How To Get GDPR-Compliant
Leads In 2019
Written by Sara Moulton 5 May 2019
If you are trying to generate leads anywhere in the EU in 2019, then you need to understand how to properly collect, hold, and process personal data.
Every marketer targeting a European audience should already be aware that the European Union’s General Data Protection Regulation (GDPR) is now in effect. In fact, it came into effect back in May 2018, and it impacts aspects of how businesses interact with data.
Companies and businesses found in breach of GDPR can be assessed administrative fees up to €10 million, or two percent of their annual revenue, whichever is higher.
On January 21, 2019, France’s National Data Protection Commission, CNIL, fined Google €50 million for violation of GDPR compliance because of lack of transparency, lack of requesting valid consent regarding personalization of ads, and providing inadequate information to users.
Here’s what marketers need to know about GDPR–
What is GDPR and how does it affect lead generation for your business?
GDPR is a recent privacy law that applies to the collection and processing of personal data and how a company uses, stores, and shares that data.
GDPR encompasses all of the personal data that a business collects and uses during lead generation and marketing activities, including (but not limited to):
Date of birth
Any information collected automatically through analytics software
Any information gathered from an opt-in, lead magnet, or other offers
Any information added to your database or CRM system
Also under the new GDPR law, businesses are now required to communicate exactly how:
They collect the personal data
Why the data is collected
How the data will be used
Who else will have access to the data
Businesses collecting personal data with lead generation techniques must also clearly provide information on:
How someone can request their personal data be removed
Details of who they need to contact
An outline of the process on how to do so
How to become GDPR compliant with marketing and lead generation
GDPR has changed the way businesses communicate with prospects and engage with customers in the EU, and this means that marketers need to adjust their practices.
Here are 12 important factors to make sure your business is generating leads that are GDPR compliant:
1. Create awareness with relevant people within your company
Make sure you are up-to-date with GDPR laws and be sure to inform the key people within your organization (who are involved with marketing and lead generation) about the essential requirements of the EU General Data Protection Regulation (GDPR).
2. Accurately document information you collect, store, and use
Make sure you are accurately documenting what personal data you are in possession of, where it comes from, and who you share it with. This involves a full audit of the personal data you collected before the introduction of the new GDPR.
3. Communicate privacy information clearly
Review your current privacy notices, statements, and policies to incorporate GDPR best practices. Your privacy notice should disclose clearly and concisely your intentions for the personal information you collect, use, and share when collecting data.
4. Ensure individual’s rights are detailed in your policies
Check to make sure your operational procedures and privacy notices, statements, and/or policies cover all of the rights individuals have regarding the information you collect.
The main rights for individuals under the GDPR are to:
Have access to data
Have inaccuracies corrected
Have information erased
Prevent automated decision-making and profiling
Have access to data portability, or be able to copy or share one’s own data for their own purposes
5. Update policies to consumer access requests
The rules for dealing with information requests from individuals has changed under the GDPR. In most cases, you will not be able to charge for complying with a request to personal information from an individual. You will also have just one month (30 days) to comply with a request of information, rather than the previous 40 days. You will also need to provide additional information to individuals making a request such as your data retention periods and their rights.
6. Examine and document your legal basis for processing personal data
7. Seek, obtain, and record consent
Under the new GDPR laws, you may need to review and change how you are seeking, obtaining, and recording consent when generating leads. The GDPR is clear that businesses must be able to clearly demonstrate that consent was given to collect, use, and share personal data. Consent also needs to be a positive indication given by an individual – it cannot be inferred from silence, pre-ticked boxes, or inactivity.
8. Process children’s data
The GDPR will bring in special protection regarding the collection and use of children’s personal data (children can be defined as young as 13-years-old in certain member states). You must put systems in place to be able to verify an individual’s age and to gather parental or guardian consent for any data processing activities of children’s data.
9. Be proactive with possible data breaches
The GDPR will introduce a new breach notification duty that requires businesses to notify the Information Commissioner’s Office (ICO) whenever they suffer a personal data breach. This will be new to many organizations and can result in hefty fines if they fail to report adhere to this rule.
However, it should be noted that not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. Try to be proactive with possible data breaches and start to put procedures in place now to detect, report, and investigate a personal data breach in the future. This could simply involve assessing the types of data you hold and identifying which individuals would fall within the notification requirement if there did happen to be a data breach. In some cases, you may also have to notify directly the individuals whose data has been compromised.
10. Adopt data protection by design and data protection impact assessments
It has always been best practice to adopt a privacy by design approach when generating leads and to carry out a privacy impact assessment as part of this. The GDPR now makes this an express legal requirement. You do not always have to carry out a PIA (privacy impact assessment) – a PIA is only required in high-risk situations. Whenever your DPIA (Data Protection Impact Assessments) indicate high-risk data processing, you will be required to consult the ICO to seek its opinion as to whether your data processing procedures comply with the GDPR.
11. Designate Data Protection Officers
The GDPR will require some organizations to designate a Data Protection Officer (DPO), or someone to take responsibility for data protection compliance, reporting, and ongoing assessments. You need to make sure that someone in your organization (or an external data protection advisor) takes proper responsibility for your data protection compliance – and has the appropriate knowledge, support, and authority to do so effectively.
12. Think through international considerations
The new GDPR laws contain complex arrangements for identifying which data protection supervisory authority is responsible for investigating a complaint with an international aspect. Put simply, the authority in charge will be determined according to where your organization has its main administration (or where the majority of decisions about data processing are made). For a traditional business with one physical location, this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different data processing activities happen in different locations.
To avoid confusion and uncertainty over which supervisory authority would be responsible for investigating a data protection complaint against your organization, you should try to map out where your organization makes its most significant decisions regarding data processing. This will help to determine your ‘main establishment’ – and therefore the lead supervisory authority responsible for investigating complaints.
This guidance should not be construed as legal advice; it is being provided for informational purposes only. Please consult with your legal counsel for application to your business practices to ensure that your program is meeting appropriate legal requirements.