GDPR (and CCPA) privacy laws will help you build a stronger business

GDPR (and CCPA) privacy laws will help you build a stronger business

Most of what you actually need to follow to be GDPR/CCPA compliant is common sense for any business. It will force you to build a stronger brand, target more engaged leads and gain stronger trust from customers.


Since 2018, updated regulations around data privacy (GDPR in Europe May 2018, CCPA in California January 2020) seemed like a mini-revolution in the digital world. It is quite a project for most companies to adjust their process and tools to remain compliant. It was all a bit like Paul Graham said a few months ago:

However, having implemented it for clients and gone through it in detail, the legal text is not for bedtime reading but most of what you actually need to do to be compliant is COMMON SENSE.

As I will demonstrate below, I believe those regulations just brought attention to data privacy into the boardrooms and now forcing businesses to follow best practices to build strong brands.

I previously wrote from an individual perspective on how and why we should be aware of our personal data online. We can now spin the table and look at it from the business side. How can SME embrace the new regulations? How can these be used to nurture more engaged leads and build long term trust with customers?

A quick intro on GDPR and CCPA

Both regulations define “Personal Data” as any information relating to an identified or identifiable data subject. The CCPA grants California resident’s new rights regarding their personal information. While it incorporates several similar concepts, the scope and territorial reach of the GDPR is much broader, as it applies to any company offering goods, services to individuals in the EU).

Those regulations are hundreds of pages long and apart from lawyers, no one is really expected to go through them all line by line. To streamline this process, the GDPR can be summarised in the 7 principles below. We will explore which one with practical examples further down to help make sense of it:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability principle

It’s critical for EVERY staff member in a company to be aware of the data privacy regulations concepts and how it applies to their own company’s processes.

Like most compliance processes, GDPR can be deployed as a risk-based approach which requires us to think about “why” we need to capture personal data and justify “how” we use and store that data.

Data lifecycle in a business

When you think about where data comes from and where it sits, the whole lifecycle in a business can be messy. Who is in charge of maintaining the CRM? When you consider HR data, operational suppliers or prospects, it’s an organisational process. If the Operations team supervises those systems, effort needs to be made to keep the data organised, traceable and safe, whilst making it available to every department who needs it to manage interactions with individuals. If we put staff records on one side and focus on customers data, we can follow how that data flows into a business in chronological order:

  1. Starts with a Lead Gen / Marketing outreach campaign to gain awareness
  2. Enters the sales funnel for a Prospect that has expressed interest
  3. Turns into a Customer record you are providing a service and ongoing support for or accessing your products
  4. Ends at the of the relationship when the customer terminates the agreement

Let’s go on a journey and explore these various states and see how companies can remain compliant at all stages against the 7 GDPR principles.

Minimising data capture during Lead Generation

We used to be able to buy emails lists and blast the identical spammy content to thousands of emails. This was like a shot in the dark, where the reliability of the data was (at best) average and no one was expected to hear from your product or had a need for your service. These outdated practices have thankfully disappeared from every marketing strategy plan! Brands now have to work harder to gain the trust of users and emphasise or create a NEED before starting to micro-target potential customers with more relevant and personalised content.

Companies first need to build engagement with storytelling and touch on individuals’ aspirations and beliefs. Yes, you might only capture 0.1% versus the number of records you could get from email lists, but they will be so much more valuable as customers voluntarily shared their details and expressed interest in your product/services.

From there, you are ready to review my checklist below and run thorough due diligence on all your MarTech tools (CRM, email…) against the official principles:

  1. Make it clear to the user what they will sign-up for, explain the benefits and logic of how you will use the data in plain English, not in hidden policies full of legal jargon. This will cover most of the lawfulness, fairness and transparency principle;
  2. Only use the data for the specific use case it was captured for - someone signing up for a Zoom webinar might not want to receive product offers or discounts (unless they opted-in!). This will cover the purpose limitation principle;
  3. Only capture the fields that you need for your segmentation. For example, you might need a geographical location but not the full address or even last name to run targeted campaigns. Focus on identifying the product features they need (non-personal data) rather than socio-economic segments. This will cover the data minimisation principle;
  4. Make sure you capture accurate data. Whilst this is in the hand of the users filling forms, add the relevant validation rules to ensure data accuracy;
  5. Always consider personal data as “top secret” confidential information. Never forget to validate the cloud-based tools you use for security and contractual cover around the “data controller” and “data processor” roles. You do not want this to be shared with anyone outside of your organisation and should even have strict permission groups for staff. The security around the personal data needs to be even tighter than your intellectual property assets protections! Implementing processes such as ISO 27001 will cover the integrity and confidentiality of that data;
  6. Record the time, the source and the opt-in status from the user anytime you capture data. This will be required for audits and access requests as part of the accountability principle.

