3 Things Marketers Need to Know about GDPR

  • by Noah Ramirez, JD / CIPP
  • posted on October 25, 2019
  • 5 min read


What You Don’t Know Can Hurt You

The GDPR. Heard of it? If you’re in HR or the CIO, likely so. If you’re in marketing, perhaps not, or at least not as much as you should. Even with basic GDPR knowledge of things like GDPR cookie consent, how well do you really understand all of the requirements of the GDPR and how your marketing efforts are impacted?

As a CMO or marketer, it’s your job to track website traffic and launch marketing campaigns to increase awareness of your company brand, boost sales, and build a reputation. It’s not uncommon, however, for the pesky legal stuff to take a back burner. As long as you’re not falsely advertising and following the basic laws of marketing, you’re doing all you need, right?

Not so fast. The GDPR is all about data privacy and transparency. The requirements within it are constantly evolving and these laws and changes don’t always make it onto the marketer’s radar. The GDPR, however, doesn’t care much whether you knew you were responsible for the customer data your company collected or not.

For the powers that be, it’s your responsibility to understand and adhere to the GDPR no matter your job title. If you fail to comply, you put your company at high risk for penalties that can include hefty fees and the inability to continue collecting valuable customer data.

1. How The GDPR Affects Marketers

According to the American Marketing Association (AMA), all that customer data marketers collect and covet may help marketers better understand their customers, but it also creates vulnerability. Whose data is being collected and where is all that data going? Is it absolutely necessary to collect and did the customers agree to have it processed?

The GDPR is complex but clear. Companies who do any business in the EU or with EU residents must “ensure they have demonstrated clear compliance and consent.” That means CMOs and marketers must be able to prove the data subject residing in the EU agreed to allow the company to collect and process their personal data. Even more, “marketing databases have to be cleansed and reviewed to ensure that the organisation can identify consent which has been granted lawfully and fairly.”


Let’s define “consent” because it’s the lynchpin when it comes to the GDPR. The regulation explains it as:

“The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear plain language. It must be as easy to withdraw consent as it is to give it.”

For a marketer, that means before any of your customer-facing forms can be completed or website cookies do their thing, you must inform the data subject that you are collecting their data, using cookies and why you are collecting it. You must then give them the option to consent or decline. For cookies, it may be as simple as a Website Cookie Notice that allows them to opt in or out.

Even if they initially give you consent, data subjects have the right to later request the information you collected be erased and no longer used (a.k.a. “Right to be Forgotten”). They can also request to be given the personal data you collected on them and you must provide it in a timely manner. In essence, they have the control, not you.

2. The Marketing Team Can Be A Weak Link

As the saying goes, “A chain is only as strong as its weakest link.” Even if the CIO is running a tight ship when it comes to the GDPR, the marketing team can put the organization at high risk if they’re not following all of the guidelines. From tags and cookies to embedded forms, digital marketers are continually collecting visitor data, often sharing it with third parties.

Today’s marketing teams are on the hook to use personal data responsibly. They must know what data is being collected, where the data is going, who has access to that data, and how that data is being processed and used. Not only that, but they must incorporate into their marketing strategies a clear way to notify data subjects of the company’s data collection activities. Even though tags can bypass cookie consent requirements, companies must still adhere to the GDPR Cookie Consent on their marketing forms.

Every CMO should make it a priority to set the stage for how the entire marketing team will approach data privacy. Each marketing campaign must build into it a systematic process to notify data subjects of data usage, provide an opt-in/out feature for both tags and cookies, and clearly define its privacy policy. Further, marketing efforts must be reviewed on a regular basis to ensure compliance.


3. Keeping Up with GDPR Regulations Can Be Automated

Marketers are challenged to strike a perfect balance between protecting data subjects’ right to privacy and getting the marketing data they need to develop more effective marketing campaigns. With all of the evolving data privacy laws and different affected geographies, this is not an easy task.

As the need has increased, solutions are coming to market to help organizations stay GDPR-compliant without so much effort. Cookie Consent Tools enable marketers to customize their own cookie consent pop-up boxes specific to a data subject’s geographical location. This is uber-helpful since the GDPR laws can be different depending on the country.

Paid versions of this solution handle geolocation automatically, even detecting language to ensure data subjects see the pop-up box in their spoken language. They also track user consents over time, providing reliable cookie consent record keeping.

The language issue is an important factor because if the consent dialog isn’t in your visitor’s preferred language, it is not considered consent. Basically, unless the visitor can read and understand the cookie consent, their permission is null and your company is liable for non-compliance. Further, any website that uses third-party scripts is liable for obtaining those consents as well. The paid version of the automated solution blocks and unblocks third-party scripts to ensure unsanctioned third parties don’t get your company into trouble. Automating this portion not only saves time, but it prevents your company from being penalized.

But what if you don’t know about third-party scripts trying to load on your website? Maybe the marketing team created a new landing page that isn’t searchable. That’s when you need automated alerts that notify you of third-party scripts and hidden pages. With the GDPR, it’s critical that your company, including your marketing team, knows what’s loaded where and which visitors have consented to what. Only then will your company be able to provide data subjects with the personal data they request about themselves, and provide regulators with proof that your company is compliant in the event of legal action.

By investing in such solutions, you can potentially save your company millions of dollars in GDPR penalty fines and in the resources required to maintain compliance manually. Automation is key to bringing visibility and transparency, and also peace of mind that your company is being a good steward of your users’ data.


About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.