The How and Why of GDPR Compliance for B2Bs
Change was/is/will be the only constant! Change-resistance in any sphere of life hinders progress. And, for marketers, there is a ‘massive change ahead’. The EU’s General Data Protection Regulation (GDPR), which will be effective from May 25, 2018, is set to be the biggest upheaval in European data privacy laws over the last two and a half decades or so. US-based B2B organizations operating in Europe will have to comply with its strict boundaries around data privacy, integrity, and broadcast.
GDPR will arrive as a replacement for EU Data Protection Directive 95/46/EC, which has prevailed since 1995, a time when the internet was an infant (dial-up) and smartphones didn’t exist. Since then, data collection and processing have witnessed a sea change. Therefore, some of the data privacy laws have been rendered outdated and/or obsolete.
An important aspect to consider is that GDPR is a regulation, not a directive. So, when it comes into effect, it applies straight away to the entire EU and is not subject to country-by-country legislation. A breach of the regulation, which, arguably, has been the talking point, calls for cumbersome sanctions: almost $24 million, or 4% of worldwide turnover. For lesser degrees of noncompliance, the sanction is approximately $12 million, or 2% of worldwide turnover.
Impact on B2B marketing data
The GDPR didn’t have any direct mention of B2B or B2C data. Thus, until recently, marketers thought it was business as usual. But that was short-lived. Along came the change, wait, sea change, in the ‘Privacy and Electronic Communications Regulation’ (PECR), also called the ePrivacy Directive. The ePrivacy Regulation will come into being in accordance with GDPR.
The draft of the ePrivacy Regulation is not yet finalized. However, it already includes some crucial areas concerning electronic communications that will impact both B2B and B2C businesses.
Wider applications’ umbrella
The new regulation brings social and instant messaging, IoT, and email (web-based) under the same umbrella of laws as SMS, email, and telephone calls.
No more cookie force-feeding
Come GDPR, cookies will no longer be mandatory. This is a welcome break for users, as it was like a situation where that dessert you dislike comes forcefully with a combo meal, and if you say no to the dessert, you won’t get the meal. Cookie consent banners will be offered to users through their browsers. A user who opts out of cookies can’t be barred from a service or website. However, there is a small list of exceptions to this, namely, government sites which require personal data.
In line with the previous PECR, soft opt-in, which allowed businesses to send promotional messages to their existing customers, remains intact. But a small tweak will come into play: the context of the messages needs to be limited to product/services sales only. In this regard, you’d be well-served to treat SMBs as exclusive traders and partnerships as individuals, and send emails to them only with their express consent or if they have made similar purchases from you in the past and didn’t opt out. Your CRM needs to be updated with the list of opt-outs.
Get prepared, be ready!
The best way to handle regulatory changes is to prepare for them and be ready to accept them when they arrive. It’s the secret ingredient to that perfect change management recipe! And, that’s exactly what B2B marketers need to do for GDPR and ePrivacy Regulation.
To begin with, start spreading the word among all relevant stakeholders. The fines for noncompliance are heavy, and you should quickly sync your data management practices with the new regulations. It’s also a great time to review all your processes that are predominantly data-based. Detection, reporting, and investigation of data breaches need to be fast and specific. Anything like what recently happened with Equifax (almost 3–4 months of delay in reporting the data breach) can be fatal when the data pertains to European customers/clients.
Privacy notifications need to be simpler, with clear information about your business, the personal data that you access, and how you plan to use that data. A good habit here would be to allow individuals to flag instances when the way you’ve used their data has annoyed them (a new perspective on crowdsourcing and user-generated content?!). The GDPR is controlled by the International Commission’s Office (ICO), and therefore, practicing/implementing the norms of the existing ISO 27001 is another good place to start.
Until the GDPR actually hits the ground running, pinpoint impacts can’t be derived. But rest assured that the ICO is now more powerful than before. Getting flustered by all this won’t stand you in good stead as a marketer. Look at the greener side of the grass here! With customers at the forefront, unproductive data gets discarded. This leads to better value creation around data assets, which results in creative innovation. B2B (or B2C) marketers can succeed through GDPR and ePrivacy Regulation by staying data smart and ensuring they reach their targets in better-than-before ways.
Cometh the hour, cometh the data! Cometh GDPR, cometh the survival of the smartest.