For anyone in the digital business world, it was nearly impossible to avoid General Data Protection Regulation (GDPR).
In the days leading into the law taking effect, it was impossible to go about your day-to-day work activities without seeing its effects as businesses braced for the post-GDPR world.
Do you use Salesforce for your CRM? Here is its GDPR compliance documentation along with resources for users. Do you scroll Twitter for news, or even use it to promote your work? It has a GDPR hub of its own. Want to check traffic to your latest blog? Google Analytics required you to confirm your data retention preferences before allowing you to analyze your site visitors.
Screenshot of Google Analytics' data retention update.
Your own company is likely dealing with its own GDPR compliance concerns; at G2 Crowd, for starters, every employee was required to take and pass a training course.
Even our personal lives have been infiltrated by GDPR compliance: Microsoft required me to manage my data preferences before I could access my Xbox One.
GDPR is changing the way companies think about and manage Internet privacy and personal data, and this will have widespread effects on companies of all kinds. Some of these effects have already been anticipated by business leaders and are being addressed. Others won’t become apparent until sometime in the future.
All this change and uncertainty will affect different employees and companies to varying degrees. B2B marketing will certainly be affected. But as marketers, how will the way we do our jobs in the digital age change, and what can we do to adapt?
Marketing and GDPR
To understand how GDPR will transform the way marketers do their jobs, it’s important to understand the basics of what GDPR is and why it was put into law.
What is GDPR?
General Data Protection Regulation (GDPR) is a regulation by the European Union (EU) that goes into effect May 25, 2018. It is being enacted to protect the data and privacy of all individuals in the EU by giving them control over who can gather their data and how it can be used. The law was adopted in April 2016, giving companies two years to understand how it would affect them and become compliant.
For businesses and marketers, more important than the law's history is what this means for data. The Salesforce GDPR hub offers an overview:
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
Anna Westfelt, intellectual property associate at law firm Gunderson Dettmer explained how that definition differs from what U.S. companies typically think of as personal data.
“Personal data under the EU laws is much broader than what we think of of as PII here (in the U.S.), or personal identifiable information,” Westfelt explained in a video with GDPR compliance company DataGrail. “It’s any information that relates to an identified, or an identifiable, person. That can include dynamic IP addresses, and device IDs, and just a much broader definition of what is considered personal data in the EU.”
GDPR and Contact Lists
Email marketing has been a marketing staple in the digital age, and one way companies have grown their prospect bases has been through data providers. These providers sell lists of contacts to businesses. Companies buy lists of prospects with particular attributes – age, location, job role, income, etc. – to supplement their own prospect lists.
Prior to GDPR, this tactic has been legal or at least poorly regulated (albeit not terribly effective). In a GDPR world, buying, selling, and using email lists without explicit positive consent from all contacts becomes much more difficult. For a company purchasing these lists for cold outreach, they must demonstrate that the individuals have a need for their product or service.
Under GDPR, companies must get clear statement of consent in order to sell any individual’s information. This consent must be for specific processing of data, and individuals have the right to request deletion of their personal data across all systems, including third-party. This is impacting contact lists for all industries.
In reality, purchasing contact lists in the new GDPR world becomes tenuous at best. For a company to do so and be in compliance, the list members must all have opted in explicitly to have their information shared with the purchasing company with the purpose of being contacted. Getting that consent will make legal lists much harder to purchase than ever before, and their uses will become fewer and fewer.
“While certain purchased lists with clear affirmative statement of consent within the original subscription may be allowed under GDPR, Mailjet strongly recommends against this in every way possible for deliverability concerns.”
GDPR and Ad Targeting
The explosion of big data and worldwide connectivity have been a marketer’s dream in recent years. Pre-GDPR, websites were able to gather visitor information, then use that data to target advertisements directly to the people they know had already considered their products or services.
Through cookies and terms and conditions agreements (oh my!), websites could get explicit or implied consent to gather this data, then use it in this targeting as they pleased. The ads people see on other websites were targeted to them as individuals via this saved data being run through an advertising platform.
Companies could also use third-party data to target audiences by demographic. For instance, the Washington Post reported in 2016 that Facebook advertisers had access to 98 different data points with which to target audiences.
The need for explicit permission from visitors when gathering and using data under GDPR makes these practices significantly more challenging to marketers.
“GDPR will force marketers to relinquish much of their dependence on behavioral data collection,” Dipayan Ghosh wrote for Harvard Business Review. “The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice.
"Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up," Ghosh continued. "But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.”
One alternative for marketers, as Ghosh outlines, is contextual marketing. Rather than ads on a website being dynamic and changing per website visitor and their data, those ads are instead static and are selected based on the piece of content.
This practice is less common now than targeted advertisements, and it is by nature more difficult to execute than ad targeting. It requires connecting content (which is created manually by humans) to advertisements, rather than connecting data (which is gathered automatically by technology) to ads.
