Marketing, Engineered

A Complete Guide to GDPR Compliance for Engineering Companies

Written by Erin Moore | 5/17/18 3:00 PM

Since its introduction in 2018, GDPR has had a significant impact on how companies collect and use personal data of European Union (EU) citizens. It is crucial for all companies, regardless of location, to comply with GDPR if they process or hold personal data of any EU citizens.

What is GDPR?

GDPR, or the General Data Protection Regulation, is an EU regulation governing privacy laws for all EU citizens. It replaces the 1995 EU Data Protection Directive.

GDPR is designed to strengthen and align data privacy laws across Europe, protecting and empowering citizens to take control of their data privacy. It also has a big impact on how all companies collect, store and use personal data of EU citizens.

Who does GDPR impact?

GDPR impacts all companies, in all countries, that process or hold personal data of any EU citizens.

You do not need to be an EU-based company, have an office in the EU or even do business in the EU; if you have contacts in your CRM from the European Union, this regulation impacts you.

So GDPR impacts me: what do I do?

First, do you do business in the EU or have a reason to contact EU residents? If the answer is no, remove these contacts and develop a strategy moving forward to ensure you’re not collecting information from EU residents.

If you do have business in the EU or a legitimate reason to contact EU residents, keep reading to learn how to develop a compliance strategy by May 25.

What is needed to be GDPR compliant?

GDPR has 99 articles, but the points below will most significantly affect marketers. Read the full text of GDPR here.

Please note: this is not legal advice for your company to use to comply with GDPR, but rather background information to help you better understand the regulation. If you have questions about how GDPR impacts your organization and how to ensure compliance, please consult an attorney.

  1. Clear consent and opt-in from EU contacts

    Implied consent is not enough: contacts must have clearly opted in to receive emails from you. Opt-ins need to occur for each communication type you’re sending as well. If a contact is opted in to blog posts only, you can’t send sales emails or newsletters.

    This includes 1:1 sales emails! Unless the contact has clearly opted in or has reached out to you first requesting information, you cannot send a sales email.

    Contacts must also give clear consent for you to process their data, so be sure to include a consent checkbox or statement on any forms. If you do use a checkbox, be aware that contacts will not be able to submit forms without agreeing to data processing.

  2. Only collect the information needed to accomplish the task initiated by and consented to by the contact.

    If you don’t expressly need to know the contact’s industry to send him/her weekly blog posts, you can’t ask. However, you can ask for industry if you send out different blog notification emails based on the contact’s industry; you just have to explain this on the form when you ask for the information.

  3. Citizens have a right to access the information you have on them.

    If an EU citizen requests access to the data you have on him/her, you must give them access to all data and information on how it’s being used within 30 days (with some exceptions; see the full GDPR text).

  4. Right to be forgotten

    At any time, the EU citizen can request to have any or all of his/her information permanently deleted.

  5. Data breaches must be reported within 72 hours of becoming aware of the breach.

How do I ensure my company is GDPR compliant?

There are several steps that can be taken to ensure any ongoing data collection and correspondence is compliant with GDPR.

  1. Send a Re-Engagement Email Campaign to EU Contacts

    When GDPR took effect in 2018, we sent a targeted email to all EU contacts to ask them to opt-in to the types of email they are interested in receiving. Any contacts that didn’t opt-in were deleted from our HubSpot CRM. We also deleted any contacts who fully opted-out of email communications.

  2. Update Forms

    As HubSpot Marketing Hub Professional users, we have the option to make forms “smart” based on visitor information. We built GDPR-compliant forms for all our resources and enabled smart forms on all landing pages to show these compliant forms to EU residents.

    If we didn’t have the smart form option, we would've needed to update all forms across our site to be compliant, with clear email opt-in options and only necessary form fields included.

  3. Update Cookie Policy

    Visitors to your website must consent to being tracked. As part of GDPR readiness, we updated our cookie policy to include express opt-in to cookies and a link to our updated privacy policy.

  4. Ongoing Email

    To be sure any bulk email sends are reaching the correct, opted-in people, we built contact lists for each email type (blog, newsletter, marketing info, etc.). Email campaigns only go to these opted-in segments, rather than to a larger group or whole database.

    If you're using marketing automation software, such as HubSpot, you're already protected from sending emails to contacts who have opted out of all or specific types of emails. With a little more caution, you can switch your strategy to only send emails to contacts who have expressly opted in as well.

  5. Educate Your Team

    Since GDPR affects all types of email communication, we held an internal meeting to cover the regulation and its impact on our ability to communicate with contacts. Everyone from sales to PR to marketing is now aligned with regards to what is and is not allowed under GDPR.

  6. Implement an Ongoing Compliance Plan

    Our ongoing compliance plan ensures we continue to use compliant forms; address information and deletion requests as they come in; send emails by type to only the opted-in contacts; and continue to improve internal procedures.

What are the penalties for non-compliance?

Organizations found to be in breach of GDPR can be fined up to 20 million euros (about $24.5 million) or 4 percent of annual global revenue, whichever is higher. Fines are tiered and affect both data controllers (the company collecting the data) and data processors (the company processing the data).

Are you a HubSpot user, wondering how you can use the tool to be compliant? Learn more about HubSpot’s GDPR product updates.

TREW is a marketing agency dedicated to reaching engineering and technical audiences through a range of marketing initiatives. Contact us today to learn more about the services we offer.