in your pocket for study all the time
PDF
1911 Gold Corporate Presentation Aug 2025.pdf
How to Get Approval for Business Funding
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
Blood Collected straight from the donor into a blood bag and mixed with an an...
Lecture 3344;;,,(,(((((((((((((((((((((((
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
Module 2 - Modern Supervison Challenges - Student Resource.pdf
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
Booking.com The Global AI Sentiment Report 2025
operations management : demand supply ch
Charisse Litchman: A Maverick Making Neurological Care More Accessible
Introduction to Generative Engine Optimization (GEO)
Technical Architecture - Chainsys dataZap
Digital Marketing & E-commerce Certificate Glossary.pdf.................
Daniels 2024 Inclusive, Sustainable Development
Slide gioi thieu VietinBank Quy 2 - 2025
Building a Smart Pet Ecosystem: A Full Introduction to Zhejiang Beijing Techn...
IFRS Notes in your pocket for study all the time
1911 Gold Corporate Presentation Aug 2025.pdf

Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)

  • 2. Table of Contents The Scope and Implications of the GDPR Segmenting and Synchronizing Your Databases Capturing and Managing Consent and Other Privacy Preferences Running Opt In Campaigns Working with GDPR-Compliant Vendors Managing Inbound Leads Managing Opt Outs and Other Individual Rights Outbound Marketing Tactics Cold calls Cold emails Social media outreach Direct mail Advertising Contact- and cookie-based retargeting Retargeting based on social media activity Lookalike audiences and social media IP targeting Data management platforms (DMPs) Conclusion 1 2 3 4 4 5 8 9 10 11 11 11 12 12 13 14 14 14 15
  • 3. Effective May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is reshaping how marketing teams around the world engage with EU citizens. Some marketing gurus proclaim the GDPR is the end of marketing as we know it, while others see it as an opportunity to increase conversion numbers on email and advertising campaigns. Either way, there’s no debate that marketers heve needed to adjust tactics and strategies to ensure compliance with strict new data privacy requirements. In this white paper, you’ll find how-to guidance on practical steps you can take to satisfy the GDPR. These tips and tricks draw in part on Treasure Data’s own initiatives around the GDPR in areas including database segmentation, opt in / opt out management, inbound leads, cold emailing and more. As with all things GDPR, caution and due diligence are advisable. Certain rules around the GDPR are subject to interpretation, and will likely evolve over time. It’s best to consult with your own legal team and security professionals for specific direction and guidance on how the GDPR may affect your organization. The Scope and Implications of the GDPR The GDPR applies only to EU citizens, but it’s applicable to organizations anywhere in the world who have more than 250 employees and that collect personal data on EU citizens (who number more than 500 million). The implications for marketers are far-reaching. For instance, a U.S. company that uses cookies when an EU citizen visits its website is affected by the GDPR if that visitor data is collected in web forms. Any sales, marketing or advertising that involves personal EU citizen data falls under the GDPR umbrella. Let’s say an EU citizen gets her conference badge scanned at a trade show exhibit booth in Tokyo, and the lead data is then uploaded into a CRM in Denver – that counts. 
It will not matter where the data was collected or uploaded or where a marketing campaign is launched – as long as it’s data that represents an EU citizen, you’re subject to the GDPR no matter where data is stored. It remains to be seen how aggressively the GDPR will be enforced both within the EU and globally. A U.S.-based company with operations in the EU can certainly be subject to fines for GDPR violations. And while the situation is less clear for companies without a presence in the EU (but which have data on EU citizens), experts say that legal frameworks are in place for enforcement actions. Fundamentally, the GDPR aligns the 28 EU nations under one data privacy law and empowers EU citizens with new rights to guard their privacy. In the regulation, citizens are called “data subjects,” and companies that collect and hold consumer data are “data controllers.” Third parties that process consumer data for a data controller are called “data processors.” For instance, Treasure Data is a data processor for its data controller customers. However, our internal marketing department acts as a data controller as far as our own marketing campaigns are concerned. Marketer’s Guide to the GDPR 1
  • 4. The GDPR introduces new requirements for companies in several key areas: Right to data access. EU citizens have the right to request and receive detailed information on what data your company possesses on them, where that data is stored and how it’s utilized. Data portability. EU citizens have the right to ask that your company transmit their data to another company, making it easier for them to switch to a competing service or product provider. Right to rectification. EU citizens have the right to change any incorrect information about themselves that is stored and accessed by a data controller. Right to be forgotten. EU citizens can demand you delete all information you have on them (called “data erasure”), and can revoke consents they might have given you previously. Breach notification. Applying to both data controllers and processors, this requires that EU citizens be notified within 72 hours of a data breach that might compromise their privacy. Britain’s exit from the EU (Brexit) has prompted questions about the GDPR and the UK. It’s important to note that the UK remains part of the EU until at least 2019, followed by a lengthy transition process. Even upon separation, the UK is likely to maintain strict consumer privacy regulations very similar to the GDPR. UK residents should be covered in your GDPR compliance efforts. Segmenting and Synchronizing Your Databases This basic step is essential. You want to segment your customer databases to create separate audiences for accounts and contacts that are affected by the GDPR, and those that are not. These databases could be for email automation, CRM or digital advertising – any system in which you store contact data. At Treasure Data, we’ve created the following audience segments. 
Note that we’ve created a separate segment for UK contacts, which could save rework down the road if post-Brexit distinctions need to be made between EU and UK citizens: • EU companies and their contacts (including contacts who may not live in the EU, but are known to work for a company with EU headquarters) • UK companies and their contacts (including contacts who may not live in the UK, but are known to work for a company with UK headquarters) • Any contact identified as residing in the EU / UK, regardless of their company HQ location This gives the Treasure Data team the flexibility to handle each population in accordance with the rules that apply. 2
  • 5. 3 Capturing and Managing Consent and Other Privacy Preferences Another basic step is to add or update contact preferences and other opt-out preferences to be comprehensive and consistent across all customer databases. For example, if you use Salesforce, Marketo and Zendesk, you probably have fields similar to the following across all your systems: • Email opt out • Call opt out • Cookie opt out • Targeted ad opt out • Social media opt out • Direct mail opt out You must keep track of every change to each of these consents over time, and operationalize these consents, taking them into account in your marketing activities. For example, you must have a process to deal with the following scenarios: • Someone calls in to your sales or support department and requests to be removed from all forms of email. The sales / support agent makes that change in the system they regularly use, and that change would then be passed on to other systems. • A user opts out of email and is recorded in your marketing automation system and this must be synced across all enterprise systems to prevent emails from salespeople doing cold outreach out of Salesforce, or vice versa. With multiple systems that could manage your customer preferences, you need one place to aggregate and summarize these requests for processing across all of your marketing databases. Managing this effort manually is a recipe for disaster — wasted resources and potential fines. This is where we rely on our own customer data platform (CDP) to help. Here are a couple of ways to manage it all: • You can build your own system of record for consent, for example in a system like Treasure Data. This would require building logic that synchronizes that data to and from your other systems. • Or, you could use your own consent management system, which was designed to be the system of record for customer preferences across your company. 
These systems typically have vetted web or mobile device functionality to walk users through configuring their preferences, presenting terms of service and more. Either way, you need to operationalize those privacy preferences across all your marketing activities. Managing those activities from your CDP — like Treasure Data — is the surest way to stay compliant with the GDPR. Once your CDP has your customers’ preferences logged, you can market to each one only in the ways they’ve asked for.
  • 6. Running Opt In Campaigns With an opt in campaign, also known as “permission passing” campaign you will have reached out to your EU audience segments to ask them if they’d like to opt in for communications. If you have not done this before the GDPR has taken effect, it’s best to launch this campaign as soon as possible. At Treasure Data, our list includes all countries in the EU, including the UK. Here are the steps for our opt in / permission passing campaign: 1. Unify all email databases 2. Create an EU / UK segment in email / marketing automation software 3. Exclude all contacts who have previously opted out 4. Customize messaging by vertical (this is not related to the GDPR, but improves open and response rates) 5. Launch a sequence of three emails, ending with a “last chance to opt in” call to action While many of these steps are common sense, pay special attention to step 3. Honda and Flybe were fined by the UK Information Commissioner’s Office (ICO) for emailing citizens who had previously opted out of email communication. To quote the ICO, “Businesses must understand they can’t break one law to get ready for another.” In other words, if someone has already opted out, don’t email them to ask if they want to opt in again. Also, bear in mind that opt in must be explicit. For instance, if an opt in form has several checkbox options, you can’t have the opt in box checked by default. The individual must manually check it. You also need to present a legal statement that outlines how the person’s information will be used. See page 5, How to create GDPR compliant consent in web forms. Working with GDPR-Compliant Vendors First of all, the GDPR is prohibitive of list buying in general, but we’ve seen new vendor list services popping up that claim to offer names who’ve opted in to be contacted by the vendor’s customers in accordance with the GDPR. For many marketers, the restrictions on lists may be one of the biggest changes. 
Basically, buying lead lists with EU contacts, or using a SaaS service to look up contacts carries serious risks for marketing teams. From our research, there are a couple workarounds here. Seek legal guarantees Only work with vendors that legally guarantee their lists contain contacts who have opted in to marketing communications from other vendors. This seems like an obvious solution, but use caution: If you buy a list, send emails and find out a contact was not GDPR-compliant, you’re the one on the hook, not the vendor. Additionally, we are aware of complications whereby if a vendor extends their network, this would affect their terms of service and the vendor would have to reconfirm the contact’s opt in status, further complicating the issue. Even if you are confident of the vendor’s ability to manage this process, and the vendor’s contract states they take liability, you could still wind up with two legal actions – enforcement by EU authorities for a GDPR violation, and your own lawsuit against the lead vendor for damages. 4
  • 7. 5 Luckily there still seems to be a way to work these lists via cold calling. Check out more on this tactic in the Cold Calling section below. Utilize an email delivery vendor A second tactic is to provide your email copy, a list of target accounts and ideal titles to a vendor that sends emails on your behalf. Working in this way, your vendor would be classified as a ”data controller” and thereby take on the legal risk. This seems like the best way to solve the problem but it’s unclear at this time how popular this kind of model will become. Of course, with this option, you’d be at the mercy of the email delivery vendor to correctly execute, track and report on the campaign. This could slow down the sales process, but that’s still better than getting hit with a fine or eliminating the ability to email market all together. Managing Inbound Leads Managing inbound leads within the GDPR regulations breaks down into two discrete areas: • Inbound leads that come in from web forms you control • Inbound leads that come in from affiliate sites Inbound leads from web forms you control Ensuring that new leads from web forms you control are GDPR-compliant is simple if you use a double opt in process. Most marketing automation vendors provide guides for double opt in, such as: • Adobe • Hubspot • Marketo • MailChimp • Oracle How to create GDPR compliant consent in web forms If you manage a website where you capture any personal data, and there is a chance that any of your web visitors are EU citizens and/or residents, the GDPR applies to you. Luckily, having your top-of-funnel activities become GDPR compliant boils down to simply obtaining positive consent from the users who submit their information.
  • 8. Obtaining positive consent As relevant to capturing information, the GDPR states that controllers must obtain consent from the data subject in order to use their information. The consent needs to be explicitly given by the EU citizen/resident through a manual opt- in. Simply adding a text disclaimer with links such as “Our company values your privacy” or “By submitting this form you agree to our terms” is not sufficient to meet GDPR requirements. As part of a website form, obtaining consent is most commonly achieved by adding an acknowledgement checkbox at the end of the form, positioned above the “Submit” button. The checkbox needs to be accompanied by a statement that specifically outlines how the person’s information will be used. The checkbox needs to be unchecked by default and the user must manually check it to be considered positive consent, rather than having the visitor uncheck a defaulted checked box to opt-out. 6
  • 9. Alternately, and because the GDPR only applies to EU citizens/residents, some controllers prefer to not front-load their forms with consent checkboxes and with what some may consider off-putting language. Instead, they simply ask the user if they are an EU citizen/resident. If the user indicates that they are indeed an EU citizen and/or resident, upon submitting the form, the user is notified via email that they are invited to again opt in to the controller’s intent to send them communications of the stated type. The email usually contains a link to a second web form, where the user completes the GDPR-required step of the form (which was not present in the initial step). In much the same way as outlined above, the consent is usually met by asking the user to check an itemized checklist explaining how the user’s information will be used. Obtaining consent cannot be required for the user to complete their action, which is why the user should be provided with a way to complete their action without providing consent. This approach may seem preferable since it introduces less friction for users at the initial step and serves as verification that the email address supplied by the user is valid. However, data controllers should be careful to correctly label, and make required, the citizenship/residency question so that they can properly identify EU citizens/ residents, including those who don’t reside in the EU, or hold dual citizenship. In addition, the controllers should be able to flag and not use the data of users who submitted the first part of the form, but did not complete the second (GDPR opt-in) part. Incomplete consent scenarios Under the scenario that the user did not provide consent, the consent submission is not complete. The controller has the lead data, but they can’t use it. Therefore, the controller needs a way to follow up on incomplete submissions and ask the lead to consent. 
Finally, a controller may choose to do a combination of the two approaches above. Under this scenario, the form doesn’t display the consent checkbox by default, but does include the question of whether or not the user is an EU citizen/ resident. If the answer to the EU citizenship question is negative the checkbox remains hidden. If the answer is positive, the checkbox is revealed. This approach is adopted by some as it offers the least friction at first glance. It also eliminates the need to have special follow up processes for users whose data is subject to the GDPR. In either case, the single most important requirement to make any form GDPR compliant is the explicit, positive consent needed from the users to have their data stored and used by the controller. A number of vendors can help you with these techniques, including Treasure Data, so just select the best fit for your business. 7
  • 10. Inbound leads from affiliate sites The guidelines here are similar to when purchasing a list or working with a SaaS database contacts vendor. You need to make sure that any partner / affiliate site from which you collect data is GDPR-compliant. We suggest adding language into any new contract that places liability on the affiliate partners, as well as revisiting any existing contracts. Of course, you should consult with your legal team for more details. Managing Opt Outs and Other Individual Rights The GDPR introduces new complications in how you manage communications preferences for contacts in your database. In short: An EU contact (“data subject”) needs to be able to opt in / out of any communication type at any time. This is actually one of the more complicated aspects of how the GDPR affects marketing, but there’s a foundation we can all recognize: include an “unsubscribe” link in your email that goes to a contact preferences page. From an email-only perspective, this is pretty straightforward. Any marketing automation system you use should contain an easy “unsubscribe” link to allow people to remove themselves from further email communication. With the GDPR, however, it gets more complicated because of new rights granted to individual “data subjects.” Run afoul of any of these and you can get hit with disastrous fines. EU subjects in your database have several new rights: • A “right to data access” — they get to view all the data you have stored about them, how you collected it and how you use it. • Clear description of communications preferences and easy management of them. • The ability to opt out of any communications or of processing of their data, for marketing or many other purposes. • Contacts have the “right to be forgotten,” meaning that your company must delete any and all information you have on the person from all your systems, including downstream systems like email automation systems to which you have sent their data. 8
Here’s an example of what opt out pages would look like from an email-only perspective before and after the GDPR:
[Figure: example opt out pages, labelled “Before” and “After”]

You can see how many variables there are to consider, even on just email preferences. When you add phone contacts, social media, browser and mobile device tracking, chatbots, location tracking, voice systems like Alexa, and more exotic methods of data collection, it pays to centralize management of data, preferences and your interactions with customers. With the ability to pull customer data from multiple sources, unify IDs into a “golden customer profile” and push / write back to the original systems of record, CDPs can help manage this complex issue, especially where marketing operations are concerned. Different CDPs will have different integrations out of the box and most will require some custom setup to work with your specific marketing technology stack. You should also expect to involve your internal web development / management team in order to ensure a page like this displays and functions with your various domains and web properties.

Outbound Marketing Tactics
Outbound marketing tactics include cold calls, emails, social media outreach and even direct mail. If you thought it was ironic how direct mail has come back into vogue recently, it’s likely to get even bigger with the GDPR in place.

One thing to note for outbound marketing is the GDPR’s provisions for “legitimate interest,” which allow for data processing without consent under certain circumstances. Some marketers have viewed this as a potential loophole to be exploited; however, extreme caution is advisable. Legitimate interest is one of the most complex elements of the GDPR and it applies differently to different forms of outbound. For further information, see an official interpretation of “legitimate interest.”

Cold calls
It’s likely that cold calls are going to be popular again. Unlike emails and SMS, which are double opt in, cold calls are “opt out.” At least that’s how things seem to be for the foreseeable future, but the GDPR is still evolving, so stay tuned. Also note that if a contact tells your agent to stop emailing him or her, the agent needs to record that in your system of record (e.g., Salesforce), with the change propagated across all systems.

Here are a few tactics we’re trying with our team at Treasure Data:
• Ensuring all cold calls or voicemails to EU contacts include an opt out:
  • For voicemails, we’ve added, “if you’d like to stop receiving calls, just let me know.”
  • For live calls in which we’ve generated interest, we simply ask to schedule the next call right then, which should put follow up calls within “legitimate interest.”
  • If a call does not generate interest, we’re testing versions of “If I think of something I think you’ll like, mind if I call back?” This verbal opt out should be compliant.
• Tracking opt outs:
  • We’ve added an “opted out of voice contact” field to call disposition records. Here are some examples of what we log in the task history in Salesforce:
    • Voicemail with opt out
    • Called, qualified, scheduled follow up
    • Called, incomplete, scheduled follow up
    • Called, sent [asset name], scheduled follow up
    • Called, sent [asset name],
    • Called, incomplete, opted out of calls
    • Called, incomplete, opted out of all communications

You also need to make sure sales agents check the “call opt out” check box described earlier in the contact preferences section. This will ensure these EU contacts are not included in any call lists your sales ops team might create.
Again, this area falls under “legitimate interest,” which is still being interpreted and may be updated. For the foreseeable future, however, we think this is a safe way to engage in outbound calls.

An additional tactic we’re trying is having inside sales agents ask for verbal consent to email the contact a link to a particular asset, which is contained behind a GDPR-compliant “gate.” If the prospect opts in with verbal consent to email, you’re good for future marketing emails. If the contact doesn’t give verbal consent to email, but does download the gated asset, the sales person can follow up via email as part of “legitimate interest,” though the email would need to pertain to the specific asset the contact downloaded.
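The dispositions logged by agents are free text, so something has to turn them into the preference flags that call lists are built from. As an added example (not Treasure Data’s Salesforce configuration), the Python below parses the disposition phrases listed above, flips the phone channel (and, for “all communications”, every channel) to opted out, sets a constructed “opted out of voice contact” flag and builds a call list that excludes those contacts. The contact records and field names are constructed; note that “Voicemail with opt out” records that the opt out was offered, not that the contact opted out, and the parser keeps that distinction.

```python
"""Turn free-text call dispositions into preference flags and a filtered call list.
Added example, not Treasure Data's Salesforce setup; the disposition phrases are the
ones listed in the text, the contact records and field names are constructed."""
import re
from typing import Dict, List

# Phrase in the disposition -> channels the contact has just opted out of.
OPT_OUT_PHRASES = {
    "opted out of all communications": ("phone", "email", "sms", "direct_mail"),
    "opted out of calls": ("phone",),
}


def parse_disposition(text: str) -> dict:
    """Extract structured facts from one task-history line."""
    t = text.strip().lower()
    opted_out: List[str] = []
    for phrase, channels in OPT_OUT_PHRASES.items():
        if phrase in t:
            opted_out.extend(channels)
    asset = re.search(r"sent \[([^\]]+)\]", text)
    return {
        "voicemail": t.startswith("voicemail"),
        # The opt out was offered in the voicemail; that is not the contact opting out.
        "opt_out_offered": t.startswith("voicemail") and "with opt out" in t,
        "follow_up_scheduled": "scheduled follow up" in t,
        "asset_sent": asset.group(1) if asset else None,
        "opted_out": opted_out,
    }


def apply_dispositions(contacts: Dict[str, dict], log: List[tuple]) -> Dict[str, dict]:
    """Propagate opt outs from the call log into each contact's channel flags,
    i.e. the equivalent of ticking the 'call opt out' box on the preference record."""
    for contact_id, line in log:
        facts = parse_disposition(line)
        prefs = contacts[contact_id].setdefault("channels", {})
        for channel in facts["opted_out"]:
            prefs[channel] = False
        if "phone" in facts["opted_out"]:
            contacts[contact_id]["opted_out_of_voice_contact"] = True  # constructed field
    return contacts


def build_call_list(contacts: Dict[str, dict]) -> List[str]:
    """Only contacts whose phone channel is still allowed make it onto a call list."""
    return sorted(cid for cid, c in contacts.items()
                  if c.get("channels", {}).get("phone", False)
                  and not c.get("opted_out_of_voice_contact", False))
```

Running the call list through the preference flags, rather than trusting agents to filter by hand, is what makes the “not included in any call lists” promise above hold.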
Cold emails
Cold outbound emailing has been widely used in both B2C and B2B marketing for many years, but the GDPR has changed the game. Cold outbound emailing is now a very risky tactic. Some marketers claim they’ve uncovered a “secret way” to cold email and still be GDPR-compliant. They argue that you can send a cold email introducing yourself and encourage interaction based on some contextual or real world event that arguably qualifies as “legitimate interest.” By this thinking, you could send one email, which can’t include a product but must include an opt out link. If the contact responds, great, you can continue to email the contact on the given subject. If not, then you are prevented from further follow up.

We see a big flag in this: under the GDPR, it’s illegal to buy a cold list of emails unless the list vendor can provide proof that the list is made of people who’ve opted in. If a complaint is filed, however, you and your company will be on the hook, not the list provider.

From Treasure Data’s perspective, the only way to safely do cold emails may be to have a vendor send emails on your behalf (like an outsourced sales development team) and provide you with any warm leads it uncovers. As long as you’re only providing email copy to the vendor, and don’t have the contact information from the vendor’s list, you should be safe. However, we will be holding off on this tactic for the remainder of 2018 to see how the rules are being enforced. If other companies prove that it works, you could consider joining the bandwagon.

Social media outreach
Social media marketing is largely unaffected by the GDPR (except advertising, see more on that below) since the terms and conditions of sites like Facebook, LinkedIn and Twitter cover you. Additionally, anyone you’re connected to, or who has liked your page, can sever your connection simply by un-following you, etc.
This kind of control on the contact’s side is exactly what the GDPR is trying to enforce across all marketing channels; it just so happens that social media already has this built in. What this likely means is that social media marketing is about to get even more sophisticated as companies learn to leverage it more in the absence of more traditional techniques like cold email.

Direct mail
What’s old is new again. Direct mail is seeing a resurgence as marketers look for ways to cut through the digital noise and reach contacts higher up in the org chart. With the GDPR, this tactic will likely become even more popular as it’s not regulated as much as most digital forms of communication. Like cold calls, direct mail is opt out vs. opt in and falls under “legitimate interest,” so you’re free to send packages, etc., so long as you can show that it’s related to the contact’s interests and minimally intrusive to his or her life. Of course, if you receive a notification to stop, then you must.

There’s still a risk, however, and that comes in how well you track these opt out requests. Again, like cold calls, it’s recommended that you log direct mail activities in your CRM and create a disposition status that tracks the opt in / out status.
Field events
Field events take place in many geographies, not necessarily only within the EU. So let’s say an EU citizen gets her conference badge scanned at a trade show booth in Tokyo, and the lead data is then uploaded into a CRM in Denver – those GDPR rules still apply. It will not matter where the data was collected or uploaded or where a marketing campaign is launched – as long as the data represents an EU citizen, you’re a “data controller,” subject to the GDPR no matter where data is stored.

Within the GDPR, managing leads collected at trade shows, conferences and other events (summits, meetups, networking events, etc.) comes with its own set of considerations. Here are some general guidelines to consider:
• Review and update all of your event contracts. Make sure the organizer has updated their terms and conditions to include opt-in language like “by attending this conference you agree that our sponsors may contact you for marketing purposes.” If they don’t, you should reconsider your sponsorship of the event.
• Most events make lead retrieval units available for sponsors and you usually have the option to customize the questions. One question should be “by getting scanned you agree to receive marketing material from us” and your booth staff should be trained to ask this question EVERY TIME THEY SCAN someone (and mark the box!). Even if the event includes the opt-in in their T&Cs you should obtain consent at your booth as well in case you get caught on the wrong side of an audit. This gives your company additional protection.
• Your method for GDPR compliance at field events should be codified in a formal internal process and documented. Your staff should sign off that they have received training on how to correctly obtain consent and capture leads. Talk with your legal counsel about where / how to best store this documentation.
• An option is to have event / booth signage notifying attendees that by attending they are consenting to marketing of any type.
Your staff should point out the signs during the event when collecting business cards, scanning badges, etc. To be fair, this has questionable value in an audit, but, if you take a photo of the booth and document the signage, then it could help.

Obviously with the GDPR, gone are the days when you stood in the aisle saying, “Hey, would you like this cool pen? Oh, can I scan your badge?” But on the bright side, we expect to get more qualified leads and improve our performance metrics in the end.

Advertising
Digital advertising in the EU is now a lot more complicated under the GDPR, so we’ll look at how different forms may be affected, and what you can do. The sections below will cover retargeting, lookalike audiences, IP targeting and DMPs.

One fundamental first step is to use an ad tracker like Ghostery that shows you all the pixels and cookie tracking on your website. That’s important because many websites have pixels and cookies left over from software they no longer use. Scrubbing those residual elements is a sound move for GDPR alignment.

Contact- and cookie-based retargeting
How retargeting is affected seems to depend on what kind of retargeting you’re doing: contact-based or cookie-based.
• Contact-based retargeting. Contact-based seems to be easy to comply with, provided you include this as part of your “double opt in” process when downloading an asset. Two steps you need to take:
  1. Make sure you use double opt in (opt in on the download form, and by contact confirmation to a follow-up email), and that the terms and conditions include language that contacts are opting in to retargeting.
  2. Make sure you have an option to disable ad retargeting on your opt in / opt out page (see the “Managing Opt Outs and Other Individual Rights” section above).
• Cookie-based retargeting. Cookie-based retargeting is trickier. The common interpretation seems to be that you need to secure opt in for all cookies on your website via an opt in pop-up box, even if you don’t track personally identifiable information through Google Analytics or other means. When someone chooses not to opt in to cookies, you need to obey their wishes and not track them. You also need to make them aware that they may experience reduced functionality on your website. If a contact does opt in for cookies, any retargeted ad needs to contain a link that allows the data subject to opt out from further retargeting.

Retargeting based on social media activity
Right now this looks like it will be a safe tactic as the social media platform is essentially acting as a data controller, and permission to retarget is covered by their terms and conditions. If someone likes or follows your page on Facebook, they are “opting in” based on Facebook’s terms and conditions. If a contact wants to opt out of seeing your ads, all they need to do is opt out on the ad itself or unfollow your page.
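Two of the points above, removing pixels left over from tools you no longer use and loading no tracking until the visitor opts in, can be enforced in one place if the page renders its tracking tags from a registry gated by a consent cookie. As an added example, not Treasure Data’s or any tag manager’s code, the Python below does exactly that. The cookie format (consent=analytics:1,ads:0), the tag registry, the cookie attributes and the scanned script list are constructed assumptions; an absent or malformed cookie means no consent, and the same registry is reused to flag stray scripts a scanner such as Ghostery reports.

```python
"""Consent-gated tracking tags plus a check for leftover scripts.
Added example, not Treasure Data's or any tag manager's code; the cookie format, tag
registry, cookie attributes and sample script list are constructed."""
from typing import Dict, List, Tuple

# Every tag we intend to load, with the consent category it needs. Anything found on
# the page that is not listed here is a leftover to remove.
TAG_REGISTRY: Dict[str, str] = {
    "analytics.example/collect.js": "analytics",
    "ads.example/pixel.js": "ads",
}
CATEGORIES = ("analytics", "ads")
CONSENT_COOKIE = "consent"   # constructed name; value looks like "analytics:1,ads:0"


def parse_consent(cookie_header: str) -> Dict[str, bool]:
    """Read the consent cookie from a Cookie header. Absent, malformed or unknown
    entries mean no consent for that category: the page never fails open."""
    consent = {c: False for c in CATEGORIES}
    for chunk in (cookie_header or "").split(";"):
        name, _, value = chunk.strip().partition("=")
        if name != CONSENT_COOKIE:
            continue
        for part in value.split(","):
            category, _, flag = part.partition(":")
            if category.strip() in consent:
                consent[category.strip()] = flag.strip() == "1"
    return consent


def consent_cookie_header(choices: Dict[str, bool]) -> str:
    """Set-Cookie value recording the visitor's choice, including a refusal, so the
    pop-up is not shown again; it carries no identifier of its own."""
    value = ",".join(f"{c}:{1 if choices.get(c) else 0}" for c in CATEGORIES)
    return f"{CONSENT_COOKIE}={value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure"


def render_tags(cookie_header: str) -> List[str]:
    """The <script> tags this response may carry: only categories with consent load,
    which is also where the 'reduced functionality' the visitor was warned of comes from."""
    consent = parse_consent(cookie_header)
    return [f'<script src="https://{src}"></script>'
            for src, category in TAG_REGISTRY.items() if consent[category]]


def audit_page_scripts(script_srcs: List[str]) -> Tuple[List[str], List[str]]:
    """Split the scripts actually seen on a page (e.g. from a tracker scan) into
    registered tags and strays left over from tools no longer in use."""
    known, strays = [], []
    for src in script_srcs:
        (known if src in TAG_REGISTRY else strays).append(src)
    return known, strays
```

Because the tags are emitted server-side from the registry, a tag that is removed from TAG_REGISTRY disappears from every page at once, and a visitor who declined gets a response with no tracking script in it rather than a script that is merely told not to fire.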
Lookalike audiences and social media
It appears that social media lookalike audiences will be safe for marketers as the social media platform (e.g., Facebook) assumes the role of the data controller. (For lookalike audiences through a digital ad partner, like a DMP, please see the DMP section below.) You as the advertiser never get access to the individual contact details of the audience members, so you are not a data controller and therefore should be exempt from the GDPR. That being said, if you are uploading lists of lookalike audiences based on contact information or web cookies, then that usage needs to be clearly stated in your terms and conditions, and you need to allow contacts to opt in (vs. opt out). For more on this, please refer back to the section on lead forms, or cookies, above.

IP targeting
IP targeting comes in two forms:
1. Targeting the IP address (or device ID) of the individual user
2. Targeting the IP address of a corporate office

In the case of targeting an IP address (or device ID) of an individual user, you need to refer to how you handle cookies: an opt in pop up, with a link to terms and conditions outlining what the data will be used for, and linked to a page at which contacts can opt out or ask that you delete their information entirely.

IP targeting on a corporate office is still OK, but there seem to be some nuances. The current interpretation seems to be this: if you’re simply targeting the IP address (or a range of them) for a corporate office, you’re OK. Since this is a common tactic, this should come as a relief for many marketers. If, however, you are using both IP targeting for a corporate office and filters like “job title,” then it becomes a bit of a gray area. The rules on this are not 100% clear, but the GDPR is built to protect personal information. It could be argued that a combination of IP address and professional titles can be traced back to an individual, so you might be in trouble.
Our opinion is that you should take a “wait and see” stance for now and revisit this tactic once its application becomes clearer over time.

Data management platforms (DMPs)
By most accounts DMP service providers will need major changes to their operating procedures because of the GDPR. From our interpretation, they carry a lot of additional risk because they frequently serve as a data processor for your data versus a data controller. Let’s look at a few common scenarios for DMP service providers and how this might play out with the GDPR.

Programmatic advertising and DMPs
If you provide contacts to your DMP partner for programmatic advertising and you remain the data controller, the GDPR compliance burden is on you, not the DMP. So, if you’re going to do this, you need to make sure that you:
1. outline the use of this data in your terms and conditions;
2. provide only “opted in” contacts to the DMP; and
3. have a mechanism for processing opt out requests that come from the contact through the DMP.

In addition to that, DMP service providers often also work with demand-side platforms (DSPs) and trade desks to source and fill ad inventory. Again, each one of these handoffs extends the data processor network and introduces a potential point of failure for which you, as the data controller, will be responsible. If you’re going to go down this route, you should ask for an outline of the DMP’s data network, including where the data is stored for each part in the chain, what kind of encryption is used, and how opt outs will be passed back to you.
There are a lot of moving parts to this type of advertising and a lot of potential risk, so we at Treasure Data are taking a “wait and see” approach.

Lookalike audiences and DMPs
This seems like the safest way to engage with a DMP service provider for the short term, as you’re not passing any personally identifiable information to the DMP and therefore forcing the DMP to take on the role of a data controller. The flip side to this is that the data received back from the DMP will be high-level and general, which will prevent you from further targeting any individual contained within the DMP audience segment. Of course, a DMP could provide more detailed information to you from contacts that went through an “opt in” process so that you could do more accurate targeting. This assumes, however, that the data from the DMP is clean, and that’s a big risk as you’re going to be the one targeted by a fine if you retarget someone who did not opt in. Given that, it seems like this is another area where you’ll want to wait and see what happens.

DMPs and data breaches
The GDPR mandates that any data breach of personally identifiable information (PII) must be communicated to anyone who might have been affected within 72 hours. When dealing with a DMP partner and its larger network of partners and data processors, you need to make 100% sure that the DMP is as secure as, if not more secure than, you are, and that the DMP has processes in place to communicate a data breach in time for you to meet the 72-hour deadline. Remember, you’re the data controller in this scenario, so you carry all the risk.

Conclusion
The GDPR will require dramatic changes across cold emails, programmatic and targeted advertising, as well as how opt in / opt out processes are managed. However, cold calling, direct mail and lookalike advertising should remain “business as usual” for now.
The most important things you can do now are the following:
• Ensure all your different prospect and customer databases have consistent communications preferences fields that are synced daily
• Run an opt in / permission passing campaign for your current EU / UK contacts
• Update your lead capture forms and cookies to be opt in
• Revisit your programmatic advertising and strongly consider stopping any channel that relies on PII that you do not directly control
• Create a landing page on which contacts can see what data you’ve collected, and which automates opt in, opt out and “forget me” requests from a central location. If you need help on this one, you should talk with Treasure Data.