How To Get GDPR-Compliant Leads In 2019

Written by Sara Moulton 5 May 2019

If you are trying to generate leads anywhere in the EU in 2019, then you need to understand how to properly collect, hold, and process personal data.

Every marketer targeting a European audience should already be aware that the European Union’s General Data Protection Regulation (GDPR) is now in effect. In fact, it came into effect back in May 2018, and it impacts aspects of how businesses interact with data.

Companies and businesses found in breach of GDPR can be assessed administrative fines of up to €10 million, or two percent of their annual revenue, whichever is higher.

On January 21, 2019, France’s National Data Protection Commission, CNIL, fined Google €50 million for violating GDPR, citing a lack of transparency, failure to obtain valid consent for ad personalization, and inadequate information provided to users.

Here’s what marketers need to know about GDPR:

What is GDPR and how does it affect lead generation for your business?

GDPR is a recent privacy law that applies to the collection and processing of personal data and how a company uses, stores, and shares that data.

GDPR encompasses all of the personal data that a business collects and uses during lead generation and marketing activities, including (but not limited to):

  • Name

  • Date of birth

  • Phone number

  • Email address

  • Physical address

  • IP address

  • Any information collected automatically through analytics software

  • Any information gathered from an opt-in, lead magnet, or other offers

  • Any information added to your database or CRM system

Also under the new GDPR law, businesses are now required to communicate exactly:

  • How they collect the personal data

  • Why the data is collected

  • How the data will be used

  • Who else will have access to the data

Businesses collecting personal data with lead generation techniques must also clearly provide information on:

  • How someone can request their personal data be removed

  • Details of who they need to contact

  • An outline of the process on how to do so

One way to do this is to simply add the new GDPR requirements to your privacy policy and/or terms and conditions. In addition, be sure to provide links to the privacy policy and/or terms and conditions page anywhere user data is collected. The language used when explaining the policy needs to be accessible. The GDPR standard requires that the language used to ask for consent must be specific, clear, granular, and prominent. In addition, individuals need to opt-in and be able to easily withdraw their consent.

How to become GDPR compliant with marketing and lead generation

GDPR has changed the way businesses communicate with prospects and engage with customers in the EU, and this means that marketers need to adjust their practices.

Here are 12 important factors to make sure your business is generating leads that are GDPR compliant:

1. Create awareness with relevant people within your company

Make sure you are up-to-date with GDPR laws and be sure to inform the key people within your organization (who are involved with marketing and lead generation) about the essential requirements of the EU General Data Protection Regulation (GDPR).

2. Accurately document information you collect, store, and use

Make sure you are accurately documenting what personal data you are in possession of, where it comes from, and who you share it with. This involves a full audit of the personal data you collected before the introduction of the new GDPR.

3. Communicate privacy information clearly

Review your current privacy notices, statements, and policies to incorporate GDPR best practices. Your privacy notice should disclose, clearly and concisely, what you intend to do with the personal information you collect, use, and share, at the point where you collect it.

4. Ensure individuals’ rights are detailed in your policies

Check to make sure your operational procedures and privacy notices, statements, and/or policies cover all of the rights individuals have regarding the information you collect.

The main rights for individuals under the GDPR are to:

  • Have access to data

  • Be informed

  • Have inaccuracies corrected

  • Have information erased

  • Prevent automated decision-making and profiling

  • Have access to data portability, or be able to copy or share one’s own data for their own purposes

5. Update policies for consumer access requests

The rules for dealing with information requests from individuals have changed under the GDPR. In most cases, you will not be able to charge for complying with a request for personal information from an individual. You will also have just one month (30 days) to comply with a request for information, rather than the previous 40 days. You will also need to provide additional information to individuals making a request, such as your data retention periods and their rights.

6. Examine and document your legal basis for processing personal data

You need to examine and document the various types of data you collect, process, and share with third parties. You also have to explain your legal basis for processing such personal data in your privacy policy and/or terms and conditions, and when you answer a subject access request. Under the new GDPR laws, some individuals’ rights might need to be modified depending on your legal basis for processing their personal data.

7. Seek, obtain, and record consent

Under the new GDPR laws, you may need to review and change how you are seeking, obtaining, and recording consent when generating leads. The GDPR is clear that businesses must be able to clearly demonstrate that consent was given to collect, use, and share personal data. Consent also needs to be a positive indication given by an individual – it cannot be inferred from silence, pre-ticked boxes, or inactivity.

8. Process children’s data

The GDPR brings in special protection regarding the collection and use of children’s personal data (a child can be defined as young as 13 years old in certain member states). You must put systems in place to verify an individual’s age and to gather parental or guardian consent for any processing of children’s data.

9. Be proactive with possible data breaches

The GDPR introduces a breach notification duty that requires businesses to notify the Information Commissioner’s Office (ICO) whenever they suffer a personal data breach. This will be new to many organizations and can result in hefty fines if they fail to adhere to this rule.

However, it should be noted that not all breaches have to be notified to the ICO – only those where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. Be proactive about possible data breaches and start putting procedures in place now to detect, report, and investigate a personal data breach in the future. This could simply involve assessing the types of data you hold and identifying which individuals would fall within the notification requirement if a data breach did happen. In some cases, you may also have to notify the affected individuals directly.

10. Adopt data protection by design and data protection impact assessments

It has always been best practice to adopt a privacy by design approach when generating leads and to carry out a privacy impact assessment as part of this. The GDPR now makes this an express legal requirement. You do not always have to carry out a PIA (privacy impact assessment) – a PIA is only required in high-risk situations. Whenever your DPIA (Data Protection Impact Assessment) indicates high-risk data processing, you will be required to consult the ICO to seek its opinion as to whether your data processing procedures comply with the GDPR.

11. Designate Data Protection Officers

The GDPR requires some organizations to designate a Data Protection Officer (DPO), or someone to take responsibility for data protection compliance, reporting, and ongoing assessments. You need to make sure that someone in your organization (or an external data protection advisor) takes proper responsibility for your data protection compliance – and has the appropriate knowledge, support, and authority to do so effectively.

12. Think through international considerations

The new GDPR laws contain complex arrangements for identifying which data protection supervisory authority is responsible for investigating a complaint with an international aspect. Put simply, the authority in charge will be determined according to where your organization has its main administration (or where the majority of decisions about data processing are made). For a traditional business with one physical location, this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different data processing activities happen in different locations.

To avoid confusion and uncertainty over which supervisory authority would be responsible for investigating a data protection complaint against your organization, you should try to map out where your organization makes its most significant decisions regarding data processing. This will help to determine your ‘main establishment’ – and therefore the lead supervisory authority responsible for investigating complaints.


Preparing for the GDPR – 12 Steps to take now

This guidance should not be construed as legal advice; it is being provided for informational purposes only. Please consult with your legal counsel for application to your business practices to ensure that your program is meeting appropriate legal requirements.
