With just a matter of months until the EU General Data Protection Regulation comes into effect, most businesses should have safeguards in place to better protect their B2B marketing data at this stage. However, if you’re still confused, you’re not alone. The GDPR is the biggest change to data protection legislation for more than a decade. It’s a huge and complex body of legislation and therefore hardly surprising that many businesses are struggling to fully understand their responsibilities. Even if your data is handled by a third-party - such as HubSpot - you still need to be proactive in your approach to the GDPR.
If you feel like you’re fumbling around in the dark, join the Squaredot team by signing up for tickets to An Post’s GDPR Breakfast briefing. GDPR subject expert, Marc Michaels, will decode the new regulations and offer practical advice on how to develop, integrate and manage the significant changes that marketers will be expected to implement. In the interim, there’s no harm in swotting up on what life will look like in a post-GDPR world. Here’s our take on things.
What agencies will advise on the GDPR or do we need a data protection specialist?
For most businesses, GDPR adoption has been a voyage of discovery. The Data Protection Commission (DPC) has launched a GDPR-specific website with guidance to help individuals and organisations become more aware of their respective enhanced rights and responsibilities. However, the complexity of the process means additional support will be required. For most businesses, hiring a full time data protection specialist is probably not necessary. But don’t take our word for it!
Some organisations (public authorities, companies conducting large scale monitoring or those handling large volumes of “sensitive” data) are legally obligated to hire a Data Protection Officer (DPO). You may need to check with the Irish Data Protection Commissioner to verify if your business falls into this category. However, if senior management is confident the organisation has people who can upskill in-house, then you will be able to get by without adding someone in this capacity to your team.
All things considered, when faced with the threat of incredibly punitive GDPR fines, can your business afford the risk of going it alone? Any investment in consultancy services that will train your team in email marketing best practices (where we imagine the bulk of breaches might stem from) is unlikely to be wasted. Building GDPR compliant practices from the outset will be far more cost effective (and less embarrassing) than falling victim to a successful cyber attack or data leak event.
Will HubSpot or my third-party marketing partner cover the GDPR for me?
If your business uses an agency for marketing communications or an automated marketing platform to host business contacts and data, it’s not safe to assume that the GDPR doesn’t apply.
While marketing platforms like HubSpot are classified as GDPR data processors, entities who collect data and decide how to use it (your organisation) are data controllers. Because you hold personal data belonging to customers and sales prospects, your business bears the responsibility for protecting that information.
Although you can outsource various business functions, your data protection responsibilities are non-transferable. As part of compliance, it will be important to reconfirm with all your contacts that they’re still OK to hear from you. While it may be business as usual for the most part (HubSpot already offer an unsubscribe function to marketing emails) it’s better to be safe than sorry. Why not use the GDPR as an opportunity to clean up your data lists once and for all?
When it comes to explaining a data breach, passing the buck won’t wash. Make sure that when carrying out a data protection audit, you carefully consider whether your marketing partners are capable of helping you navigate the GDPR - it’s an important conversation you need to have.
In addition to re-qualifying data lists, HubSpot users will also need to update their cookie practices and put their data capture processes in order.
How do I report data breaches in order to comply with GDPR?
Even with the best data security defences in place, there will always be a risk that personal information is lost or stolen. Your firewalls may be cutting edge and repel 100% of cybercriminal attacks – but there is still room for human error to expose sensitive B2B marketing data.
If that happens, your business has a duty to report the breach to the Irish Data Protection Commissioner. Reporting breaches is mandatory – even if the issue is resolved quickly and you believe that the missing information has been successfully retrieved.
You have 72 hours to make a disclosure to the DPC, or risk being fined twice – once for the breach itself, and once for failing to report the incident. The GDPR also requires that your business should inform individuals affected about the loss, theft or destruction of their data too.
Reports can be made to the Irish Data Protection Commissioner by email (preferably), telephone or fax. DO NOT send any personal data along with the report – this would constitute a second breach of the GDPR. Full contact details for the DPC are available here.
[Please note: This blog is written from Squaredot’s point of view and understanding of the GDPR and changes to PECR, which is still in draft as of today’s publication date. Information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts or the Irish Data Protection Commission on the more contentious questions. For everything else, we welcome your thoughts in the comments section below!]