This post is part of a series in which we explore how GDPR affects the channel, especially when using marketing automation tools. As we’re not legal experts, please consult with your own legal experts for specifics about your situation.
Why we’re still talking about GDPR
In the past few months, numerous companies have had their security breached and their customers’ data privacy violated. Authorities are cracking down hard on companies that can’t secure their customers’ data, and companies are finding that they need to update their data policies and rethink the way they collect and handle data.
While this is great for the consumer, it’s difficult for companies to actually do. It’s especially tricky in the channel space as more than one company handles a consumer’s data. Vendors, partners, and data processors such as marketing automation platforms all share consumer data. Each of these parties must comply with data protection regulations such as GDPR.
GDPR is the most prominent of these regulations and can be tricky to navigate, especially as it applies to anyone who handles the personal data of people in Europe, whether or not the company itself is based there. We’ve created a series in which we explore how GDPR affects the channel, especially when using marketing automation tools.
What is GDPR?
The General Data Protection Regulation (GDPR) protects the personal data of people in the European Union (and, through the EEA agreement, Iceland, Liechtenstein and Norway). It applies to any company that obtains and/or handles personal data belonging to these people, whether that means collecting, processing, storing, or transferring it. This is true regardless of where the company is located, as long as it offers goods or services to people in the EU or monitors their behaviour. So a software company in the US that handles the personal data of people in Europe would still have to comply with GDPR even though it isn’t located in Europe.
Under GDPR, personal data can only be processed if at least one of the six lawful bases in Article 6 applies. For the channel, the three that matter most are
- Consent has been given
- Processing data is necessary for the performance of a contract
- Legitimate interest
Consent
Like a medical consent form, a request for consent to data collection must explicitly state what data you are collecting, what it’s for, who it will be shared with, how it will be stored, and for how long. Consent must be freely given, specific to the stated purpose, and obtained from the person whose data is being collected (the data subject). For the channel, that means the customer/prospect gives consent to the party collecting the data (the vendor or the partner). A data processor, an entity that processes data you give it according to your instructions, does not itself ask the person for consent; instead it must process the data only on the controller’s documented instructions under a written data processing agreement (Article 28). An example would be Mailchimp, which stores your contact lists and sends emails to them on your behalf.
Once consent has been obtained, the party that relies on it must be able to demonstrate it (Article 7), so the record of who consented, to what, when, and how should be kept for as long as the processing continues. For the channel, the vendor and the partner should each keep the consent record for the processing they control, and the processor should keep the contract and instructions that authorise it to act. GDPR does not set a fixed renewal interval, but consent should be refreshed when the purpose changes or when it has become stale, and it may be withdrawn at any time; withdrawing must be as easy as giving it, and processing based on that consent must stop when it is withdrawn.
Data Processing
Under GDPR, data processing includes collecting, recording, storing, organising, retrieving, sharing, and erasing data; pretty much anything you do with personal data counts as processing. Examples would be
- Collecting emails for a mailing list
- Storing IP addresses for security purposes
- Storing contact information in a marketing automation platform
Data processing must occur for a specific purpose, such as collecting emails for a newsletter mailing list. You can’t just process data for whatever reason; the purpose needs to be specific and clearly defined when asking for consent, and data collected for one purpose can’t later be reused for an unrelated one without a new lawful basis.
Legitimate Interest
This is when an organisation has a genuine interest in processing the data and the processing is something the person would reasonably expect. The data collected should be necessary for that purpose, and the organisation must run a balancing test: its interest must not be overridden by the person’s own interests, rights and freedoms, and the outcome of that assessment should be documented. Direct marketing can qualify as a legitimate interest, but electronic marketing (email, SMS) is also subject to separate ePrivacy rules that in most cases require consent, so legitimate interest alone is rarely enough for a mailing list.
An example of this is someone uploading their resume to a job board such as Indeed. In this case, the person who uploaded the resume can expect recruiters, hiring managers and anyone else looking to fill an open position to contact them based on the information provided in the resume.
Why is GDPR important to the Channel?
Under GDPR everyone who handles the personal data of people in Europe must have a lawful basis, most often consent in a marketing context, in order to use, process, store, or transfer the data. In the channel, there are typically 3 parties involved in obtaining, using, and storing this data. They are the vendor, the partner, and a data processor such as HubSpot. The vendor and the partner decide why and how the data is processed, so each of them is a controller for its own processing and must be able to show the basis for it (for consent, the stored consent record). The processor must hold a written contract with the controller and process only on its documented instructions. The vendor remains in scope even if it is not located in Europe.
