
The Status of Marketing in the Aftermath of the GDPR

What “GDPR Readiness” really looks like and how businesses say they’re doing it.

The General Data Protection Regulation (GDPR) swept the nation in the latter half of 2017. Companies holding European citizen data would fall under the jurisdiction of the European Union’s regulation over data privacy.

The rollout was messy, to say the least, even though we’ve seen security become a competitive advantage for some and seen how a poor information security program can damage sales.

Hubspot conducted a survey in Q3 of 2017 revealing that most companies were not ready for the GDPR.

About 12% of companies said they first learned about GDPR from Hubspot’s survey. And a full 22% admitted that they hadn’t done anything at the time of the survey to prepare for the GDPR.

However, the survey didn’t reveal that most companies would “half-bake” their GDPR compliance.

The six months after the GDPR went into effect were a scramble for organizations to become compliant. But research showed other projects took priority over data security (more on this later).

Why GDPR Focuses on Marketers

Marketers promote brands and drive traffic to businesses. They tend to communicate more with audiences than any other department in an organization. Your sales and marketing team should know about GDPR. This led to two big reasons why the GDPR focused on marketers:

  1. Email Spam
  2. CRM Usage (with Marketing Automation)
  3. Website security

Email Spam – for marketers with limited insight on their leads

Are you familiar with spam?

Marketers generate traffic and leads for businesses. They use a variety of tools to collect data about visitors and leverage behavior-based strategies to run ads and engage with prospects on social media.

Some data-points often used by marketers include:

  • Your IP address upon form submission (helping them identify your country, state/province, and timezone)
  • Your email address (using enrichment tools to find your social media accounts, job title, and company)
  • Your browser behavior (helping them serve ads to people who’ve viewed the pricing page)

But sometimes the data isn’t good (which creates spam)

Traditional businesses tend to leverage one-size-fits-all marketing strategies. They don’t properly segment their email lists and, as a result, send out mass emails to their audience.

GDPR works against marketers who do this.

CRM Usage

Marketers and salespeople tend to be the heaviest users of CRMs and Marketing Automation platforms. Using tools like Salesforce, Marketo, and Hubspot, marketers can increase their capacity to interact with thousands of people at a time (while enabling the sales department to intercept warm leads).

But how does that relate to the GDPR?

Data about website visitors, leads, and customers is stored within the CRM software. These tools act as databases that catalog hundreds of data points about website visitors, leads, and customers. It’s an extremely powerful component of any fast-growing business.

Risks marketers face when using CRM systems:

  • Accidentally emailing everyone at once (i.e. sending a discount email to people who are already customers)
  • Overwriting important data about visitors, leads, and customers
  • Getting breached, allowing hackers to download the entire database

Overall, operations can take a dive pretty quickly. Despite these risks, marketers are prioritizing other projects.

Website Security

The same year that GDPR began being enforced, Google announced that websites that failed to use HTTPS encryption would be flagged for users as “Not Secure.” This made SSL encryption critical not only for GDPR compliance with data encryption, but also important for building trust with site visitors and maintaining page rank in Google search results.

The Reality of Marketing Priorities

Hubspot’s “State of Inbound” report interviewed marketers around the globe. They conducted research, case studies, and surveys to learn what marketers were really focused on.

Marketers are most focused on generating traffic, leads, and ROI. Information security didn’t make the list, yet.

Hang On, What About the GDPR?

Well, about that. The majority of companies surveyed likely didn’t want to tamper with their lead generation machines. It takes a lot of time and money to figure out what gets people to sign-up for offers and consultations. Time and budget are always an obstacle for information security programs.

Expected consequences of the GDPR amongst marketers and executives:

True GDPR compliance requires businesses to change their processes; however, this would be considered too high-risk.

Many companies researched other options to determine what types of activities would help them move towards GDPR compliance.

The Result: Updated Privacy Policies, “We Use Cookies” Notifications, and Lacking Email Nurtures

As many of us know, our inboxes flourished with privacy policy emails from late 2017 to early 2018. This started when interest in the GDPR began to surge in the news and within online communities.

Notice that “Changing the way we sell/market our products” is rated last

Marketers would need to change the way they market their products to be truly GDPR compliant. This means splitting all existing email nurtures, creating marketing opt-ins on forms, and explicitly stating how they use the data they collect.

Example of a GDPR Compliant Marketing Automation Workflow

If a customer signs up for an ebook, there needs to be a checkbox where they opt into marketing communications. If they don’t check this box, they still need to receive the ebook, but not be enrolled into the nurture.

Doing this requires some technical implementation, but it’s worthwhile. Inside the CRM, create a checkbox called “Opted Into Marketing Communication”. If checked, configure your marketing automation to enroll the contact into the nurture after they’ve opened the ebook. If unchecked, you just send them the ebook. Either way, it splits up people who’ve opted in and those who haven’t.
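The opt-in split described above, as an added example in Python (not the author's code or any CRM vendor's API). The form key, the in-memory `crm` dict, and the function names are hypothetical; the sample submissions are constructed.

```python
from dataclasses import dataclass

# Hypothetical form key mapped to the CRM checkbox
# "Opted Into Marketing Communication" named in the text.
OPT_IN_FORM_KEY = "opted_into_marketing_communication"


@dataclass
class Contact:
    email: str
    opted_in: bool = False
    ebook_sent: bool = False
    in_nurture: bool = False


def parse_opt_in(form: dict) -> bool:
    """Browsers omit unticked checkboxes from the submission, so a missing
    key has to mean 'no consent'. Only explicit truthy values count."""
    value = str(form.get(OPT_IN_FORM_KEY, "")).strip().lower()
    return value in {"on", "true", "1", "yes"}


def handle_signup(crm: dict, form: dict) -> Contact:
    """Every signup receives the ebook; consent is recorded separately."""
    email = form["email"].strip().lower()
    contact = crm.setdefault(email, Contact(email=email))
    # Assumption: leaving the box unticked on a later form does not withdraw
    # consent given earlier; withdrawal is a separate unsubscribe action.
    contact.opted_in = contact.opted_in or parse_opt_in(form)
    contact.ebook_sent = True  # stands in for the actual delivery email
    return contact


def handle_ebook_opened(crm: dict, email: str) -> bool:
    """Enroll into the nurture only after the ebook was opened AND the
    contact opted in. Returns whether the contact is now in the nurture."""
    contact = crm.get(email.strip().lower())
    if contact is None or not contact.ebook_sent:
        return False
    if contact.opted_in:
        contact.in_nurture = True
    return contact.in_nurture


def run_demo() -> dict:
    crm = {}
    # Constructed sample submissions.
    handle_signup(crm, {"email": "a@example.com", OPT_IN_FORM_KEY: "on"})
    handle_signup(crm, {"email": "b@example.com"})  # box unticked: key absent
    handle_signup(crm, {"email": "c@example.com", OPT_IN_FORM_KEY: "false"})
    for address in list(crm):
        handle_ebook_opened(crm, address)
    return {e: (c.ebook_sent, c.in_nurture) for e, c in crm.items()}
```
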

There’s a grace period where it’s okay to directly email people who don’t opt into marketing communication. It just has to be in a direct fashion. Here’s an example and template you can use:

Hey {},

I noticed you signed up for one of our ebooks – hope you enjoyed it. Your record lists you didn’t opt into our general marketing emails, but just wanted to pass along a quick FYI of another ebook you might enjoy.

{Ebook Title with Link}

Hope you’re having a great day!

{Marketer’s Name}

{Marketer’s Email Signature}

By reaching out to someone directly, you’re not engaging with them in a marketing capacity (to thousands of people), rather you’re engaging them in a one-to-one fashion that is entirely non-intrusive and customized to them.

Benefits of doing your email nurtures this way:

  • Non-invasive, builds authenticity, trust
  • Lowers risk of emailing inappropriate offers and discounts.

GDPR is here, but it’s not strongly implemented

Companies are reluctant to change their lead generation methods as it’s such a sensitive component of their businesses. They’d rather implement smaller changes like Privacy Policy Updates and Cookie Policies to show they’re aware of cybersecurity concerns.

A truly compliant GDPR program would include alterations to sign-up forms that explicitly ask people to opt into marketing communications. Additionally, if someone does not opt-in, marketers are still required to send them the offer they signed up for (from our example, an ebook).

Last, but not least, we reviewed an example where it’s okay to engage with a contact who has not opted into marketing communications. In this manner, the goal is to engage the contact directly (1-on-1) and to not send mass emails to groups of people.

We hope your team is taking cybersecurity seriously and we look forward to continuing the discussion around building more secure companies.

Continue to be smart, protect your data, and don’t do spammy marketing campaigns!
