This post is part of a series in which we explore how GDPR affects the channel, especially when using marketing automation tools. As we’re not legal experts, please consult with your own legal experts for specifics about your situation.
Through Channel Marketing Automation (TCMA) platforms make GDPR compliance trickier as partners market their vendors to their (the partner’s) customers. Partners of vendors may resell their vendor’s products to the partner’s own customers or may service their vendor’s products. Depending on the type of relationship the partner has with the vendor, the partner’s customers may not know about the vendor. This is most common in reseller relationships in which the partners resell the vendor’s products to their own customers.
Depending on how the TCMA platform is set up, this could mean that to be GDPR compliant, all the parties, including the partner and vendor, must get consent from the contact in order for the platform to process their data. In this case, the platform is acting as the data processor, meaning that it is handling the contact’s data on behalf of the partner and vendor.
What is GDPR? A quick refresher
The General Data Protection Regulation (GDPR) Act protects the personal data of European citizens and residents. It applies to everyone handling this data even if they aren’t located in Europe themselves. The key aspect of this act for the channel is that consent must be obtained before anything can be done with the personal data of European residents and citizens.
Why does GDPR matter to the Channel?
In the channel, there are typically 3 parties involved in obtaining, using, and storing this data. They are the vendor, the partner, and a channel marketing automation company, such as xAmplify. Typically, this means that the party marketing to the contact must obtain the contact’s consent. In this case, this responsibility would fall on the partner. This obtained consent must be stored in each party’s records.
For more information on this, see our Why GDPR is Important to the Channel post.
What is TCMA and how does the Channel use it?
Marketing Automation is the process of using technology to automate repetitive tasks such as sending emails, posting on social media, and more. It can also be used to personalize marketing campaigns, such as addressing each campaign to a specific person. All of this personalization and automation makes it easier to keep in touch with existing customers and to reach new ones. This makes marketing operations easier and frees up your sales and marketing teams to spend their time doing more important things such as market research and selling.
Through Channel Marketing Automation is marketing automation for the channel. It allows vendors to share their marketing content via their partners to their (the partners’) customers. It also allows partner leads to be shared with vendors.
How GDPR matters with TCMA
Depending on how data is stored in a TCMA platform, customer data could potentially be visible to people who don’t have consent to view that data. This could happen because permissions were assigned incorrectly, so that users of the platform can see data that they shouldn’t have access to, or because the appropriate consent was not obtained from the customer.
When a partner uses a TCMA, they are marketing their vendor’s content to their customer. This means the customer must provide clear consent to receive marketing communications. Depending on the platform architecture, terms of service, and privacy policy, the customer may need to opt-in to receive communications from both the partner and vendor.
Under GDPR, the customer must be aware of how their data is being used and stored, and how it will be removed if requested. Therefore, the partner-vendor relationship has to be described in the terms of service and privacy policy provided to the customer. This ensures that the customer understands who could potentially have access to their data and how it will be used by the partner, vendor, or both.
Contacts need to know what their data will be used for and the process for removing it if they ask. They also need to know how their data will be linked to analytics such as open rates.
When looking for a TCMA platform, vendors should consider the following factors.
- Is customer data isolated? Who can access the data and how?
- How long is consent valid for? Does the consent have to be renewed? Is consent by the person uploading data into the platform?
- How long is data stored on the platform? How are removal requests processed?
- How can contacts opt out of having their data stored on the platform? How is data scrubbed?
- Are unsubscribe links embedded in all marketing materials and communications? Do customers have an easy way to remove themselves from the list?
- How is data audited?
- What is the process for transferring data?
All of these factors should be considered before the vendor moves forward with selecting a TCMA platform. If the vendor selects a platform without thoroughly considering these factors, they may run the risk of violating GDPR. The vendor also needs to ensure that they and their partners are implementing GDPR best practices such as:
- Creating an audit trail for customer consent
- Establishing compliance procedures
- Understanding the data processing infrastructure
The partner-vendor contract with GDPR
Under GDPR, both the partner and the vendor need to get the customer’s consent before doing any marketing. This will depend on the terms of service, the platform used, and the data architecture of the platform. As a result, both the vendor and the partner may be responsible for that customer data. The partner-vendor contract should clearly convey this: since both parties are responsible for customer data, they are responsible for any potential GDPR violations as well.
Conclusion
Under GDPR, TCMA platforms must isolate customer data and only allow those authorized to access it. When obtaining customer consent, it must be made clear that the customer’s data will be processed/stored in a TCMA platform and they (the customer) may be marketed to by both the vendor and the partner. Finally, the partner-vendor contract must be adjusted to convey that both the partner and the vendor are responsible for the handling of customer data.