Data privacy regulations are being introduced by governments all over the world to ensure that customer data is kept safe by the companies that collect it. However, the practical application of these regulations in business can dampen marketing efforts. It doesn’t have to as long as you fully understand what they are and how they affect your business.
1. Email spam
In order to comply with most state and international laws, email communications should all be opt-in. This means that the lead or client has given express permission to be added to an email list for future use. If a customer has bought something, that does not imply opt-in consent.
When you obtain a lead from your website, or make a sale, you’ll need to get that person’s consent to be added to an email database. This does not mean that you cannot respond to email queries, but that you need to obtain consent to send further communications that aren’t answers to direct questions from the client. At the end of a customer interaction for a lead, or as part of the sale (online or off), have a purpose-built email sent out automatically that will ask the lead or client for consent to receive further communications from your company.
In the United States, the two most rigorous anti-spam laws are in Illinois and California. If you design your email communications to match the requirements of these laws you will generally be in compliance with the rest of state laws. There is no federal law which governs email spam in the US.
In Canada, the federal CAN-SPAM Act requires all email subscribers to be opt-in.
Tools such as Constant Contact, Mailchimp and Zoho Campaigns have several opt-in forms available. If you are a Zoho One user, you can set up Zoho CRM to trigger an opt-in consent email once a lead converts, which will in turn feed that information to Zoho Campaigns.
2. Be Proactive about Data Breach Notification
The best plan for a data breach is to have a proactive plan drawn up with emails and social media statuses that have been vetted by your legal department or a lawyer beforehand. These emails and the legal vetting should be updated yearly in order to stay in compliance with constantly evolving data privacy regulations.
A data breach plan should be part of your business continuity/disaster recovery plans and cover various types of data breaches. You should also have a full public relations plan ready to go — including social media statuses — to minimize damaging your brand’s reputation. Make sure that the response is appropriate to the type, size, and impact of the data breach. There are consultants that specialize in how to deal with brand negativity through social media that can help with everything from preparedness through handling your brand in a high profile situation. It is much cheaper to hire these consultants for a proactive plan than to hire them in the event of a breach. They may also be able to help you design your policies and prevention to avoid a breach in the first place.
3. Privacy Policies
Privacy policies should be GDPR-compliant and your organization should follow whatever they say rather than just using a boilerplate policy that you download from the internet. Craft them with a lawyer that specializes in this area and make sure your organization is actually following what they say.
The biggest issue with privacy policies is that employees aren’t aware of what the privacy policies are. This means that your business is saying one thing in your policy and doing another thing entirely in practice. Employees and third-party contractors should all be aware of the actions that your privacy policy sets forth, and be sent regular communications which remind them of how to implement these policies. An annual audit of users and contractors would be advisable to make sure your business is walking the walk.
4. Employee training
Make sure all employees are properly trained in your privacy and email policies, and if there are any questions about any campaigns run them by your legal department or a lawyer. Use this opportunity to also educate your employees about standard cybersecurity protocols, such as how to avoid phishing emails, social engineering, and other common areas of attack.
You may want to do a couple of longer training sessions per year (about a half day should cover it) with monthly emails with short videos and other material that your employees will find interesting. You’ll be surprised to find out how thirsty your staff are to find out more about how they can help protect the company from cyber threats and your clients from data breaches. It’s way more interesting than TPS reports.
5. Make sure technology solutions are compliant
We’ll have an entire blog on this because this requires huge expansion, but in summary you’ll want to go through your website, emails, email newsletters, and other technology solutions to make sure they are meshing with both data privacy regulations and your company privacy policy.
As a team of experts on everything in the marketing and digital world, ion8 is well-positioned to help you with ensuring that all of your company’s marketing efforts are compliant with regulations that are specific to your industry.