Preparing for GDPR: What Every B2B Marketer Must Know
2. Housekeeping
• We’ll send out the recording following the webinar
• You can submit questions in the questions pane, we will answer them in the Q&A at the end of the webinar
• I’m NOT a lawyer or play one on TV!
© 2018 Integrate, Inc. 2
3. What We’ll Cover
• GDPR: Threat or Opportunity?
• Preparing a GDPR-compliance plan
• Putting your compliance plan into action
• Leveraging Demand Orchestration Software to support your compliance efforts
5. GDPR is Serious
“For a long time, B2B marketing has been about lead quantity rather
than quality. GDPR is us to renew our focus lead quality vs quantity.
In effect, it’s going to force marketing orgs to prune their databases
so they can focus their skills, resources and time on legitimately
interested prospects”
–Annalisa Church, Sr. Director, Marketing Technology, Akamai
68% of Companies will invest between
$1 and $10 million on GDPR prep,
according to PwC survey of C-Executives.
8. Poll #1
How would you describe your current level of
GDPR preparedness?
• Already in compliance
• Executing plan and will be in full compliance by May, 2018
• Getting our plan together now
• Have a long way to go
11. SiriusPerspective:
11 © 2018 SiriusDecisions. All Rights Reserved@SiriusDecisions
Demand Creation in a Data Privacy World
The number of countries with data privacy and electronic marketing regulations in
place is constantly growing – and many carry stiff penalties for violations.
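[Map (mapchart.net): countries with data privacy and electronic marketing regulations. Labels: PIPA/PIPEDA, CASL, CAN-SPAM, La Ley, Ley 1581, Ley 527/99, PDPL, POPI, Privacy Act, SPAM Act, Privacy Act, UEM Act, General Data Protection Law, APPI, Anti-Spam Act, DPA, No. 38-FZ, GDPR, E-Privacy]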
12. SiriusPerspective:
Benefits of Adopting Data Privacy Strategy
A genuine interaction is more than just a click or form fill; it is a valuable two-way exchange of information that drives both sides to want to opt in.
Better nurture
Genuine Interactions
Better Analytics
Better Targeting
Holistic View of Contacts
Clean Prospect Database
Reduced Risk of Regulatory Fines / Complaints
Look beyond the basic requirements of data privacy compliance to identify
new opportunities to drive genuine interactions with prospects.
Better ROI
Company Prospect
14. GDPR: Overview
• Personal Data
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
15. SiriusPerspective:
Personal Data Definition Varies by Jurisdiction
Organizations must understand the definition of personal data in every jurisdiction they target with their marketing communications.
• Information about a living individual which can identify the specific individual. Includes information that enables one to identify specific individuals with easy reference to other information.
• Information that on its own can reasonably be used to contact or distinguish a person. (Federal Trade Commission)
• Any information about an identifiable individual.
• Any information concerning an identified or identifiable individual.
• Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly.
• Information or opinion about an identified individual, or an individual who is reasonably identifiable.
• Information about an identifiable individual; includes information relating to a death that is maintained by the Registrar General.
16. SiriusPerspective:
Understand the Types of Personal Data
Understanding the types of personal data the organization collects, stores and
processes is the first step in defining a preference management strategy.
Personal Data in a B-to-B Context
Physical ID
• Full name
• Phone number
• Mobile number
• National ID
• Photograph
• Fingerprint
• Gender
• Age
• Company
• Business Address
• Title
Digital ID
• Online Identifier
o Log-in details
o Email address
o Chat name
o Instant messenger ID
o Social networking ID
• Cookies
• IP Address
o Static
o Dynamic
• Unique Identifier
o UDID - Device
o UUID - IOT
Metadata
• Sender/Receiver
o Location
o Device
o Timestamp
o Content
• Behavioral
o Search history
o Activity history
o Content
• Device Data
o Location
Preference Data
• Topics of interest
• Watering holes
• Language
• Format
• Frequency
• Delivery mechanism
US PII EU Personal Data
17. GDPR: Overview
• Personal Data
• No Home vs. Business Distinction
• Global Reach
• Unambiguous, Purpose-linked Consent
• Privacy by Default
18. Consent
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked / checked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes.
19. Consent Considerations
• Web Forms
o Consistent form strategy
o Mandatory country field
o Compliant verbiage
• List Append
o 3rd party opt-in misnomer
o Contract compliance check
o Anon to personal
• Channel Partners
o Separate legal entities
o Name 3rd parties
o Lead flow and deal registration
• Sales
o Record contact source
o Consider confirmed opt-in mail
o Adhere to privacy regulations
• Events
o Attendee segment strategy
o Consider confirmed opt-in
o Context brings quality
20. GDPR Verbiage: Client Example
• I would like to receive marketing communications from Client Name and consent to the processing of the personal data that I provide Client Name in accordance with and as described in the Privacy Policy.
• I consent to the processing of the personal data that I provide Client Name and I would like to receive marketing communications from Client Name in accordance with and as described in the Privacy Policy.
• I consent to the processing of the personal data that I provide Client Name and I would like to receive commercial communications in accordance with and as described in the Privacy Policy.
• I consent to the processing of the personal data that I provide Client Name and I would like to receive business communications in accordance with and as described in the Privacy Policy.
• I consent to the processing of the personal data that I provide Client Name and to receive marketing communications in accordance with and as described in the Privacy Policy.
21. GDPR: Overview
• Personal Data
• No Home vs. Business Distinction
• Global Reach
• Unambiguous, Purpose-linked Consent
• Privacy by Default
• Legitimate Interest
22. Legitimate Interest
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Controllers must be clear and transparent about which Lawful Basis they are using, as:
i) different Lawful Bases give rise to different obligations under the GDPR;
ii) Controllers should record which Lawful Basis they are choosing for their different processing activities and their reasons for choosing that Lawful Basis.
It is also important to note that, in addition to satisfying one of the Lawful Bases for processing Personal Data, Controllers must comply with the data protection principles in the GDPR. Under the transparency provisions in the GDPR, Controllers must set out what their Legitimate Interests are when they rely on this as their Lawful Basis for processing.
23. GDPR: Overview
• Personal Data
• No Home vs. Business Distinction
• Global Reach
• Unambiguous, Purpose-linked Consent
• Demonstrable Proof
• Privacy by Default
• Legitimate Interest
• Penalties
• Prospect Rights
25. Data Privacy Compliance Team
Data Privacy Compliance Program Lead
• Services: Legal interpretation, risk analysis and specialist support
o Legal Counsel
o External Agencies
o Risk Office
• Team Members: Data process and system knowledge. Skill roll-out
o IT
o Sales and Marketing Operations
o Training
• Executive Sponsors: Corporate strategy, budgetary control and process sign-off
o C-Suite
o Finance
o Sales and Marketing Leaders
• Stakeholders: Global / local execution knowledge
o Regional and Local Marketing
o Regional and Local Sales
o Web and Events Teams
26. The Data Privacy Compliance Model
Corporate Data Privacy Compliance Strategy
People, Technology, Measurement
• Data Intake
o All ports of entry
o Data appending
o Individual capture
o Online capture
o Event capture
o Data purchase
• Data Storage
o Data access
o Data security
o Geographic location
o System location
• Data Maintenance
o Consent Renewal
o Change of status
o Data verification
o Audit processes
• Data Usage
o Segmentation
o Predictive analytics
o Outbound
o Inbound
o Profiling
• Data Disposal
o Deletion Request
o Expiry
o Merger / Acquisition
27. Data Privacy Compliance Implementation Framework
Objective
Participants
Inputs
Tasks
Deliverables
Understand
regulations by
jurisdiction
Marketing, sales,
IT, legal, BUs,
regions, finance
Regulatory bodies,
technology vendor
capability
Establish base
interpretation of
law
•Documented
legal view, and
implications for
the business by
function
•External-facing
reports
•Internal
compliance
reports
Conduct audit
checks, external
requests, training,
Escalation process,
compliance
dashboard
Marketing, sales,
legal, risk function,
IT
Demonstrable proof
of compliance
Determine current
practice / tech
assessment
Marketing and
sales ops, regions,
events, web team
Privacy related
content, capture,
storage processes
Identify gaps
between current
and ideal practice
•Gap analysis
•Risk exposure
analysis
•Process
assessment
Agree risk profile /
align privacy and
business strategies
Legal, C-suite, sales
and marketing
leadership
Legal guidelines,
corporate goals,
Impact analysis
Assess and agree on
business impact,
threat, opportunity
•Compliance
strategy
•Value vs. cost
analysis
•Function strategy
Create and agree
compliance
roadmap
Sales, marketing,
finance, IT
Compliance
strategy,
Gap prioritization
Define work
packages and
implementation
phases
•Project plan
•Budget
•Staffing model
•Executive sign-off
Marketing ops,
marketing, sales,
risk function, IT
Design detailed
operational function
plans
Ensure adoption
and commitment to
procedures
Sales, marketing,
risk function
Train employees,
Process and
system go-live
•Compliance
feedback
•Compliance
dashboards
Educate Operate Audit Define Plan Build Adopt
Functional strategy,
Project plan
Define roles,
policies,
procedures
•Compliance
policies
•Compliance
metrics
•Compliance
reference map
Compliance
policies, Project
plan
28. Common Implementation Pitfalls
Educate Define Plan Build Operate Adopt Audit
• Poor or incomplete view of regional regulations
• Failure to budget for compliance activities
• No expert legal advice sought when assessing risk
• Incomplete strategy impact assessment
• Lack of involvement by all functions
• Failure to identify cross-functional gaps
• Utilizing big bang implementation approach
• Poor visibility or tracking of critical path dependencies
• Lack of violation management and escalation procedures
• Over-reliance on technology to safeguard data privacy
• Failure to build in consultation period with employees
• Failure to include compliance training in all employee on-boarding
• Not keeping pace with regulatory changes
• Failure to build data privacy strategy into new market entry planning
29. Key Takeaways and Recommendations (1)
• EU GDPR data compliance must be governed by a companywide policy
• Invest in appropriate legal counsel to support the definition of a corporate data privacy compliance policy
• Work with corporate data controllers to ensure global and cross functional support for compliant and relevant contact information gathering activity.
• Assess the current range of data intake activities and the technology used to store and monitor each contact record.
• Gain executive sponsorship to drive ‘opt-in’ demand-marketing objectives.
• Design campaign activities and program tactics, to support compliant data intake.
• Review contracts for external marketing services for any detrimental or risk-bearing consequences to the stated privacy policies.
• Implement systematic and measurable metric reporting (e.g. percentage permission marketable contacts).
30. Key Takeaways and Recommendations (2)
• A clear understanding of the global, regional and local regulations that affect your organization is the first step in defining a viable data privacy policy.
• Identify and distribute accountability for data privacy compliance across all functions within the organization instead of centralizing responsibility solely within one team.
• Invest the time to complete a full audit of where your marketing and sales data is stored and document data flows to determine who has access to the data.
• Prioritize compliance gaps identified during the audit and group work required into waves comprised of a series of well defined projects.
• Embed compliance into the organizational culture by ensuring all employees receive training and monitoring is in place with visibility up to senior executives.
• Continuously track regulations for new interpretations, guidance or modifications to existing requirements as policies are still evolving in many markets.
31. Poll #2
Which aspect of GDPR compliance are you most concerned with?
• Our owned website and landing page language and process compliance
• Third-party lead- and/or data-provider compliance
• Cross-border data transfer compliance
• Documenting compliance
• Shrinking pipeline due to GDPR restrictions
34. The Missing Layer in Revenue Marketing
CRM
Convert Prospects to Customers
Marketing Automation
Nurture & Qualify Leads to Prospects
3rd-Party
Lead Gen Webinars Events Data Lists
Top-Funnel Marketing
Generate & Process Leads
35. Integrate’s GDPR & Global Compliance Solution
Integrate’s Demand Orchestration
software combines a variety of features to
help marketers maintain compliance with
GDPR and other country requirements,
specifically:
• consent and opt-in management
• documentation of compliance
• cross-border data transfer laws
… so they can scale with confidence.
36. Document Vendor Compliance Using Source Agreements
• Obtain GDPR compliance confirmation from all third-party lead sources so you can launch campaigns rapidly with reduced chance of error
• Ensure lead providers acknowledge compliance with GDPR data privacy and transfer regulations
• Customize compliance agreements to any regional regulations or specific company requirements
37. Assure Opt-In & Data Privacy Compliance
• Store and update GDPR and other country-specific opt-in language
• Provide third-party partners with granular opt-in language
• Confirm all lead data matches opt-in specifications
• Apply opt-out suppression lists to demand gen campaigns
• Restrict access to collected specific personal information
• Securely transfer data in compliance with GDPR, EU-US Privacy Shield and Swiss-US Privacy Shield laws
38. Monitor Consent Language with Proof of Concept
Review campaign assets, copy and other deliverables from third-party lead providers to make certain:
• GDPR language is implemented
• Third-party partners adhere to brand guidelines
• Campaigns require approval from marketers before going live
39. RESOURCES
• 5 Steps B2B Marketers Must Take to Prepare for GDPR (Whitepaper)
• The Cost of Bad Leads (Report)
• Integrate’s GDPR & Global Compliance Solution Overview
42. Guidelines for Consent – Issued by the UK’s ICO
• The GDPR sets a high standard for consent.
• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
• Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
• Consent means offering individuals genuine choice and control.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and granular. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third parties who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent – who, when, how, and what you told people.
• Keep consent under review, and refresh it if anything changes.
• Avoid making consent a precondition of a service.
• Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.