Presented at Marketing Nation 2018

Michelle Miles

Okay, this stuff is complicated. This is how I felt after watching Michelle’s session.

Let’s be honest, you aren’t going to quickly get compliant after watching a 30-minute session. Besides hurting my brain, Michelle did a great job outlining the basics of the General Data Protection Regulation (GDPR) and sharing resources to get going. Bottom line: this is a big change for most companies, but the consequences are real, so you can do anything but ignore it.

 

What is GDPR?

If you are asking this question, you have been living under a rock. Long story short, the European Union has specified 6 principles of holding & collecting data on their citizens. If you do business with, or hold data from, European citizens, then this applies to your company.

Yeah, but what are the consequences? → $20M euros or 4% of global revenues, whichever is greater. Yes, you read that correctly and they are projecting $6B in fine revenue in the first year. This is not a joke.

 

Oh boy, so what are some practical things I can start today?

Below, we pulled the table of contents from Perkuto’s GDPR Marketing Communications toolkit. Michelle mentions this a lot during her session. We link to each section, so go check it out!

1. Get a Lawyer. (you’re welcome)

 

2. Change your Privacy Policy Verbiage

Start here: make sure it is easy to find and understand. Here is the snippet example from their toolkit and the link to the International Association of Privacy Professionals (IAPP) example.

The information set out in this form is registered in an electronic
database for the purpose of [commercial prospection, HR…].

This information is intended to be communicated to [internal
service of the company, commercial partners…] and retained
for [the relationship, xxx months…]. In accordance with the
applicable regulation, your rights to access and update your
data, withdraw your consent or lodge complaint where
applicable can be exercised by following this link [contact
of the service, person or authority in charge…]

 

3. Whitelisting Campaign & Email Copy

For any existing records in your database, you need to send them a few email notifications requesting that they stay on the list. If they do not opt in, you need to have them removed. Here is an example email that Michelle’s team created.

Hi {{lead.First Name}},

I saw that you’re based in Europe and have been getting
communication from us here at [Company Name] for a while. There
are a lot of new privacy laws in your region that we’re taking very
seriously. So I’m reaching out to ask — would you like to continue
receiving communication from us? We’d love to keep inviting you to
our webinars, events, and passing along our best content on [topic
we care about]. The thing is, it’s important with the new privacy rules
that you give us the green light.

Do you want to keep in touch with us?

We also want you to know exactly how we use your personal information. We will never sell or share it with third parties unless we
have your consent. You can read more about this in our privacy
policy.

Please reply to this email to let us know you’d like to continue
receiving our messages and remain in our database.

Thank you,

 

4. Cookie Notifications

With GDPR you can still cookie, but you must get their permission. Obviously, if they say ‘no’, you can’t! Here is an example of a cookie notification you can use. I also included the raw text below so you can copy and paste.

We’re glad you’re here! Help us customize your site experience by
enabling cookies so we can understand your interests and
recommend related information. Should you choose not to
enable them, you may still use our website; however, we can’t
tailor your experience to your interests or location.

YES. CUSTOMIZE MY BROWSING EXPERIENCE

I understand and agree to the privacy policy.

NO THANKS. I’LL TAKE MY CHANCES

 

5. White Paper Data Collection Form

Just because someone downloads a white paper, it does not mean that you can send them more information. You must have an opt-in box within your form that is unchecked.

 

6. Preference Center Landing Page

GDPR requires that you have a center for customers to manage their data usage preferences. Here is Michelle’s example below and we have transcribed the wording so you can easily copy and paste.

TOP STATEMENT

“At Optymyze we take your privacy seriously and apply appropriate technical, physical, and administrative measures to protect your personal data. Details of how your data is used, stored, and protected are outlined in our privacy policy and are in full compliance with the requirements of GDPR and CASL.

We also value your trust and honor your preferences. As owner of your personal data, you may, at any time, unsubscribe from receiving marketing communications, request the export of your data to transfer to another company, and/or request the complete removal of your information from our database.

If you have general questions about our privacy policy, data practices or your personal data, please email us at privacy@optymyze.com. Thank you for choosing Optymyze.”

CHECKBOXES

  1. I’d like to receive more information from
    Optymyze and understand and agree to the privacy policy.
  2. Send me more information on Optymyze’s data
    usage policies.
  3. Send me an export of my data.
  4. I do not wish to receive marketing emails. Please
    unsubscribe me.
  5. Completely remove my data from your
    databases. I understand certain or all services
    provided by Optymyze may be unavailable to
    me.

 

7. Export Request Email

Individuals can now request a data export, so you are required to share what you have on them within a reasonable time. Here is Michelle’s suggested email stating that you heard their request and what they can expect.

Hi there,

We have received your request for an export of your information from
[company name]’s databases to transfer to another company. We will honor your
request with a complete data export within 30 days. Below is the standard
form data we have on your record.

