We exclusively market and sell downloadable training materials to other companies, so only use business details, name, job role, company email, company name. We use this information for marketing, but it is retained solely for our own use. Does anybody do something similar, if so what approach have you found to be most appropriate?
I have downloaded numerous papers on this, but am struggling to to define which approach to take.
Many thanks
Paul
Hi Paul,
Here is a checklist we put together for B2B companies… There’s a lot to this and we’re not lawyers – we just wanted to highlight these key points in order to help fellow marketers and business people. Maybe this will help:
9 Point GDPR Checklist for Email Marketers
• Your External Documentation (including Privacy policy)
• Your Internal Procedures and Documentation
• Refreshing Consents
Are you already documenting the company’s data flow: How contacts get added to your databases, how you track consent / opt-in / sign ups, the general flow of data, how long you hold personal data, how you delete personal data when someone requests it, how people can opt-out, what your lawful basis is for processing data (e.g. consent, contract), and what you do if there is a data breach or other problem.
Are you already documenting the company’s security, data security training for staff, and demonstrating that the stakeholders in your company take data compliance seriously.
Privacy policy – consider using a service such as Iubenda Redirecting to store... ($27/year) to generate privacy and cookie policies, etc, that are specific to your company. You just select the tools you are using, including Infusionsoft, to generate a policy for your biz.
Who have you named as the data lead (or data protection officer) for the company?
If you are working toward GDPR compliance, you’ll want to be sending email confirmations / double opt-in requests to people in your database. You’ll also want to create a process for tracking opt-ins / sign ups going forward as you need to know when and how the person opted-in. It would be good to to decide how you want to handle people who have not confirmed / double opted-in. If you want to categorize your database into US, EU, or Unknown, you can work on it yourself or use a service such as Klean13 to do it for you.
All sign-up / opt-in forms should be updated to include country and a tick box asking the contact if they want to be added to your email list. It would be good to have an automatic process for sending those email confirmation / double opt-in requests after every form entry.
Are there other data bases in your company that need to be considered? Invoicing, ERP, Skype, Outlook, Quickbooks, your file cabinets, etc.
I have prepared additional information including links to the ICO and more, should you want to dig in further. See the post here: GDPR: Best Practices for Your Marketing | Kokoro - Marketing that starts sales conversations
Hope this is useful to you!
Cindy Z
Many thanks Cindy.