ABM, Meet Your New Boss, GDPR – Part Two of Four

GDPR will be either the end of the marketing world, or a great way to increase conversion numbers on your email campaigns. Time will tell which is right, so, for now, this blog series is concerned with understanding and adjusting the tactics for account based marketing (ABM) as they relate to GDPR.

This is a 4-part blog series covering how we achieved GDPR readiness. Over the month of April we will release the following sections:
Part One: Segment and Sync Your Databases, Consent, List Vendors
Part Two: Inbound Leads, Managing Opt in /Opt out, Leads from Field Marketing
Part Three: Outbound Marketing Tactics
Part Four: Advertising

Download the entire white paper here.

 

How GDPR Affects ABM Tactics

An ABM strategy usually employs a variety of digital marketing and direct marketing tactics, so it’s important to look at each one closely at how it might be affected by GDPR. You should consult with your legal team and security officer for specific direction and guidance on how these rules may affect your organization

Solve for GDPR

For our company’s GDPR readiness, Treasure Data’s ABM initiative was put to task by our very own product – the Treasure Data enterprise customer data platform (CDP). Using our own solution for GDPR has been exciting for both sales, marketing and product teams. Being that we have less than 250 employees, we aren’t subject to GDPR yet so we didn’t HAVE to do this, but it was great seeing how our CDP works in the areas of database segmentation, opt in / opt out management, inbound leads, cold emailing and more.

Managing Inbound Leads

Managing inbound leads within GDPR regulations breaks down into two discrete areas:

  • Inbound leads that come in from web forms you control
  • Inbound leads that come in from affiliate sites

-Inbound leads from web forms you control

Ensuring that new leads from web forms you control are GDPR-compliant is simple if you use a double opt in process. Most marketing automation vendors provide guides for double opt in, such as:

If you have the capability, you’ll probably want to use the double opt in process only for EU / UK contacts. Here are a couple of ways to do this:

  1. The easiest way is to have a mandatory field on the form requiring the contact to identify his or her country. If it’s an EU country regulated by GDPR, then it should trigger the double opt in process. If not, you can assume an “opt out” approach and market as normal.
  2. A more savvy way to do this is to dynamically serve a different form depending on the cookie / IP address of the visitor. With this approach, you’d first need your website to serve a cookie permission pop up to visitors recognized as EU citizens. If they accept cookies, then you can use the double opt in dynamic form. If cookies are refused, you should default to option 1.

A number of vendors can help you with these techniques, including Treasure Data, so just select the best fit for your business.

-Inbound leads from affiliate sites

The guidelines here are similar to when purchasing a list or working with a SaaS database contacts vendor. You need to make sure that any partner / affiliate site from which you collect data is GDPR-compliant. We suggest adding language into any new contract that puts liability on the affiliate partners, as well as revisiting any existing contracts. Of course, you should consult with your legal team for more details.

Managing Opt Outs and Other Individual Rights

GDPR introduces new complications in how you manage communications preferences for contacts in your database. In short: An EU contact (“data subject”) needs to be able to opt in / out of any communication type at any time.

This is actually one of the more complicated aspects of how GDPR affects marketing, but there’s a foundation we can all recognize — including an “unsubscribe” link in your email that goes to a contact preferences page.

From an email-only perspective, this is pretty straightforward. Any marketing automation system you use should contain an easy “unsubscribe” link to allow people to remove themselves from further email communication. With GDPR, however, it gets more complicated because of new rights granted to individual “data subjects.” Run afoul of any of these and you can get hit with disastrous fines.

EU subjects in your database have several new rights:

  • A “right to data access” — they get to view all the data you have stored about them, how you collected it and how you use it.
  • Clear description of communications preferences and easy management of them.
  • The ability to opt out of any communications or of processing of their data, for marketing or many other purposes.
  • Contacts have the “right to be forgotten,” meaning that your company must delete any and all information you have on the person from all your systems, including downstream systems like email automation systems to which you have sent their data.