GDPR is tricky for the channel because customer/prospect information moves between the vendor and the partner, and a person who consented to hearing from one of them has not necessarily consented to hearing from the other. This is a large concern when using a through-channel marketing automation system, as the partner will be sending the vendor’s campaigns to the partner’s own mailing lists through a platform the vendor also uses. Currently, most marketing automation platforms that the channel uses don’t have the network/software architecture necessary to properly separate the partner’s data from the vendor’s data. This data separation is necessary to be GDPR compliant, because without it data collected by the partner for its purposes can end up in the vendor’s hands for purposes the person never agreed to. Since most platforms don’t currently have the separation in place, they run the risk of noncompliance.
What are the consequences of a GDPR violation?
The penalties for violating GDPR are steep. For the most serious violations, fines can be up to €20 million or 4% of annual global turnover, whichever is higher (€20 million is roughly $24,000,000 at the time of writing); a lower tier of up to €10 million or 2% applies to violations such as failing to keep proper records or contracts with processors. The amount is determined by a number of factors, including the nature and duration of the violation, whether it was intentional or negligent, how soon it was reported, what was done to limit the damage, and whether the company cooperated with the authorities.
Since data in the channel is handled by more than one party, a violation by one party, such as a partner, can expose the others. A controller is responsible for choosing processors that provide sufficient guarantees and for putting the required contract in place, and where vendor and partner jointly decide on the processing, each can be held liable for the damage it causes. This is why it’s important to ensure that all parties involved are GDPR compliant.
How do I know if my partners are compliant?
It’s not just you who has to be GDPR compliant, but your partners too. Rather than leave your partner to navigate GDPR compliance by themselves, you should guide your partners through the process of becoming compliant.
- Be on top of regulatory changes
Make sure to keep up to date with any GDPR and other regulatory changes and inform your partners of them in a timely manner. Be sure to check in with your partner at regular intervals to ensure that they remain compliant. These updates can be sent in your regular newsletter.
- Rework your partnership agreement
Your new agreement will need to include a data-sharing clause, as GDPR requires you to tell people who will receive their data. The clause should state which role each party plays (controller, joint controller, or processor), what data will be collected, how that data will be used, and how it will be stored. It should also state how long the data will be held, how it will be removed from both parties’ systems, and how quickly each party must notify the other of a data breach, since the controller has only 72 hours from becoming aware of a breach to report it to the supervisory authority.
- Educate partners
There’s a high chance that none of your partners have lawyers on hand to help them figure out how to be compliant. You should educate your partners on what GDPR is, how it affects them, and what the consequences are for violating it. Make sure to share material like checklists that will help them be compliant, host webinars, and provide additional support and training when necessary.
- Establish compliance procedures and metrics
Make sure to lay out some metrics and procedures so that your partners can show you and others that they are GDPR compliant across all their platforms: for example, a record of processing activities that lists what data they hold, why, on what lawful basis, who it is shared with, and when it is deleted, plus a process for handling access and deletion requests. These procedures and metrics will establish an audit trail that you and your partners can show the authorities if necessary.
- Know when to let the relationship go
It sucks, but sometimes your partners may not want to be GDPR compliant. If that’s the case and you’ve tried everything to make them see that it’s necessary for their business, then it’s time to let them go. There are steep fines for noncompliance, and if your partner gets fined for processing you are jointly responsible for, you might get fined as well. This is the last-resort step.
Conclusion
GDPR is the most prominent data protection regulation that affects a large number of companies. Everyone who handles the data of people in Europe must comply with it or risk being fined up to €20 million or 4% of their annual global turnover, whichever is higher. Under the regulation, companies must have a lawful basis, most often consent in marketing, to handle a consumer’s data. They must also have a data policy that lays out how they will collect, use, share, store and destroy the data that they obtain.
For the channel, the vendor, the partner, and the data processor (e.g. a marketing automation platform) must all be compliant. The vendor and the partner must each be able to demonstrate the consumer’s consent for their own processing, the processor must act under a written contract, and the parties need a data-sharing agreement in place. Vendors can help their partners become compliant by educating partners and establishing compliance procedures and metrics.