The new General Data Protection Regulation (GDPR) is fast approaching, and there are probably a lot of nervous inbound marketers out there, wondering what their agency or business needs to do to be compliant with these strict new rules on personal data. In a recent blog, we outlined the 12 main things you need to know about, from data auditing to data security and breach reports, but here, we take a closer look at the two big areas of concern for inbound marketing: legitimate interest and consent.
A Very Brief Overview of GDPR
That previously mentioned blog gives a great outline of what GDPR is, but in short, it’s a new regulation that aims to enhance the protection of every EU citizen’s personal data and increase their rights to have better control over it and what it is used for. The legislation comes into effect on May 25, and the fines outlined for non-compliance are potentially crippling, so it is imperative that every company and every inbound marketing agency gets to work on it very, very soon.
Those inbound marketers using the HubSpot portal will be pleased to know that as data processors working on your behalf, HubSpot needs to ensure that all users are compliant, so they are working hard to ensure across-the-board compliance is set up. You can find more details here, and we will also take a look at this as our discussion goes on.
Gathering consumer data is central to inbound marketing. We need it in order to engage with leads so that we can drive them down the conversion path from an initial click on a CTA or landing page towards becoming a customer or client, to tailor informative and engaging content for them, and to create the strategies that will help us succeed.
However, the new regulations will mean we have to be much more transparent in our data gathering – clearly outlining why and how we are using the data – and we must have a solid legal basis for doing so.
This is because EU citizens (or data subjects, as they are referred to in the legislation) will now have the right to know who holds personal data about them and what they are doing with it, as well as the right to object if they feel their rights – to privacy, avoiding intrusion, etc. – are being infringed upon through profiling, automation, etc.
All inbound marketers will now need to be able to track, access, and communicate to data subjects that lawful reason. HubSpot will be adding a new function that enables you to do just this, which will be available in late April, but for those without that platform, a lot of work will need to be done to ensure you can adequately identify where, when, how and why you hold the data of any EU citizen, and share it with a data subject upon request.
Lawful basis for inbound marketers really comes down to two things: legitimate interest and consent. Let’s take a look at the first of these:
Legitimate interest is one of the main reasons inbound marketers will give for holding and processing a person’s data. They will, for instance, argue that storing and processing the data of individuals will enable them to better understand their market, and provide more accurate and relevant content to those people. After all, bad data leads to bad content creation and inbound strategies.
Similarly, if a person shows an interest in your online content by visiting your site frequently, downloading an offer, etc, it can stand to reason that they will be legitimately interested in other similar content, or offers that bring them further into the buyer journey.
However, the tricky part comes with the caveat that legitimate interest can be overridden ‘by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data’. In other words, it is their right not to be targeted repeatedly with marketing messages they don’t want.
At the very least, marketers will have to prove it is reasonable to assume their audience will find their content compelling, and that it will have no impact upon a person’s rights.
Diving into the legislation, we can find three good examples of where a marketer can prove legitimate interest:
- Direct marketing: The GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’, so if a person subscribes to your blog or newsletter, or signs up to receive emails, the rules are pretty straightforward.
- Relevant and appropriate relationship: A direct relationship, such as sharing content or useful information with an existing client (or potential one), so that they can make an informed decision, is also straightforward.
- Reasonable expectations: If a person submits their personal data via a landing page form, for example, it can be understood that they will have a reasonable expectation that this data will be held and processed, and will be used by a marketing team to further engage.
What is HubSpot doing?
The good news is that, championed by HubSpot, inbound marketing, as opposed to traditional intrusive marketing, is essentially a form of marketing that has legitimate interest at its core. Providing useful and relevant content on your website attracts visitors to you, and if they are interested in finding out more, they provide their personal information with the understanding that it will be used to contact them with further offers and engagement. If they don’t want further engagement, they don’t provide their details.
Of course, overlapping with the subject of consent, there is still the issue of cookies, whereby a person’s data is gathered by way of tracking their activity, rather than through direct provision of their information through forms, etc. Each visitor to your site must be informed, in clear language they can understand, that you are using cookies to track them, and needs to consent to this. In other words, you can’t just eat up all those cookies; you have to get agreement to do so first.
HubSpot is, thankfully, working to update the default language for enabling cookies to reflect affirmative opt-ins, and to make it possible to display the cookie consent message in the right language, based on the website visitor’s location. This should be available very soon.
In summary though, inbound marketing can be seen to be relatively compliant when it comes to legitimate interest, because it uses the concept of attracting visitors to you and generating qualified leads through gated content, with every engagement consensual. That brings us on to the next issue: consent.
The GDPR has the same core rules as the existing Data Protection Directive, but there are some significant changes. The new definition of consent is as follows:
‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’
Let’s take a look at each part of the definition to understand exactly what sits behind the wording.
- Freely given – The data subject must have made a genuine choice to provide their information and thus be engaged with, and not have been misled or face negative impacts of not providing consent. Current guidance on freely given consent takes the approach that there should be a genuine choice made on the part of the data subject when they provide their data, and that they should not have been misled, intimidated or negatively impacted if they withheld consent. In other words, you can’t force a person to give their personal data and be marketed to. They have to have a choice.
- Specific – Consent must be obtained in a way that makes it very clear to the data subject what they are agreeing to, so you need to explain fully what you will do with their data. It can’t be ambiguous, so you can’t assume that consent given to receive a newsletter gives you licence to bombard somebody with email marketing and offers.
- Informed – The data subject must be aware of who you are and why you are engaging with them, and must also be informed of their right to withdraw consent at any time, before they are required to give consent.
- Clear affirmative action – This means that there needs to be a clear indication that the data subject agrees to your having and using their data. Silence, pre-ticked boxes or inaction (which have all been used in the past to assume consent) won’t cut it anymore.
What is HubSpot doing?
New features will soon come on board in the HubSpot platform to address the issue of consent. In common marketing tools such as forms, conversations or direct messaging, you will be able to provide proper notice to consumers before they provide their data, and transparently collect the appropriate consent when they agree to it.
The HubSpot subscription preferences page is also being updated to support opt-in preferences.
Yes, there is a lot to take in, which is why we have left some of the other important considerations such as data requests, opt-outs, data deletion and modification, and security, for another day. Keep an eye on our blog for an outline of what you need to know about these areas of the GDPR, and what HubSpot is doing to make things easier.
If you are interested in learning more about GDPR and the steps you need to take to be compliant, find out how we work with our partners to help you assess how much you need to do to meet regulatory requirements.
Send an email to firstname.lastname@example.org and we will get back to you as soon as possible, giving you a clear idea of how we can help your organisation.