For a CMO with a marketing budget, moving from targeted ads to contextual ones is a logical move, but it won’t be seamless. In the near future, the processes will be different and contextual ad marketplaces will be less advanced than those of targeted ads.
Long term, there will be questions about the effectiveness of these advertisements. There is a reason advertisers and marketers choose targeted ads far more often than contextual ads: having the ability to target your product or service to a specific person or demographic, rather than speculate on who will consume content and predict their behaviors, increases the effectiveness of ads. Simply, moving further from the data sources will produce lesser results.
Ultimately, the practice of contextual advertisements will improve as it grows in popularity and marketers (ironically) gather more data on it. Still, if ad targeting makes up a significant portion of your marketing budget, monitoring the effectiveness of those dollars and comparing it to the effectiveness of post-GDPR advertising will be essential in evaluating how it fits into your marketing strategy going forward.
GDPR and Events
Event marketing is an industry that serves many purposes. It can range from small networking events at the local bar to massive conferences headlined by celebrities. It’s a massive industry: upwards of $512 billion as of a 2014 study by Frost and Sullivan (paywall).
Events are clearly important to CMOs and marketing departments in the digital age. According to a 2017 study by Bizzabo, 31% of marketers believe live events are the most effective marketing channel. And according to the same study, 28% of companies spend at least one-fifth of their budgets on organizing events.
Live events serve many purposes for companies: brand awareness, recruiting, media attention, thought leadership, sales opportunities, and much more. But one key benefit to producing events is data gathering.
For every person that signs up for or attends an event, the host gathers contact information for their own purposes, but also to sell. At a conference, sponsors scan badges for the same purpose. Marketers give away swag for free to spread their logos, yes, but more important is building their databases of prospects.
You know what comes next.
GDPR throws a wrench into all of those practices. Previously, an event host could take the information it had gathered and use it or sell it as a list of highly targeted prospects. Now, a host can do that, but only if explicitly telling attendees from the EU exactly what will be done with that data: who it will be shared with and what will be done with it. A host would potentially have to list tens of companies who would email or call a guest as a prospect.
How many people do you think will check those consent boxes?
“[GDPR] is going to change the way meeting planners decide what data needs to be collected from attendees in things like registration forms and apps and how that data is going to be used for marketing and personalisation,” event management platform Eventsforce wrote in a blog post. “It will change the way attendee data is shared with other third-party organisations like venues, sponsors, agencies and tech providers.
“The regulation will also force planners to play a much bigger role in securing all the data they collect from attendees, as well as making sure that any organisation dealing with their event data is also complying to the new regulations,” the post continued.
Companies will still be able to gather data from EU residents, but that data will be harder to acquire and maintain. It will also generally be less valuable: Attendees will certainly accept their data being shared with fewer third parties than they did when consent was implied.
For CMOs or others determining how to spend marketing budgets, events still have value. Depending on the type of event, gathering information from attendees can be a bonus rather than a primary focus. However, this is valuable data that will no longer be available to companies producing events, or it will at least be significantly limited.
Evaluating what that loss in value is for your company and your events will be necessary to determining how to adjust your focus.
GDPR and G2 Crowd
GDPR has the potential to drastically change the way businesses and marketers spend their budgets allocated to the EU. Both how they gather data and secure data from those residents, as well as contact them, will be affected. Many aspects of modern marketing, including contact lists, ad targeting, and events, will change in viability, effectiveness, or both.
For marketers, this will lead to decisions about how to allocate your EU budgets. With diminishing returns coming from marketing channels you’ve relied on to build your marketing funnel, there will be pressure to improve your tactics or look to new channels.
Some of these channels won’t emerge for months or years as companies learn exactly how GDPR will affect them in practice rather than in theory. Others are existing strategies that won’t need to be adapted greatly to meet compliance.
At G2 Crowd, we are bringing transparency to B2B buying through verified user reviews. SaaS marketers have taken advantage in many ways: calling out positive reviews, comparing offerings to competitors, and adding highly qualified leads to their pipelines.
For marketers looking for new marketing channels to allocate funds, or to redistribute among existing channels, using sources like G2 Crowd that are GDPR compliant and offer high-quality leads is a strong alternative to current tactics.
G2 Crowd now requires:
- All EU users to consent to receive updates about products, services and offers
- All users submitting lead forms to confirm they consent for G2 Crowd or vendors to contact them
As a marketer living in a GDPR world, compliance is a necessity. Working with EU data sources that are in compliance will be essential to continuing your European marketing strategies. Sales teams will also need to be aware of how GDPR impacts their CRM and contact database. Everyone will feel the GDPR impact.
Your current strategies may or may not be sustainable with the new limitations. If they aren’t, or they are less effective than they were in the past, then you will need to reconsider how you’re spending your budget and time.
Find data sources that are compliant. Find prospects who are highly qualified and looking for your business solutions already. The companies that do this have the opportunity to gain a massive advantage over competitors who react too slowly to our new reality.