GDPR-compliant lead generation means collecting, processing, and storing leads according to the GDPR. This means putting lead qualification materials in place. These materials consist of relevant content and touchpoints. Touchpoints range from downloads, trial sign-ups, contact forms and logins through newsletters, emails, and social media. A third element is data processing, which consists of CRM (customer relationship management) software and audience segmentation, which allows you to monitor sales cycles and identify upsell opportunities. Click here to read an in-depth treatment of touchpoints for sales and marketing purposes.
In May 2018 GDPR compliance arrives. What this essentially means is
1. you need to have your data secured properly and
2. the (general) Privacy disclaimers most websites currently use will no longer be sufficient.
What do I actually need to do?
1. Perform a serious audit on how your data is stored, secured and encrypted, and improve where necessary
2. Customize your Privacy statement – it should not be generic boilerplate, but needs to be tailor-made for your business.
3. Assign a person responsible for communications
What is the GDPR?
GDPR stands for General Data Protection Regulation.
In this article we try to explain what it is and how to comply.
If you use LeadBoxer, click here for a GDPR-compliant Privacy statement, which includes a specification of the data we collect.
The GDPR was adopted in April 2016 and takes effect in May 2018. It replaces the previous Directive, covers all EU member countries, and does not require individual countries to implement or interpret it.
The GDPR applies to the collection and storage of data regarding people residing in the EU, even if your organisation is outside of the EU.
Definitions / roles
Any tool or service that collects and stores data from your online customers, leads, prospects, visitors, etc. (on your behalf) is called the data processor, and your organisation is defined as the data controller.
What does it all come down to?
In terms of communication with people in your database, two things:
As a company that collects data from your online users, you are the Data Controller. As such you have the following main responsibilities:
- Make it clear what you are collecting and why.
According to the European Commission “personal data is any information that can be used to identify an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information”, or even a computer’s IP address, if it can be used to identify an individual.
- Grant the person rights to control their personal data.
Give people the opportunity to file a complaint, have their data removed (deleted), stop being tracked, and provide a point of contact to a real person who can be reached through your company website. In other words: the public now has the right to ask you what information you have about them, and to request that you delete it. Therefore, you need to appoint people to communicate with the public (within 72 hours) and process “right to be forgotten” requests. The public may ask or communicate things such as:
- What information do you have about me?
- I want you to delete me from your system(s).
- I don’t want you to store my data going forward.
- Secure your data
Additional (important) aspects: encrypt personal data, and keep data in a format that can be exported. Put consent documentation in place, and ensure that you are able to quickly announce breaches.
GDPR in depth
The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. It also addresses the export of personal data outside the EU. Click here to read about the GDPR on Wikipedia.
Informing the public what data is collected
Article 13 of the GDPR specifies what information must be provided to the public when their personal data is collected. Similarly, Article 12 states that you need to provide an “easily visible, intelligible and clearly legible … and meaningful overview of the intended processing”. In other words, as we mentioned above, no blanket Privacy principles. Everybody has to be able to read and understand your Privacy statement.
In short, the GDPR increases the scope of information required in your Privacy notice while demanding that the notice be “concise” yet detailed.
Telling the public how & why the data is collected and processed
The question you are expected to answer on your website is: what are the purposes and legal basis for processing the data (for example, for purposes of lead generation)? You also need to explain why the data is processed. For example, the purpose is to improve communication with customers. There needs to be a legal basis, meaning, for example, that the processing is based on legitimate interests, the details of which should be explained.
To repeat: this needs to be present in your publicly visible privacy statement.
Meet your new Data Protection Officer (DPO)
You will need to appoint (identify) a person in your organization who can be contacted directly by a member of the public, and who can provide and delete personal data upon request. This is called the ‘right to be forgotten’ – it is the right for consumers to have their data erased.
- You need to provide the identity and the contact details of the controller (your company), and
- the (contact) details of the data processor – being LeadBoxer if you are a client of ours.
The point is you need to provide details of persons whom the public can contact.
A key element in being GDPR compliant is making sure your data is protected properly. This includes, but is not limited to:
- The storage of your customer data
- The transfer of this data between servers, computers, browsers, etc.
- The encryption of this data
- How long the data will be stored
- Where the data is stored (geographically)
- How customers can obtain the data
You don’t have to publish these in the policy, but make sure they are being taken care of.
Conclusion – Plan well and Avoid Stiff Fines
As a company specialized in B2B lead qualification for Sales and Marketing, we take the GDPR very seriously.
We recommend that you plan well and do not underestimate the amount of time and resources needed to properly assess and implement your responsibilities. In terms of time, you will probably need 40 hours to completely research and document your tasks and requirements. Do not wait – begin planning as soon as possible.
Fines for GDPR non-compliance are serious, from a lower level of €10 million and 2% of last year’s annual revenue, to an upper limit of €20 million and 4% of last year’s annual revenue.