Jun 20, 2018

The Definitive GDPR Checklist for Marketers

by Digital Marketing Institute

This is a marketer’s guide to GDPR, to ensure you’re completely covered and have your marketing processes in order when dealing with GDPR regulations.

Before you begin

Do you hold and process the personal data of EU citizens?

This guide is for marketers who work in companies in the EU and who process information about EU citizens. Many companies based outside the EU may also inadvertently process data relating to EU citizens, so the first step for those companies is to audit their data and discover whether any of it relates to EU citizens. If that audit shows that you do in fact process EU citizens’ data, follow the rest of this guide as well.

Get familiar with your IT team

With the rise of digital marketing and martech solutions, like CRM and inbound marketing software, the marketing team and the IT team have never been closer. The majority of GDPR compliance falls under the responsibility of both marketing and IT. In this guide, we’ll discuss the items that fall under marketing, but you will need to work closely with your IT department or provider to ensure the full picture is complete.

The IT department will need your help to cover highly important elements of GDPR compliance, such as where data is stored (in which country, and whether on an on-premises server or in the cloud, for example). If you migrated to the cloud recently, is there an old server backup lying around somewhere? Old copies of data on a legacy machine may be unused by you, but attackers could still potentially access them.

The IT department must also prepare for a security breach and ensure there are security measures at every step of the process through which data is used and shared. You should therefore be able to give them a step-by-step account of how customer data is accessed and used, including any third-party software involved.

Step 1. Get your privacy policy page up to scratch

GDPR contains strict regulations regarding your privacy policy – how it must be written, what it must contain and how it must be accessed.

  • While you should work with your legal team or legal consultant on the wording of your privacy policy, GDPR regulations stipulate that it must be written in language that is “concise, transparent, intelligible and easily accessible, using clear and plain language”
  • You must give a “meaningful overview of the intended processing”: how exactly you will use the data you collect
  • Provide the identity and the contact details of the data controller and the data protection officer in your organisation
  • If you intend to share data with third parties, you must identify those organisations and the safeguards put in place to protect the data transferred
  • Intended retention periods or the criteria used to determine that period
  • Details on rights of access to and correction or deletion of personal data (it’s a good idea to link here to the request for information page covered in step 7 of this checklist)
  • Details on the right to withdraw consent for any and all purposes of data processing
  • The right to lodge a complaint with a supervisory authority
  • Details of any automated decision making, including details of the logic used and potential consequences for the individual. This is the section that relates to the third-party software providers outlined in step 6 of this checklist.

Step 2. Audit your current databases for opt-in consent

Begin by determining whether you have explicit consent to use the personal details in your current database, and for exactly which purposes that consent was given. Ensure consent for each purpose is documented, then divide your database into separate lists by documented purpose and create a ‘next steps’ plan for each list: reaching out to reconfirm consent, or to request consent for purposes for which you wish to use (or have been using) their data without explicit consent. You may need to reconfirm opt-in in the following situations:

  • Contact details were sourced from third parties
  • No opt-in is recorded
  • Unspecific opt-in (doesn’t explicitly give consent for each use of data)
  • No opt-in for certain ways in which you have been using, or wish to use, the data
  • In cases where opt-in is recorded but you haven’t engaged for an extended period, it may be wise to request opt-in again

Step 3. Re-opt-in campaigns for current databases

Based on the lists you identified in step 2, you must now create engaging campaigns that ask contacts to opt in or re-opt-in for the specific purposes for which you wish to use their data.

This is no easy feat – particularly after the recent controversy over Cambridge Analytica and Facebook, consumer sentiment regarding the privacy of personal data has never been more fraught. So you must clearly convey the benefit to the consumer of giving you consent to use their data, and convey that the utmost care will be taken to keep that data safe.

  • Create the right messaging for each campaign
  • Create engaging landing pages and opt-in forms
  • If relevant or possible for your business, follow up the emails with personalised phone calls from the marketing or sales team. Verbal consent to a clear question on a recorded call is a valid form of opt-in. Create a script for team members making these calls.

Step 4. Create a process for opt-in consent

For any new contact details you add to your database following your audit, ensure there is a process in place to gather the required level of opt-in for each new contact, and that their details are added to the appropriate list based on opt-in for specific purposes.

GDPR regulations stipulate that consent must now be gathered by customers actively opting in, rather than opt-in being the default and customers having to opt out. For example, checkboxes allowing sales and marketing communication at the end of contact forms must be unchecked by default, and users must tick them to opt in. Here are some examples of ways people can actively opt in:

  1. Checking an opt-in checkbox
  2. Clicking an opt-in button or link
  3. Selecting from a yes/no option drop down or buttons
  4. Choosing settings or preferences in their account dashboard
  5. Responding to an email requesting consent
  6. Answering yes to a clear verbal consent request – in-person or over the phone
  7. Signing a consent statement on a paper form

Opt-In Consent

  • You also need a separate opt-in consent for EACH way in which you wish to use their data – whether that be sales, promotions, market research, email list retargeting etc.
  • Once you have decided on your new opt-in process, adjust the blog or newsletter subscription form on your website to include specific and explicit opt-in for EACH way in which you wish to use data
  • Adjust all forms (contact, quote request, demo request etc.) on your website to include specific explicit opt-ins
  • Link to your privacy policy from all forms
  • Offer clear ways of unsubscribing for each type of contact
  • If you keep duplicated copies of databases for whatever reason, document a process by which ALL customer information can be deleted from each copy if opt-out is requested for all or specific types of contact
  • Train all existing and new team members on the importance of following this procedure.
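As an added illustration (not code from the original article or from Digital Marketing Institute), the following Python sketch shows how a consent ledger can support both the Step 2 audit and the Step 4 opt-in process: consent is stored per purpose with the method and evidence behind it, blanket or passive "consent" is refused at the point of recording, and an audit pass splits a database into per-purpose lists plus a re-opt-in worklist using the reasons listed in Step 2. The purpose names, the list of active opt-in methods, the 24-month staleness threshold and the sample contacts are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Consent is recorded per specific purpose; a blanket "all" is not accepted.
PURPOSES = ("newsletter", "sales_contact", "market_research", "ad_retargeting")
# Ways a person actively opts in (the seven listed in Step 4); a pre-ticked
# box or silence is not on this list, so it can never be recorded as consent.
ACTIVE_METHODS = ("checkbox", "button", "yes_no_choice", "account_settings",
                  "email_reply", "recorded_call", "paper_form")
# Assumption for this example: no engagement for 24 months flags a contact
# for re-confirmation, as Step 2 suggests for long-idle opt-ins.
STALE_AFTER = timedelta(days=730)


@dataclass
class Consent:
    purpose: str
    method: str
    given_at: datetime
    evidence: str  # form submission id, call recording id, scanned form ref


@dataclass
class Contact:
    email: str
    source: str                     # "website_form" or "third_party_list"
    last_engaged: Optional[datetime]
    consents: list = field(default_factory=list)


def record_consent(contact, purpose, method, evidence, given_at):
    """Step 4: store only consent that is specific and actively given."""
    if purpose not in PURPOSES:
        raise ValueError(f"consent must be for one purpose, got {purpose!r}")
    if method not in ACTIVE_METHODS:
        raise ValueError(f"{method!r} is not an active opt-in")
    contact.consents.append(Consent(purpose, method, given_at, evidence))


def withdraw_consent(contact, purpose):
    """Unsubscribe from one type of contact without touching the others."""
    contact.consents = [c for c in contact.consents if c.purpose != purpose]


def has_consent(contact, purpose):
    return any(c.purpose == purpose for c in contact.consents)


def audit_contact(contact, intended_purposes, now):
    """Step 2: list the reasons this contact needs (re-)opt-in; [] means none."""
    reasons = []
    if contact.source == "third_party_list":
        reasons.append("contact details sourced from third party")
    if not contact.consents:
        reasons.append("no opt-in recorded")
        return reasons
    if any(c.purpose not in PURPOSES for c in contact.consents):
        reasons.append("unspecific opt-in")
    missing = [p for p in intended_purposes if not has_consent(contact, p)]
    if missing:
        reasons.append("no opt-in for: " + ", ".join(missing))
    if contact.last_engaged is None or now - contact.last_engaged > STALE_AFTER:
        reasons.append("no engagement for an extended period")
    return reasons


def split_database(contacts, intended_purposes, now):
    """Per-purpose lists backed by documented consent, plus a re-opt-in worklist."""
    usable = {p: [] for p in intended_purposes}
    reoptin = {}
    for contact in contacts:
        for p in intended_purposes:
            if has_consent(contact, p):
                usable[p].append(contact.email)
        reasons = audit_contact(contact, intended_purposes, now)
        if reasons:
            reoptin[contact.email] = reasons
    return usable, reoptin


# Constructed sample database for the example (not real contacts).
NOW = datetime(2018, 6, 20, tzinfo=timezone.utc)


def sample_contacts():
    a = Contact("a@example.com", "website_form", NOW - timedelta(days=10))
    record_consent(a, "newsletter", "checkbox", "form-101", NOW - timedelta(days=400))
    record_consent(a, "sales_contact", "recorded_call", "call-77", NOW - timedelta(days=30))
    b = Contact("b@example.com", "website_form", NOW - timedelta(days=900))
    record_consent(b, "newsletter", "checkbox", "form-55", NOW - timedelta(days=1000))
    c = Contact("c@example.com", "third_party_list", None)
    d = Contact("d@example.com", "website_form", NOW - timedelta(days=5))
    # Legacy blanket consent imported before the audit, bypassing the check.
    d.consents.append(Consent("all", "checkbox", NOW - timedelta(days=20), "legacy-form"))
    return [a, b, c, d]


if __name__ == "__main__":
    usable, reoptin = split_database(sample_contacts(), ("newsletter", "sales_contact"), NOW)
    for purpose, emails in usable.items():
        print(f"{purpose}: {emails}")
    for email, reasons in reoptin.items():
        print(f"re-opt-in {email}: {'; '.join(reasons)}")
```

The design point is that the per-purpose list used by a campaign is derived from recorded consent, not maintained by hand, so a withdrawal (`withdraw_consent`) or a refused blanket opt-in is reflected the next time the lists are built; the `evidence` field is what you would show a supervisory authority or an individual asking how their consent was obtained.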

With any new marketing tool, innovation, strategy or idea there will always be a discussion as to how that will impact the bottom line of the business. You now need to get into the habit of also asking how every new project, tool or process will include and impact your collection, processing and storage of personal data.

Step 5. Get the sales team on board

If yours is a lead-gen business (as opposed to retail or ecommerce), marketing will likely bring the leads in and pass them on to the sales team for conversion.

In the past, your sales team might have taken contacts who provided their email address to download gated content or subscribe to the newsletter and approached them with a sales pitch or an offer of a free trial or demo. Under GDPR, unless those contacts give explicit consent for the sales team to contact them, this practice is no longer permitted.

The sales team may not be as switched on to the upcoming GDPR regulations, thinking they won’t affect their daily working lives. But when a significant portion of the company database is now off-limits to them, their lead numbers will look much thinner, and they must understand the consequences of ignoring these rules and contacting those people anyway.

Hold GDPR training for the sales team to:

  • Prepare them for reduced lead numbers
  • Educate them on the consequences of non-compliance with GDPR
  • Let them know which leads they can engage with. Help them understand your opt-in process and know where to find that information
  • Educate them in how to obtain and record opt-in consent when networking, engaging with a cold lead or on LinkedIn
  • Review the process of how leads are transferred from marketing to sales and work with IT to ensure all steps on that path are secure

Step 6. Review third parties who have access to your databases

What third parties do you share data with? How do they use it? What are their GDPR policies?

  • Review all partners that access your customer data. Do they need access? What do they use it for? Revoke access if required
  • Contact all external partners who still must access your databases and confirm that their work processes are secure and compliant with GDPR
  • The same applies to software providers into which you input or through which you collect customer data. Ask where they store the data (country) and if there is anything you need to add to your privacy policy regarding the software

For Marketing Agencies

This works in reverse too. If you’re a digital marketer in an agency as opposed to in-house, you are likely one of those third parties who handles many companies’ databases.

You may, for example, have clients who share documents, Excel files, CRM access or website CMS access that shows you the personal data of their customers: name, address, email address, phone number and transaction information. This could be for reporting purposes, or you may, for example, upload their database email lists to their AdWords remarketing or RLSA campaigns.

Audit your dealings and levels of access for each client, and where you find you have access to personal data:

  • Request that your level of access to software where you can access personal data is modified to only allow you to see what you need – e.g. transaction numbers and revenue without any personal data attached
  • Give clients owner access to things like AdWords (if they don’t have it already) and train them to upload their own database lists so that you no longer have to handle and process that data.

Step 7. Have a streamlined process for information requests

GDPR rules stipulate that you must provide a full response to a request for information within one month at the latest. A ‘full response’ must include:

  • What data is being recorded about the individual
  • Where that data is stored
  • For what purposes you’ve recorded and used the data
  • For how long you intend to keep it

Rather than fearing these requests, set up a streamlined process for retrieving this data. If you use a CRM or marketing automation software, with the help of your IT department you should be able to simplify and automate the process:

  • Create a landing page on your website with an information request form
  • Assign a member (or members) of the team who is responsible for checking requests, pulling the data (from the automation tool if possible) and responding within one month
  • Draft a template response email into which the individual’s data can be added, which also includes the option to unsubscribe or manage levels of consent, as well as the option to have data updated or deleted

Step 8. Prepare for a security breach

While your IT team will take on the lion’s share of the work in preventing, preparing for and handling technical security breaches, often marketing and customer service are on the front line to field customer complaints and questions when a security breach makes the headlines.

  • Prepare boilerplate crisis communication documents that deal with the eventuality of a security breach, including:
      • Process document including points of contact, emergency contact numbers, spokesperson etc.
      • Draft media statement, blog and social media updates
      • Draft script and brief responses to field customer questions over the phone or social media
      • One-pager outlining the steps taken by all departments to comply with GDPR and IT security
      • Q&A document

Don’t Panic. Document Your Process.

While there have been a lot of alarming headlines about GDPR, mainly that the fine for non-compliance with GDPR regulations is equal to 4% of annual global revenue or €20 million, remember that this is the maximum fine and will likely be reserved for repeat offences.

If you follow the guidelines above and document your process, you can show you are doing the utmost to comply with the regulations. We also recommend that you do not take this checklist as legal advice - you should work with your IT team and legal team to ensure there are no loose ends regarding compliance.
