Let’s get specific with GDPR

The General Data Protection Regulation (GDPR) deadline is looming upon us, casting a dark shadow of anxiety over all the marketers in North America. With it comes uncertainty, and with that uncertainty comes lots and lots of questions.

I had the pleasure of attending the Austin Marketo User Group (AMUG) this past month, where GDPR guru and CEO of Inbox Pros, Chris Arrendale, gave us a rundown on all things GDPR and how to keep it up and keep it legal.

Make sure your company is GDPR ready before the May 5th deadline.

Here are some of the most helpful Q&As from the event:

1. When do you have to “purge” your database?

The answer is don’t. They might come back alive. Don’t forget about the right to be forgotten. The person you purged might want to circle back around and ask if they have been forgotten. So, you better have records of that.

Just for a safe bet, send a soft opt-in if they were in your database before May 5th, 2018. Then, if you must purge your database in order to save on storage fees, store their information in a secure, safe place.

2. Let’s say there’s someone from Germany now living in California. When they filled out your form, they put that they’re in California. So do they fall under GDPR guidelines?

Nope, as far as you’re concerned, they’re a U.S. citizen. Just make sure you have a record of that. On the other hand, if they put they were from Germany, they would fall under the guidelines. You get it.

The GDPR does not protect an individual’s privacy rights if they personally identify themselves incorrectly or not as an EU/Swiss citizen.

Actually, ReachForce’s SmartForms is configured to infer country information via the IP address detected from the browser, which helps.

3. Ok, so what about a dual-citizen?

Same as #2. It applies based upon residency and how they opt in. If they have already opted in and are in your system before May 5th, then get an explicit opt-in from them. And of course, keep a good record (are you sensing a pattern here?).

4. Let’s talk about the right to be forgotten. Is this something you could sign away in terms and conditions?

Nope. This must be formally reported. Keep a link to the right to be forgotten form on your website, or details on who to email, somewhere like your privacy policy.

5. What if a person emails a random person at your company asking for the right to be forgotten?

Forward it to your Data Protection Officer, or whoever runs/keeps records on GDPR. He/she will then take the necessary steps to ensure that all the applicant’s data is erased.

6. Can you express the right to be forgotten on behalf of others? Ex: Let’s say a CTO of a large company asks another company to stop contacting its users and says that all their employees want to exercise that right.

Nope. Each person has to individually express that themselves. This is for lots of reasons, but they won’t be covered here.

7. So what about that list you purchased with European contacts?

We recommend running an opt-in campaign to get the people on the list to explicitly opt in. If they have not opted in by May 5th, opt them out. The other option is to use the list until May 5th, then throw it out.

In conclusion

Keep records of EVERYTHING. Create workflows to timestamp opt-out and opt-in dates and add to a master block list. Have another workflow apply, at minimum, a double opt-in for contacts in the EU.

If you think it’s important, have a record. If you don’t think it’s important, you should probably keep a record of it anyway.

Happy regulating!
