Back to the Learning Center

By: IMPACT User on March 7th, 2018

OMG, it’s GDPR: 6 tips to get forms and consents regulation-ready

Spring is on the horizon, and if we were gardeners, we’d be thinking about planting spring bulbs. But we’re marketers, so instead, we’re thinking about the General Data Protection Regulation (GDPR) that is coming into effect on May 25, 2018.

No wonder GDPR is top of mind, with penalties for non-compliance reaching an eye-watering €20 million or 4 percent of annual worldwide turnover. For marketers who promote products and services to EU markets, falling afoul of the new regulations is a nerve-wracking prospect.

In this blog-post series, we’ll look at the key elements of an effective GDPR strategy, including auditing your existing forms and permissions, auditing the contact data that’s already in your system, and establishing data governance processes to ensure continued protection against a breach of compliance in future.

(Before we jump into our first post… PLEASE NOTE: We are martech practitioners, not legal eagles. While we have some good tips to share based on our own research and practice, we strongly recommend that you seek legal counsel to ensure that your organization is GDPR compliant.)

1. Audit your forms

Your site is likely to contain multiple sign-up forms, including webinar sign-ups, event registrations, gated content sign-ups, and contact forms. All of these forms need to be updated to reflect the rigorous requirements of GDPR. At a minimum, each form must include:

Opt-in language that reflects GDPR standards. The person needs to clearly understand what they are giving their consent to. If your current language includes vague phrases about “receiving communications” from you, replace it with something more concrete, such as “I agree to receiving your weekly newsletter,” or “I agree to receiving information about your products and services.”

A link to your privacy policy. It’s no longer enough to simply mention your privacy policy in your forms. You need to provide a direct link from the form to enable the person to review it before signing up or opting in or out.

An unchecked opt-in checkbox. Building your forms with an unchecked opt-in box as the default is a good marketing practice in any case, but GDPR makes it a legal requirement, so make sure every form defaults to an unchecked box.

2. Update your privacy policy

As part of the form audit, don’t forget to drill down into the associated privacy policies.

The GDPR requires a more stringent approach to privacy, especially around the use of cookies. How you use them to track behaviors and how that data can be used and shared, both within the organization and with any third parties, such as agencies, service partners, or third-party applications, needs to be carefully reviewed.

(This is definitely an area where you will want to rely on a lawyer to help you interpret the regulations and ensure your privacy policy is worded correctly.)

3. Document your records

In addition to front-end considerations, take a look at the metadata that needs to be collected with every new contact.

The rules for GDPR are similar to CASL laws, so the best practice is to ensure that you’re collecting, at minimum:

  • A date stamp to identify the date that the contact data was collected

  • The source that the contact data came from (a gated white paper, a webinar sign-up, an outbound sales call, etc.)

  • The exact opt-in language the person saw before giving their consent.

Keep in mind that if you are using multiple outbound communications systems, you are obligated to ensure that consent is harmonized across all your communication systems. (More on this in future posts.)

4. Verify the lead locations

The GDPR doesn’t just protect EU citizens: it protects anyone who is located within the EU at the time of the interaction. That means that asking people to select the region in which they live and work may not be enough to ensure compliance. If an individual living and working in Asia attends an event in Europe and provides their contact information during their stay, they will be protected by GDPR.

In addition to providing a field for country or region in your forms, you may also wish to record the individual’s inferred location. Tools such as Marketo already perform this action when an individual visits your web pages.

5. Update tracking consent

In the past, receiving an individual’s implicit consent to be cookied was enough to satisfy European laws, but GDPR now requires explicit consent.

If your current tracking process assumes consent when the individual closes or ignores the consent pop-up, you will need to update it. To meet GDPR requirements, the individual must actively give their consent to be tracked by clicking a button or checking a box. If no action is taken, you will not be able to track them.

It’s a good idea to sit down with your development and compliance team to discuss:

  • Which cookies are essential for basic site functionality and which should be activated upon consent only?

  • What should the consent pop-up say, when should it appear, and how does it connect to your privacy policy?

  • Which third-party functionality (such as Marketo’s Web Personalization) is cookie-driven, and how will this affect the user experience?

6. Change your strategy

Your marketing department exists to establish meaningful connections with (and collect meaningful data from) potential leads.

GDPR will make that process more challenging, which means that you may need to rethink elements of your lead-generation strategy.

Let’s take the example of a webinar sign-up:

In the past, when someone signed up, you could assume that they had implicitly consented to receive communications from you. You could follow up with a sales email or add them to your newsletter list, for example.

Because GDPR requires the person’s explicit consent, you will need to rethink the path to conversion. Add a request for consent to the initial webinar sign-up, for example, and include an invitation to download a related (and gated) white paper in the confirmation email, since the gate would give you another opportunity to request, and hopefully obtain, consent.

If you’re a Marketo user seeking more tips, check out Marketo’s comprehensive guide: The GDPR and the Marketer.

And stay tuned for the next installment in DemandLab’s GDPR series…