The EU’s General Data Protection Regulation and Y2K share some surprising similarities. Columnist Scott Vaughan breaks them down and outlines four ways to prepare your organization for GDPR.
Buckle in. Marketing — and your entire organization — is about to be overwhelmed with stiffer data privacy regulations around the globe. The poster child for this movement is GDPR, the European Union’s General Data Protection Regulation. As a marketing leader, you’ll be spending hundreds of hours with the legal eagles and the data teams on what many analysts are calling the biggest thing to hit B2B marketing in a generation.
As we’ve been preparing for GDPR these last few months, I’m having flashbacks to my time in the IT world as we counted down to Y2K. The similarities between GDPR and Y2K are striking:
- Hype, hysteria and confusion that builds during countdown to enactment while people wonder about what’s really going to happen.
- Antiquated legacy tech and processes to figure out and deal with, which leads to discovering how messed up the systems and data are.
- A ton of money and resources spent — some valuable, most wasted — on trying to understand its impact and what to do.
By January 1, 2000, most organizations had found that the Y2K scare had unintentionally improved core business systems and processes. It helped companies reassess their tech and data efforts after the bloat created by the dot-com era. At what cost is debatable. This article is not about the nuts and bolts of Y2K or the definition of GDPR; there’s already plenty of information available on those topics. Rather, this is advice about areas to focus on as you prepare for GDPR.
A quick primer on GDPR:
The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC. It is designed to harmonize data privacy law across Europe, to protect and empower the data privacy of individuals in the EU and to reshape the way organizations across the region approach data protection.
It applies from May 25, 2018, to any organization that processes the personal data of individuals in the EU, including companies outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. I say "scheduled" because regulatory guidance on pieces of the regulation is still being developed. The non-compliance consequences are steep: fines of up to €20 million or 4 percent of worldwide annual turnover for the preceding financial year, whichever is higher.
GDPR will change the way we market and use prospect and customer data. I believe that those who understand, prep for and embrace GDPR will see a mid- to long-term net gain for marketing, businesses and their customers, as it will ensure that we:
- reach out, engage and communicate with those who are actually interested in hearing from us.
- execute true permission-based marketing, which should require fewer people, tools, time and budget.
- get our prospect and customer data in order, including streamlining data bloat and building trust with customers and prospects.
My analogy with Y2K isn’t intended to stoke the fear of mass chaos. Rather, it’s to show how we can and should learn from a past event and appropriately prep for the potential impact to our business.
The analogy also conveys the amount of time you’ll likely spend in conference rooms and away from marketing tasks, wading through emails and voicemail from companies offering you a GDPR miracle cure. To get it right, this change-management effort should be a calculated game of risk management and mitigation.
Based on our Y2K experience, here are four things you can do to ready your organization for GDPR.
1. Identify required company roles, resources and expertise
Understanding which resources are required to prep your organization is critical. GDPR requires a Data Protection Officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); behavioral tracking of prospects at scale can put a marketing organization in that first group, and a DPO is a sensible appointment even where it isn't mandated. The regulation does not prescribe a particular certification, but the DPO must have expert knowledge of data protection law and practice, be able to act independently and report to the highest level of management. If you don't have this role, hire for it or develop an existing employee into it; an external contractor can also fill the role.
You also want to make sure you have the right committee or working group assembled to tackle this compliance effort holistically. IT, data, legal/risk, marketing, customer and compliance pros should all be part of the group.
Make sure a C-level exec is part of the team. You’ll want board of directors access if needed. Once you have your game plan documented and in motion, you can beef up or trim down the team.
2. Assess your data, technology and process readiness for data protection
Getting a firm understanding of the "state of your data" and how you collect, use, store and secure customers' personal information is another important part of prepping for GDPR. Key to this effort is documenting what personal data you hold, where it came from, the lawful basis for processing it, who you share it with and how long you keep it (the Article 30 record of processing activities), along with how the data is secured and what security and privacy technology you're relying on. Once you have your current state, you can identify the tech, data and process gaps and needs to compile your game plan.
There are also firms that offer these services (and you’ll be hearing a lot more from them, if you haven’t already had them knocking on your door) to augment your team’s effort. This way you can keep as many resources as possible focused on running the business.
3. Create or amend a database management plan
Like Y2K before it, GDPR is a good motivation to get your database in check with a data compliance and protection assessment plan. To underline how bad databases have become, in the recently published “2017 State of Pipeline Marketing report,” a mere 6.6 percent of B2B marketing organizations reported that their data was up-to-date and complete.
This challenge is amplified because it's very hard for C-suite executives to determine clear ROI from resources being applied to maintaining database health. As a result, this problem often doesn't receive the attention that it requires. GDPR is a good opportunity to remedy this.
4. Begin adding appropriate language to all your vendor and data agreements
As you conduct your audit, you should also attend to your data and technology providers to make sure you have the right compliance language in your agreements. GDPR is very specific about the accountability of both controllers and processors of data: Article 28 requires that a processor act only on a written contract that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data involved, and the processor's obligations, including security measures, use of sub-processors, assistance with data subject requests and deletion or return of the data at the end of the engagement. Everybody stands to lose if your data "house" is not compliant, because a controller remains accountable for personal data it hands to a processor.
From a marketing standpoint, this effort may include compliance language in agreements with your database providers, data append/cleanse vendors, media providers (such as event, webinar and third-party content syndication partners), as well as looking at your first- and third-party data agreements.
Avoid the Y2K drama and drag on your business by preparing for GDPR now. Don't procrastinate. A diligent approach will not only benefit your business and give your marketing effort a boost through a more focused, permission-based approach, it will also reduce your exposure to the hefty monetary fines your organization could face if you get it wrong.
Some opinions expressed in this article may be those of a guest author and not necessarily Marketing Land.