  • Name: {{lead.First Name}} {{lead.Last Name}}
  • Email: {{lead.Email Address}}
  • Phone Number: {{lead.Phone Number}}
  • Company Name: {{Company.Company Name}}
  • Department: {{lead.Department}}
  • Position Level: {{lead.Job Title}}
  • Industry: {{Company.Industry}}
  • Country: {{lead.Country}}

At [company name] we take your privacy seriously and apply appropriate technical,
physical, and administrative measures to protect your personal data.
Details of how your data is used, stored, and protected are outlined in our
privacy policy and are in full compliance with the requirements of GDPR
and CASL.

You can find full details of our privacy policy located here.

Thank you for choosing [company name].

 

8. Export Request Alert

Yes, it continues, so once you have received the request you need to make sure your internal team gets it done within the timeframe. Here is Michelle’s export request alert internal email template.

The following person has requested an export of their data and received
an email notifying them that a full export of their information is on its way,
and will arrive within 30 days. Please export their data using the data
export view in Marketo, and export a copy of their activity log.

  • Name: {{lead.First Name}} {{lead.Last Name}}
  • Email: {{lead.Email Address}}
  • Phone Number: {{lead.Phone Number}}
  • Company Name: {{Company.Company Name}}
  • Department: {{lead.Department}}
  • Position Level: {{lead.Job Title}}
  • Industry: {{Company.Industry}}
  • Country: {{lead.Country}}

After exporting their data, send them a copy of the email below with an
attachment of their data.

Thank you!

This email is in response to your request for export of your information
from [company name] databases to transfer to another company. Please find the
attached details of your record.

At [company name] we take your privacy seriously and apply appropriate technical,
physical, and administrative measures to protect your personal data.
Details of how your data is used, stored, and protected are outlined in our
privacy policy and are in full compliance with the requirements of GDPR
and CASL.

You can find full details of our privacy policy located here.

Thank you for choosing [company name].

 

9. Data Erasure Email

GDPR also requires that you fully remove records upon request. Here is Michelle’s erasure email template.

We have received your request for the complete removal of your
information from [company name] databases. We will honor your request
within 30 days.

At [company name] we take your privacy seriously and apply appropriate
technical, physical, and administrative measures to protect your
personal data. Details of how your data is used, stored and protected
are outlined in our privacy policy and are in full compliance with the
requirements of GDPR and CASL.

You can find full details of our privacy policy located here.

Once we remove your data, you will no longer be able to use [company name]
Cloud Software-as-a-Service (SaaS) offering, any associated mobile
apps and the Perkuto Support and Community websites
(https://support.perkuto.com and https://community.perkuto.com),
which provide support for the Perkuto Cloud. You will receive no further
marketing, sales communications or information.

If you requested this in error, you must click here to cancel your request.
If you prefer to unsubscribe instead, you may also do so here.

Thank you for choosing [company name].

 

10. Data Breach Notification

No one wants to consider this, but we all should be prepared. Here is Michelle’s example of a data breach notification email. Let’s hope you never have to use this!

[NAME]

[ADDRESS]

[DATE]

Dear {{lead.First Name}}:

We respect your private information and sincerely value your business and, as
a precautionary measure, are writing to inform you about a data security
incident that [may involve/involves] your personal information. [[On/Between]
[IDENTIFY BREACH TIME PERIOD], [BRIEFLY SUMMARIZE BREACH].] The data
accessed [included/may have included] personal information including
[IDENTIFY TYPES OF PII AT ISSUE]. [To our knowledge, the data accessed did
not include any [OUTLINE SPECIFIC TYPES OF PII NOT INVOLVED]].

[COMPANY NAME] is currently conducting an exhaustive review of [IDENTIFY
AFFECTED SYSTEMS/RECORDS/OTHER] and is working with [LAW
ENFORCEMENT/MAJOR CREDIT CARD COMPANIES/CREDIT BUREAUS/
OTHER] to properly address the situation and implement additional security
measures to prevent future attacks on our valued [CUSTOMERS/CLIENTS/
AFFECTED INDIVIDUALS]. [COMPANY NAME] values your privacy and your
business and we deeply regret that this incident occurred.

We are here to answer your questions about this situation. We take your
privacy seriously and apply appropriate technical, physical and administrative
measures to protect your data, in compliance with GDPR and CASL
regulations. Details of how your information is used, stored and protected are
outlined in our privacy policy. For more information and assistance, contact
[NAME OF COMPANY REPRESENTATIVE] at [TELEPHONE NUMBER] between
[TIME] a.m. - [TIME] p.m. daily, or visit [WEBSITE WITH SPECIFIC URL FOR THIS
INCIDENT]].

Sincerely,

[NAME] [TITLE]

Presentation Recording – April 26, 2018 from Successly.io on Vimeo.