Here’s an example of what opt out pages would look like from an email-only perspective before and after GDPR:

Before After
Email me with

  • News about Treasure Data
  • Blog updates about Treasure Data
  • Sales / marketing promotions
Email me with

  • News about Treasure Data
  • Blog updates about Treasure Data
  • Sales / marketing promotions
Opt out

  • Remove me from all communications
Cookies

  • Collect / track web browsing history
Advertising

  • Allow retargeting on Google
  • Allow retargeting on Facebook
  • Allow retargeting on third-party websites
Product

  • Allow Treasure Data to collect data on how I use the Treasure Data app
Opt out

  • Remove me from all communications
Be forgotten

  • Delete all information you have on me

You can see how many variables there are to consider, even on just email preferences. When you add phone contacts, social media, browser and mobile device tracking, chatbots, location tracking, voice systems like Alexa, and more exotic methods of data collection, it pays to centralize management of data, preferences and your interactions with contacts.

With the ability to pull contact data from multiple sources, unify IDs into a “golden customer profile” and push / write back to the original systems of record, CDPs can help manage this complex issue, especially where marketing operations are concerned.

Different CDPs will have different integrations out of the box and most will require some custom setup to work with your specific marketing technology stack. You should also expect to involve your internal web development / management team in order to ensure a page like this displays and functions with your various domains and web properties.

Outbound Marketing Tactics

Field events take place in many geographies, not necessarily only within the EU. So let’s say an EU citizen gets her conference badge scanned at a trade show booth in Tokyo, and the lead data is then uploaded into a CRM in Denver – those GDPR rules still apply. It will not matter where the data was collected or uploaded or where a marketing campaign is launched – as long as the data represents an EU citizen, you’re a “data controller,” subject to the GDPR no matter where data is stored.

Managing leads within GDPR regulations collected at trade shows, conferences and other events (summits, meetups, networking events, etc.) comes with its own set of considerations. Here are some general guidelines to consider:

  1. Review and update all of your event contracts. Make sure the organizer has updated their terms and conditions to include opt-in language like “by attending this conference you agree that our sponsors may contact you for marketing purposes.” If they don’t, you should reconsider your sponsorship of the event.
  2. Most events make lead retrieval units available for sponsors and you usually have the option to customize the questions. One question should be “by getting scanned you agree to receive marketing material from us” and your booth staff should be trained to ask this question EVERY TIME THEY SCAN someone (and mark the box!). Even if the event includes the opt-in in their T&Cs you should obtain consent at your booth as well in case you get caught on the wrong side of an audit. This gives your company additional protection.
  3. Your method for GDPR compliance at field events should be codified in a formal internal process and documented. Your staff should sign off that they have received training on how to correctly obtain consent and capture leads. Talk with your legal council about where / how to best store this documentation.
  4. An option is to have event / booth signage notifying attendees that by attending they are consenting to marketing of any type. Your staff should point out the signs during the event when collecting business cards, scanning badges, etc. To be fair, this has questionable value in an audit, but, if you take a photo of the booth and document the signage, then it could help.

Obviously with GDPR, gone are the days when you stood in the aisle saying, “Hey, would you like this cool pen? Oh, can I scan your badge?” But on the bright side, we expect to get more qualified leads and improve our performance metrics in the end.

End of Part Two of Four

Coming up next week:
Part Three: Outbound Marketing Tactics. Learn how to manage cold calls, emails, social media outreach and even direct mail to comply with “legitimate interest.”

Download the entire white paper here.

Erik Archer Smith
Erik Archer Smith
Erik Archer Smith is a data-driven marketing and sales professional at Treasure Data with 10+ years experience helping companies scale during phases of hyper-growth. Erik got involved with tech early and built the first social media site in Japan using open source technology in the early 2000s. When not working, he enjoys spending time at the beach with his wife and dog, and obsessing over character-build stats in whatever RPG currently has him hooked.
In Case You Missed It