The European Union's General Data Protection Regulation requirements may profoundly affect the ways Salesforce Marketing Cloud customers use customer data. Salesforce GDPR marketing compliance will require marketers to evaluate and often rethink marketing efforts that touch European customers. And it does not just apply to big companies, either.
GDPR applies to any company that markets to people in the European Union (EU), regardless of the size of the organization, said David Fowler, head of privacy and digital compliance at Act-On Software, a marketing automation provider. That makes GDPR marketing compliance a top priority.
Companies with more than 250 employees are required to have a data protection officer on staff who bears the responsibility to maintain the organization's compliance and act as an extension of the organization's data protection authority. Companies that violate GDPR will be subject to fines of up to 4% of their annual worldwide revenue or €20 million, whichever is greater.
Breeding a better marketing strategy
The new regulations may seem onerous and scary for marketers in the short run. They may also lead to better digital marketing strategies that focus more on customer enrollment rather than promotion in the long run.
"It is a chance for marketers to reassess the data value exchange between business and user," Fowler said. "And I believe it will ultimately lead to better digital marketers."
Under GDPR, marketers will have to honor an individual's right to be forgotten -- fulfilling requests to delete information about them and providing proof that it was done. They must obtain explicit permission to gather data, and they must communicate exactly what they're going to do with the subject's information and the purpose of processing it. They will also be required to allow people to see their own data in a commonly readable format.
These requirements will create a lot of confusion in the beginning. Can you track someone using their data? Can you share this data with third parties? If a customer wants to leave, do they have the right of erasure? Will companies have to return certain data?
"At the moment, it's a very gray area operationally, especially as the definition of personal data has been expanded to include online identifiers, such as cookies and IP addresses," Fowler said.
Attention on all lead-gen channels
GDPR will raise the level of the processes marketers need to have in place, as well as the attention on all the lead-generation channels, including the current database, acquisition processes, emphasis on different channels and the care of current relationships.
Marketers will need to evaluate their current database and see how many of their contacts meet the GDPR standard. Some enterprises may have to start from scratch. Marketing databases will be smaller because it will not be as easy to add names.
Businesses will not be able to acquire leads through events or content syndication and automatically assume they can market to them. This could change the landscape of marketing ROI. Marketers will need to ask lead-gen partners to get leads to opt in and provide proof. This may entail signing an e-contract at a trade show booth before getting a new fidget spinner for the kids.
These changes could drive marketing efforts to emphasize inbound marketing through search engine optimization and promote products and content to communities like product review sites. More care must also be taken not to lose contacts that have been secured. For example, it is important not to oversaturate customers or prospects with too much or off topic communications.
Complexity of marketing stacks
One of the biggest technical challenges will lie in analyzing complex marketing stacks built from best-of-breed components.
"Given that large marketing programs often have 25 or more components within their marketing stack, it's critical to understand how those data sources and distribution channels can be adapted to align with regulations and stay in GDPR compliance," said Jeff Nicholson, VP of CRM product marketing at Pegasystems.
Business owners and marketers should analyze all the partners who collect data in their supply chain and ask for written verification that they are GDPR compliant.
"The responsibility is on the marketer to verify the state of all your data collection partners," said Paul Harrison, CTO at Simpli.fi, an omnichannel AdTech platform.
Watch out for cookies
GDPR touches all the points in the collection, storage and use of personal data -- and this includes all data, not just personally identifiable information. In addition to names, addresses, identification numbers, birthdates, email addresses, etc., GDPR applies to data such as IP addresses and behavioral data collected by cookies or tracking pixels. GDPR covers any information that can be used to directly or indirectly identify an individual -- such as names, photos, email addresses, financial details, posts on social networking sites, medical information or a computer IP address -- no matter when it was collected.
A marketer will need to treat cookie data with the same level of protection as they would a customer's address or birthdate. This means data security and privacy are no longer just IT's problem.
"Marketers need to educate themselves on what data they have, how they can use it and how it is protected, then limit access appropriately," said Matt Harris, co-founder and CEO at Sendwithus, an email marketing service.
GDPR also requires marketers to audit previously collected email addresses to ensure they have obtained proper consent to store and use them. If not, they'll either need to delete the addresses or obtain new consent to keep them -- the same consent they'll need for all new email addresses going forward.
Tighter controls on email
The regulation will affect any marketer with an outbound email program that reaches EU citizens.
"The days of exporting a huge CSV file of user data and uploading it to your email marketing platform are fast drawing to a close," Harris said.
The days of exporting a huge CSV file of user data and uploading it to your email marketing platform are fast drawing to a close.
Matt HarrisSendwithus
One good GDPR marketing compliance strategy for Salesforce users is to make the opt-in language clear. An opt-in form must not only collect consent with a positive action on the customer's part, it should also prompt them to read the privacy policy. That policy should be written in plain, easy-to-understand language that makes it clear to customers what data is being collected, how it will be used, as well as how they can opt out and have their data deleted.
Another good practice is to consider a double opt-in where the user must take an extra step to confirm their email address and provide consent. This adds another layer of protection for businesses. Regular maintenance of email lists should also be conducted to remove stale data.
It's also a good idea to have a draft breach notification drawn up.
"Customer communications in this kind of circumstance often fall to marketers, so while no one wants to anticipate a breach, it's wise to make sure you're ready," Harris said. "Have a draft of your message written and coded, ready to be edited, approved and sent on short notice.
"You should also create a process for quickly identifying the affected email addresses so your message isn't delayed while you figure out who needs to receive it."
