
Jeremy Martin | May 14, 2018

How Bedrock Became GDPR Compliant


As of May 25th, all organizations working with the data of EU citizens will need to be GDPR (General Data Protection Regulation) compliant.

For this reason, we at Bedrock Data have updated our Privacy Policy and End User Subscription Agreement. And to give you visibility into how we process data, we also created a new Data Processing Agreement with additional information about security, your right to own personal data, and more.

By this point, many businesses have added similar resources to their websites, with the best ensuring that they’re also easy for customers to read and understand. For those still honing their digital marketing approach, we'll share how we went about updating our customers about our new policies — and managed to write them in plain English.


The Beginning

We first started thinking of GDPR in September 2016. While this was a long time away, we knew this was one of the biggest policies in recent decades. GDPR was also a good excuse to revise our legal documentation, so we wrote a new Terms of Use and Subscription Agreement.

A year later, in September 2017, we really started getting serious about the details of each clause about the protection of personal data. Like many of you, we also attended webinars and read voraciously.

After absorbing several months of content, ranging from the privacy policies of European software vendors to the GDPR articles themselves, our teams gave our Privacy Policy a major facelift in late 2017. A good step, because once European prospects and existing customers began to ask us questions, we could refer them to our documentation.


The Middle

Still, we weren’t as airtight as we'd need to be by May 2018. It was only a matter of time before a customer asked if we had a Data Processing Agreement. So as a data controller (our customers are data processors), we ventured to write our DPA based on the GDPR’s Article 12, emending the language of several auditing clauses to better suit our business. Upon publishing our DPA on the legal section of our website, we also distributed versions to existing customers and new customers alike, making sure to keep our signed/countersigned copy safe. To our delight, customers were happy we’d reached out, and most signed the DPA almost immediately.

By early 2018, we began to identify all the customers in the EU and European Economic Area whom we would need to ask for reconsent by May. As this was about 15% of our customer base, we chose to immediately opt some people out and contact a smaller number of folks.

Around this time we sent out an email to customers regarding our policy updates, glad that the only real to-dos were to implement copy updates on our web forms. The timing was perfect, aligning well with a website redesign we’d been planning for months. If our website was going to look good, our copy would look good asking for permission to collect data, or else allow folks to opt out.

During the stage of updating language on our website, we knew that unambiguous consent from forms and any other lead entry points must be logged and time-stamped if it comes from a form with a checkbox. A lot of our discussions focused on how to create the best customer experience. Would customers prefer copy that read “by clicking accept I agree to…”? Or would they prefer a checkbox? And since we have Drift on our website, we would want clear language about how any data from a prior Drift conversation might be used later on.


The End

Looking back on the entire experience of how we became GDPR compliant, I now recall a piece our CEO, Taylor Barstow, wrote for Database Trends and Applications (also available in the DBTA 2018 CyberSecurity Sourcebook), called “Is GDPR a burden or a blessing?”. At first, GDPR feels like a burden. But it also forced us to be the change we wanted to see in the world: a world of clear privacy policies, data processing agreements, the right to be forgotten, the right to opt out, and the right to feel respected. Thanks to GDPR, we’ve improved our transparency far more than would’ve been possible without it.

The GDPR also seems rather pat for a business like ours. Bedrock Data’s new product, Fusion, aims to make the right data easily available to the right people. For some, GDPR may seem like a burden if they must provide records of the customer’s consent, including the conditions under which each customer has given their consent and the specific purpose for which consent was obtained. If your business must say — in simple language — where customer data resides, what the data is used for, who has access to it, and why, GDPR is a good thing if all that consent data (cookies, metadata, billing information, phone numbers, etc.) is under one roof.

GDPR, in other words, is the best of both worlds. All of us, as human beings, want our emails and online messages to remain confidential. And all of us, as human businesses, want to see clear privacy notices and justification for why someone is collecting data. The transparency GDPR strives to enforce can only foster greater trust and customer loyalty to brands. And although GDPR will render personal data harder to collect — and therefore scarcer — it will also make the data we do collect more valuable.

So as you email your own customer base to let them know that you treat data privacy and security seriously, be sure to emphasize greater visibility into how you process data that they can review at any time. The takeaway should be that they own their personal data and that, should they have questions about how GDPR affects them, they can easily contact you. Be sure to publish your new policies on your site, usually in your legal section. And trumpet your updates: blog, tweet, and triple-check that your CRM’s automated email lists are accurate and that you do, in fact, have permission to contact everyone captured in these systems. Audit your CMS to ensure all forms that prospects, leads, partners, and customers fill out include the option for them to confirm that they wish to be contacted. These forms must proactively seek permission to send emails and product updates by offering a visible opt-in on the UI. So nix that pre-checked box. Make the ability to unsubscribe more prominent. And if customers have opted out of being contacted, don’t ever contact them again unless they contact you.

Overall, though, view GDPR as a blessing. After all, it’s one of the biggest wins for customer experience in decades.
