"Aaaaarrrrr, don't talk to me about GDPR", "that doesn't apply to us" or "what's GDPR?" are all very common responses when I talk to business owners in Automotive. Now that the 25th of May has been and gone (think millennium bug of data), I wanted to share what I've learned, with some practical advice and 'how to' information, in this GDPR overview. It covers being GDPR-friendly and approaching it in a sensible fashion that actually helps improve your business and sales.
Also, yes, the deadline to become GDPR compliant has been and gone, for EVERYBODY. But what I'm seeing is that most Automotive companies haven't understood what they should do, and most have done very little or nothing at all.
I'm not a GDPR expert, but I have spent at least three weeks solid researching GDPR and coming up with sensible updates, processes, and procedures for our clients, so here's your chance to get everything I've learnt in our new blog post series.
So, here goes, part 1
First, this is not legal advice. It's just what I think you could do to help become GDPR-friendly, based on a lot of research. It's up to you what you want to do. I'm also only considering B2B. If you have questions about what data you store and how to create all the correct legal policies, then I'll put my hands up and say: take a look at our GDPR page and book a short consultation, and I'll put you in contact with our GDPR partner that handles that side of GDPR.
Also, GDPR isn't the death of B2B sales and marketing if you know the different forms of 'Lawful basis for processing' that can be used and you treat your contacts in an ethical way.
Considerations to help you be GDPR-friendly
- You can’t easily differentiate private and business data
- You can’t easily know if you’re contacting an EU citizen
- You need the ability to capture and audit ‘Lawful basis for processing’ for EVERY contact
- You need to update 'Lawful basis for processing' for EVERY contact you already have in your systems
- How easy is it for you to manage all the above in your current systems?
- When you contact somebody for the first time, you should tell them GDPR-friendly information
- Do you have processes so all staff know how to comply with GDPR-friendly requests like (1) unsubscribe, (2) update, (3) request data, (4) delete data?
- Do you have a process to comply with your Retention policy?
First, let's cover private and business data, and EU citizens
Questions I hear a lot are: Is private and business data different? Do I need to comply with GDPR even though I’m not in the EU and/or don’t sell to the EU?
There's no easy way to separate private (home) and business (work) data. And there's no easy way to know if you're contacting an EU citizen. For this reason, I'd plan to be GDPR-friendly with ALL activity.
- If a person uses their business email for their personal bank account, that email address is private data...
- If you contact somebody in the USA who holds a French passport, you are contacting an EU citizen...
What to record for EVERY contact
- Lawful basis of processing contact's data (type of consent being used)
- Lawful basis for communicating (what you're allowed to send)
All our clients use HubSpot CRM so capturing the above is made a lot easier as they have a central place to capture, track, and update this information. I'll go into more detail about that in future posts.
Explaining the different types of ‘Lawful basis for processing’:
- Consent (opted-in) - Of most interest to B2B companies
- Contract (customers) - Of most interest to B2B companies
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests - Of most interest to B2B companies
Here's the ICO's description of Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual's rights and interests. Private-sector organisations will often be able to consider the 'legitimate interests' basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone's personal data without their consent, but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.
That's it for this post. In the next blog posts in this series, I'll walk you through various steps to help you become GDPR-friendly, including:
- Updating your systems
- Synchronising data between your systems
- Data cleansing of your current contacts
- Notice on future outreach
- GDPR considerations for future outreach
- Processes to make it easy to be GDPR-friendly
- Ongoing work to help stay GDPR-friendly
- Making it easier to be GDPR-friendly