Social media channels can be trickier to navigate with less choice of tools and freedom. You pretty much have to abide by their flows and features, so follow best practices and try to further engage with social leads in an environment you control.

At this stage, the key is to only capture the minimum data points required and avoid dispersing data into too many systems, or it will become a nightmare to audit and keep organised. Tools like AutoPilotHQ, Segment, Marketo or Pardot can act as the central glue that automatically syncs data between your CRM (Salesforce, Pipedrive…) and 3rd party tools.

Enriching your data during the Sales Lead phase

Now that the customer has expressed a genuine interest in one of your products/services, you can engage in more interactions with them to discover more about their needs. That potential customer is shopping around and has a legitimate interest to hear about what you have to offer.

The definition of “Legitimate Interest” in GDPR will allow you to send a relevant message specifically about the products they registered interest for: you can really invest in remarketing, email campaigns, invites to webinars…  Legitimate interest will allow you to distribute more relevant content to keep customers engaged, drip-feeding information to slowly convince them to sign up.

Similar to lead generation, your CRM will be the central focus of attention when it comes to personal data storage and you can follow similar guidance:

  1. Avoid sensitive data. You might think that you'd need to know about the ethnic origin, political opinions or religious group to make a decision on someone’s credit application or the type of membership they should get? GDPR prohibits it so find a better way.;
  2. Keeping the data accurate will be a challenge. People move jobs and change email. Their interests evolve. Their industry sector changes... Put in place recurring procedures to keep the details and your segmentation up-to-date;
  3. Allow customers to unsubscribe at all times. Platforms like Mailchimp will automatically add such links in every campaign but you need to plan for this process when connecting your tools. Deleting it from your email platform might not delete other records in your CRM or internal databases;
  4. Keep track of all communications, like a log or timeline of all interactions. This will help with audits. More importantly, it will help you measure the engagement of every campaign;
  5. Consider auto-erasing records of inactive or disengaged users. If someone didn’t interact with your brand in 12 or 18 months, they are no longer interested so you should focus your effort on more engaged users. This will cover the storage limitation principle.

Safeguarding the trust of your Customers

Now that someone converted and signed up, you have a wider scope of interactions. The goal is now to keep the trust of that customer for as long as possible. More than continuously delivering value to retain them as a customer, you must safeguard their personal data. A security incident will most likely breach the trust your customer had placed in you. Remember the 7 principles and adjust your processes and policies accordingly:

  • Make it clear how long you will keep their data and how you use that data. This should cover where it’s stored, whom you share it with. Be transparent about the tracking and monitoring tools you use (Google Analytics, social remarketing tools...) and ask yourself how those are beneficial to your customer;
  • Remember the data minimisation principle as you onboard users and capture more data. You need their full address details for billing purposes but again, keep it minimal. Do you really need their date of birth?
  • For accuracy, allow the user to edit their details in the My Account area or via a manual process your document;
  • Prepare for “Subject Access Request” - users have the right to request access to all the information you have about them and request erasure. This is why it’s so important to log when they signed-up and keep track of all their data connected in your 3rd-party tools ecosystem;
  • Review your onboarding policies for staff, ensure relevant permission groups and secure access remain suitable at all times.

Ending the relationship amicably

There will come a point where your customers no longer want or need to pay for your tools or services. At this stage, the new regulations are also enforcing several new processes that you might have disregarded or considered less important in your product features.

The regulation requires that you permanently remove the contact record from your database, including email tracking history, call records, form submissions, and other engagement data and activity. Typically, these requests should be attended to within 30 days.

Ideally, you would allow users to terminate their account online, ensuring it deletes or anonymises the relevant personal data field from your systems. If not possible, have a scripted process that can be run on demand.

I’d recommend looking again at your customer off-boarding procedure to ensure it includes every bit of customer data you have in your various systems.

To summarise

As we have seen, the regulations add some burden in terms of extra policies of features to implement but I believe they make perfect sense and give the end-users more flexibility and ultimately trust in your brand. To be successful and remain compliant, businesses need to:

  • Run efficient outreach marketing campaigns based on legitimate interest and storytelling;
  • Develop a fair and sustainable business built around trust from their customers;
  • Build stringent processes to help with scale and remain compliant.

Accountability needs to start from the board. Most SME don't need to hire a dedicated "Data Protection Officer" (unless you are in the data tracking business), but you should still have someone in your organisation who is responsible for data privacy and staff training/awareness. Companies need to always look for the “weakest link” that could put all this compliance at risk. At the end of the day, it’s everyone’s job to protect customers' data.

Jump to: