When Data Privacy and Protection Laws Meet Your Marketing

Lauren Inggs | 22 February 2017

Online privacy is an increasingly fraught area. Many regard online privacy as a limited luxury at best, and there are already many stories where personal data is easily found and exploited. For businesses, the ramifications of storing the personal data of individuals, be they leads or customers, have never been more serious.

In 1995, the EU adopted a Data Protection Directive focused on protecting the rights and data of individuals living within the EU. This directive has had far-reaching implications for businesses storing customer data, and certainly for marketers using personal data to further their Inbound Marketing activities.

Why Data Protection and Privacy Matters for Your Business and Its Marketing

Consider that inbound marketing relies on building relationships and targeting the right person, at the right time and place, and you can see how important and valuable data is to businesses adopting inbound marketing. In fact, inbound marketing couldn't be successful without data gathering and usage.

But insufficient data privacy and protection can have some nasty consequences for your business, from lawsuits to stiff financial penalties – not to mention the knock a company's image can take in the aftermath of a data leak or hack. If you're looking to use inbound marketing to boost your business, it's important that you take a closer look at how the EU's Data Directive affects you, what your responsibilities are for complying with it, and how you can best protect your contacts' details while still experiencing the success of inbound marketing.

First things first – let's look at some of the key concepts outlined in the EU Data Protection Directive.

5 EU Data Protection Directive concepts to know

1. The need for clear and transparent data protection policies

This one may seem to be a given, yet many businesses fail to provide their contacts with a clear, transparent and accessible data protection policy. According to the directive, it's mandatory that companies provide this information to their contacts in an easy-to-access manner. What this means is that your website design needs to incorporate a page, one your site visitors can easily find, detailing what measures your business takes to safeguard personal information.

2. The right to be forgotten

The right to be forgotten refers to the legal right an individual has to request that a company delete their personal information. This rule allows people to reach out to your business and ask you to delete their details, a request you need to comply with if there are no legitimate grounds for retaining said information.

This overflows into data beyond what might be considered personal. The laws outlined in the directive also consider an individual's IP address personal data, which means that it becomes a matter of consent when using an IP to track what a user is doing on your website.

It also means that marketers can no longer simply flag contacts with a "Do Not Contact" and leave it at that. And since these laws make no distinction between B2B or B2C personal data, marketers within businesses need to be extra vigilant when it comes to ensuring data does not carry across multiple internal systems after a contact requests their data to be deleted.

3. The right to make informed choices

Under the EU Data Protection Directive, individuals disclosing information to your business have the right to do so under informed circumstances.

This means that opt-outs are no longer considered appropriate or legal unless a clear statement has been displayed to a potential contact informing them that should they proceed and submit their details, they will be opted into a mailing list. Instead, the standard practice is the offering of opt-ins, where individuals voluntarily offer their information in exchange for an offer of value.

This means that your marketing offers need to be on point, as a contact has the right to ask you to delete their information if they submit their details to you in exchange for an offer that is sub-par – which defeats the point of gaining leads and converting them to customers! The key takeaway here is simple – create brilliant offers!

3.1. A brief note on buying lists: Just don't do it!

While there isn't legislation expressly forbidding the purchase of lists, issues can arise when the information in the lists was not obtained legally. Additionally, since contacts can request you to delete their data, you're essentially wasting your time contacting individuals who either didn't reach out to you first or didn't opt in to receiving communication from you. It goes against the principles of inbound marketing and is more often than not an exercise in fruitlessness. Rather save your money and pour it into developing effective inbound marketing campaigns.

4. The right to notification on data breaches

If your business is storing individuals' data, you are legally obligated to inform them if you suffer a data breach. This obligation is a serious one and means you need to be on top of your data security and any threats on your network or data storage facilities. Being on top means that you're able to inform your contacts of a breach before they potentially become victims of its fallout.

Depending on the size of your business, this can be challenging. Using a marketing CRM like HubSpot can be a lifesaver. HubSpot's security teams and facilities provide you with monitoring of marketing data and its safety at all times, along with stringent measures for keeping it secure and preventing breaches before they happen (and lifting the worry off of your shoulders).

5. The need for increased accountability and responsibility

According to the directive, businesses need to be accountable and responsible for data protection from the get-go. This involves committing to data protection risk assessments, employing data protection officers and adhering to the principles of "data protection by default" and "data protection by design." This means that from the earliest stages of product or services development, companies will need to factor in data protection. It also means that marketers need to ensure they are taking adequate steps to protect data from the outset.

The rights listed above are explicitly addressed by the EU Data Protection Directive and are critically important for businesses and their marketing teams. There is, however, one more area of the Directive that needs to be carefully looked at as well, and that's the issue of data transference outside of the EU.

EU Safe Harbour and data transferring outside the EU

The EU Data Protection Directive has some stringent policies regarding the transference of data outside of the EU. One of these policies was "Safe Harbour." Essentially, "Safe Harbour" was a framework developed by the EU to mitigate data security risks during the transfer of data between the US and EU. However, due to valid complaints made by outside parties, the EU was forced to re-evaluate the validity of the Safe Harbour framework, and its subsequent assessment has led to it being crossed off as an assurance of data protection.

This action has left companies to look for other options regarding the protection of data transferred outside the EU. These take the form of "Standard Contractual Clauses" (SCCs) or "Binding Corporate Rules". These SCCs, also referred to as Model Clauses, were issued by the European Commission and are considered a valid safeguard when undertaking data transference from the EU to the US.

What does this mean for your business?

If you had been relying on Safe Harbour when transferring data outside the borders of the EU, you do need to make some necessary changes. It's always advisable to consult a lawyer when dealing with legal issues of this nature to ensure you are compliant and not running the risk of facing steep penalties and legal action. Naturally, this applies to all data you store, whether for business or marketing purposes.

Our recommendation regarding marketing and data protection is to go for a marketing CRM like HubSpot. Although HubSpot stores data in a content network based in the US, they have taken every precaution to not only ensure the security of that data but also to establish total compliance with the EU's regulations on data storage and transference outside of the EU. They offer a Data Processing Annex to all their customers within the EU that includes the necessary SCCs to ensure Data Directive compliance.

Letting HubSpot take care of the nitty-gritty regarding your data's security and compliance helps you focus on your marketing in greater detail, without the concern of potential data breaches or red tape regarding your data transfers and storage. Want to know more? Get in touch with us, and let us help you make the right choice for your business!
