The GDPR, the EU’s new data protection regulation, came into effect on May 25th, 2018.
The regulation has far-reaching implications for businesses that collect, process or store the personal data of EU citizens.
Under GDPR, businesses must ensure that the personal data they collect is accurate and up to date, that it’s collected for a specific, legitimate purpose, and that individuals have the right to access their personal data and know how it is being used.
In addition, businesses must provide customers with a way to opt-out of having their data collected or used.
And finally, businesses must take steps to protect the personal data they collect from unauthorized access, disclosure, or destruction.
The GDPR imposes significant fines for businesses that violate its provisions, including up to 4% of a company’s global annual revenue or €20 million (US$24 million), whichever is greater.
It takes a good compliance strategy to avoid any of those penalties.
Two key aspects of GDPR compliance are customer acquisition and data protection.
Compliance with GDPR begins with ensuring that your business has the proper consent forms and processes for customer acquisition.
That means having a clear and conspicuous opt-in for customers who want their data collected, processed, or stored and an equally clear opt-out for those who don’t.
In addition, customers must be given a clear and concise explanation of how their data will be used, and they must be able to withdraw their consent at any time.
Once you have consent, you must put processes and technologies in place to protect the personal data you collect.
That includes ensuring that only authorized personnel have access to the data, that it is encrypted, and that it is backed up in a secure location.
You’re also required to plan how to respond to a data breach.
That includes notifying customers and regulators within 72 hours of a breach and taking steps to prevent future breaches.
Lead Generation and GDPR: Caution When Handling Sensitive Data
The GDPR applies to any company that processes or intends to process the personal data of EU citizens, regardless of whether the company is based inside or outside the EU.
That has far-reaching implications for companies that generate leads through online forms and other means. If you collect leads from EU citizens, you must take steps to ensure that you are GDPR compliant.
The first step is ensuring you have proper consent forms.
That means having a clear and conspicuous opt-in for customers who want their data collected, processed, or stored and an equally clear opt-out for those who don’t.
Why?
- The new regulation strengthens the privacy rights of individuals and gives them more control over their personal data. It also imposes significant fines for businesses that violate its provisions.
- Personal data, e.g., the name, birthplace, residence, employer, contact data, religious affiliations, credit card info, passport number, IP address, ID number, email address, or any other data that could identify a person, is considered sensitive under GDPR. That means you must take extra care when collecting, storing, and using this type of data.
- Data protection now applies to any company, regardless of size or location, that processes or intends to process the personal data of EU citizens. Company size doesn’t matter – all companies must be GDPR compliant.
Here’s Why:
The GDPR requires companies to take steps to protect the personal data they collect from unauthorized access, disclosure, or destruction.
It also doesn’t matter where the company is based – if you process or intend to process the personal data of EU citizens, you must take steps to ensure you are GDPR compliant.
The Bottom Line?
If you generate leads from EU citizens, you need to be GDPR compliant.
That means having a clear and conspicuous opt-in for customers who don’t mind having their data collected, processed, or stored and an equally clear opt-out for those who do.
It also means putting processes and technologies in place to protect the personal data you collect and being prepared to respond to a data breach.
What the Data Protection Regulation Entails for Companies
Let’s paint a scenario:
You frequently organize raffles or giveaways on your website or blog and require participants to provide their personal data, such as name, email address, and mailing address.
You then use a marketing automation tool to add these leads to a campaign and send them promotional material about your product or service.
But wait – is this GDPR compliant?
The simple answer is no.
Before the GDPR, customer silence and inaction were considered tacit consent. Today, companies must get explicit consent from individuals before collecting, using, or sharing their personal data.
In other words, you can’t assume that someone consents to have their personal data collected just because they didn’t say no.
You must have a clear and conspicuous opt-in form that explicitly states what you will do with the personal data you collect and obtain explicit consent from individuals before collecting, using, or sharing their personal data.
Still unsure if the GDPR applies to you?
Here are a few questions to help you determine if the GDPR applies to your company:
- Do you use purchased mailing lists or email lists to market your products or services?
- Do you have a process for collecting leads from trade shows or other events?
- Do you require customers to provide their personal data when they sign up for your newsletter or create an account on your website?
If you answered yes to any of these questions, then the GDPR applies to you, and you need to take steps to ensure that you are compliant.
GDPR in Customer Acquisition
So, what are the practical applications of the GDPR for customer acquisition?
In this section, we’ll discuss the practical applications of the GDPR for customer acquisition and how to ensure your customer acquisition practices are GDPR compliant.
In the simplest terms, the GDPR requires that you have a legal basis for collecting, using, or sharing the personal data of EU citizens.
- Every work step involving customers and suppliers must be re-evaluated in light of the GDPR.
- Pay thorough attention to ensuring every partner in your company is informed of their rights and obligations under GDPR when transferring personal data.
- You must be able to provide evidence of this when required. When a customer or the law demands it, you have to be able to hand over a list of everyone with whom their personal data has been shared.
It has profound implications for how you acquire customers and the type of data you collect from them.
For example, if you plan on using purchased lists or email lists to market your products or services, you will need to get explicit consent from individuals before adding them to your marketing campaigns.
The same goes for collecting leads from trade shows or other events.
You will need to get explicit consent from individuals before adding them to your marketing campaigns.
And, if you require customers to provide their personal data when they sign up for your newsletter or create an account on your website, you will need to get explicit consent from them before collecting, using, or sharing their personal data.
How Has the GDPR Transformed Customer Acquisition?
The GDPR has transformed how companies acquire customers by requiring them to get explicit consent from individuals before collecting, using, or sharing their personal data.
This has led to a more transparent and respectful relationship between companies and their customers.
Here are some of the ways GDPR has transformed customer acquisition:
Data Collection and Obtaining Approvals
Typically, you obtain personal data from customers when they sign up for your newsletter, create an account on your website, or make a purchase.
With any of these interactions, you obtain their consent by providing them with a clear and conspicuous opt-in form, a link to your privacy policy, and a follow-up email.
That ensures that your customers know exactly what you will do with their personal data and allows them to opt out of any marketing campaigns.
Individuals may also request free information about the personal data you have collected from them and how you intend to use it.
You must provide this information within 30 days and explain your reasons.
If a person requests that you stop using their personal data, you must comply with their request.
You must not send them any ad or direct marketing material unless they have given their explicit consent.
In this case, you want to document the person’s consent so that you can easily prove it if required.
A well-documented consent is the foundation of any GDPR-compliant customer acquisition strategy.
However, you may still keep some anonymized data to prevent yourself from approaching a contact in the future.
That sounds easier than it really is.
In some cases, the law may require retaining some personal data, for example, for tax purposes.
It is essential to have a data retention policy that considers the requirements of GDPR.
Data Processing Under GDPR
The GDPR requires that you process personal data lawfully, transparently, and in a way that is fair to the individual.
At no point in the customer acquisition process are you allowed to process personal data in a way that is discordant with the purposes for which it was collected.
For example, you cannot use customer data collected for one purpose and then use it for another purpose without the customer’s explicit consent.
Say a customer calls your company asking for a free product version.
You can only use the customer’s personal data (e.g., name, phone number, email address) to provide them with a free version of your product.
You cannot add them to your marketing campaigns or sell their personal data to third parties without their explicit consent.
Doing so will only get you into hot water with the GDPR regulators.
Here’s how you avoid fines:
- Inform the prospect or customer that you have saved their information for marketing purposes
- Get explicit consent from the individual before using their personal data for marketing purposes
- Collect only the personal data that you need for the specific purpose
- After making a phone call, send a follow-up email to confirm the conversation and what was agreed upon.
You must also take all steps necessary to ensure the personal data you collect is accurate and up-to-date.
The Pitfalls: How Exactly Does Your Customer Acquisition Need to Change?
- Be upfront about what you’re going to do with the personal data.
- Get explicit consent from individuals before collecting, using, or sharing their personal data.
- Provide customers with an easy way to opt out of any marketing campaigns.
- Be transparent about the personal data you have collected and how you use it.
- Stop using personal data if the individual requests that you do so.
- Handle personal data securely and protect it from unauthorized access.
- Have a data breach response plan in place.
In 2017, during the Data Protection Conference, it was announced in a short paper that direct advertising would no longer be allowed without the explicit consent of individuals.
The following year, the GDPR was introduced, which put these changes into effect.
Once you obtain consent, you can continue your customer acquisition strategy.
If you don’t obtain consent, you need to find a new way to acquire customers that doesn’t involve using personal data.
For most companies, it’s not practical or possible to stop using the data already available to the organization.
That means direct marketing is still permitted in certain circumstances.
However, if you want to walk the straight and narrow, you’ll need to get explicit consent from individuals before using their personal data for marketing purposes.
You might have to contact your lawyer to get help with this one.
Section 7 of the German Unfair Competition Act (GUCA) still applies when dealing with private consumers.
This law says that for advertising by telephone call, email, fax, or SMS, the person contacted must have given their explicit consent in advance.
That applies even if the person is already a customer.
Email Acquisition in the Age of GDPR
Acquiring email addresses has become more difficult since the introduction of the GDPR.
Under no circumstances are you allowed to send automated, unsolicited emails (i.e., emails that are not part of an existing customer relationship) to a prospect.
You can still email people who have given explicit consent, such as when they opt in to your newsletter or download a white paper from your website.
Just be sure to include a link to your privacy policy in the email so they can easily opt out if they change their mind.
You also want to state the reason for contacting them in the email.
The best way to acquire new emails is to have a sign-up form on your website that is prominently displayed and easy to find.
If you’re using pop-ups, give visitors the option to opt in to your newsletter or other communications. And, as always, be clear about what you’re going to do with the personal data you collect.
Another way to acquire emails is to use a “keep me informed” button on your website.
This button can be placed on product pages, blog posts, or other places where it makes sense.
When visitors click the button, they should be taken to a landing page where they can enter their email address and opt in to your communications.
Again, include a link to your privacy policy and explain why you’re asking for their email address.
You also want to use a double opt-in process to ensure the person who entered their email address actually wants to receive your communications.
With double opt-in, the person enters their email address on your sign-up form, and you then send them an email with a link to confirm their subscription.
Only when they click the confirmation link in that email are they added to your list.
Using a double opt-in process helps you stay compliant with the GDPR and avoid dealing with people who complain they never signed up for your emails in the first place.
Side Note: Include checkboxes for people to opt in to different communications from your company.
For example, you can have one checkbox for your newsletter and another for special offers.
This way, people can choose what they want to receive from you instead of being bombarded with emails they don’t care about.
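As an added example that is not part of the original article, the following Python consent ledger ties together the per-purpose rule from the data-processing section above (data collected for one purpose may not be used for another) and the double opt-in flow just described: the sign-up form only produces a signed, expiring confirmation token, consent for each ticked purpose is recorded only when the link in the confirmation email comes back, every use of the address is gated on that purpose, and each step is logged so the consent can be evidenced or withdrawn later. The purpose names, the `ConsentLedger` class and the signing secret are assumptions for illustration, not anything the article prescribes.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_PURPOSES = {"newsletter", "special_offers", "phone_sales"}  # one checkbox each on the (hypothetical) form


class ConsentLedger:
    """Records consent per purpose only after the signed confirmation link is used."""

    def __init__(self, secret: bytes, token_ttl: int = 86400):
        self._secret = secret                 # server-side key for signing tokens
        self._ttl = token_ttl                 # seconds a confirmation link stays valid
        self._consents: dict[str, set] = {}   # email -> confirmed purposes
        self.audit: list[dict] = []           # append-only evidence trail

    def _log(self, event: str, email: str, **extra) -> None:
        self.audit.append({"ts": time.time(), "event": event, "email": email, **extra})

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purposes, source: str, now: float = None) -> str:
        """Step 1: form submitted. Return the token for the email link; store no consent yet."""
        purposes = sorted(set(purposes))
        if not purposes or not set(purposes) <= ALLOWED_PURPOSES:
            raise ValueError("empty or unknown purposes")
        claim = {"email": email, "purposes": purposes, "source": source,
                 "exp": int(now or time.time()) + self._ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claim, sort_keys=True).encode()).decode()
        self._log("requested", email, purposes=purposes, source=source)
        return f"{payload}.{self._sign(payload)}"

    def confirm(self, token: str, now: float = None) -> bool:
        """Step 2: link clicked. Only a valid, unexpired token creates a consent record."""
        payload, _, sig = token.partition(".")
        if not sig or not hmac.compare_digest(sig, self._sign(payload)):
            return False                      # forged or mangled link
        claim = json.loads(base64.urlsafe_b64decode(payload))
        if claim["exp"] < (now or time.time()):
            return False                      # stale link: they must sign up again
        self._consents.setdefault(claim["email"], set()).update(claim["purposes"])
        self._log("confirmed", claim["email"], purposes=claim["purposes"], source=claim["source"])
        return True

    def withdraw(self, email: str, purposes=None) -> None:
        """Opt out of some or all purposes; the audit trail keeps the history."""
        held = self._consents.get(email, set())
        removed = held if purposes is None else held & set(purposes)
        self._consents[email] = held - removed
        self._log("withdrawn", email, purposes=sorted(removed))

    def may_use(self, email: str, purpose: str) -> bool:  # check before every campaign send
        return purpose in self._consents.get(email, set())
```

The `audit` list is what you hand over when someone asks what you hold about them and where the consent came from; `may_use` is the gate that stops an address collected for the newsletter from ending up in the phone-sales queue.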
Telephone Acquisition in the Age of GDPR
The GDPR has changed the way businesses can acquire telephone numbers.
Under the GDPR, you can’t buy or rent lists of telephone numbers for marketing to individuals.
The only way to legally acquire telephone numbers for marketing purposes is to have the person give explicit consent.
There are many ways to do this, such as:
- Ask people to opt in to receive telephone calls when they sign up for your newsletter or other communications.
- Have a checkbox on your website that people can tick if they want to receive telephone calls from your sales team.
- Include a statement in your privacy policy that says you may contact people by telephone if they’ve given their explicit consent.
- Ask people if they want to receive telephone calls when you collect their number, such as when they make a purchase or book an appointment.
If you have an existing list of telephone numbers, you can still call those people as long as they haven’t explicitly asked to be removed from your list.
Just be sure to allow them to opt-out of future communications at the beginning of each call.
And, as always, include your privacy policy on your website and in any email or other communication you send out.
Some special rules apply to telemarketers:
- When making a sales call, never hide or suppress your caller ID. The person you’re calling has the right to know who’s trying to reach them. If you’re using an automated system to make calls (like a robocaller), always give people the option to opt out of future calls. Otherwise, you’ll be subject to a fine of up to €10,000.
- If you decide to contact a private person, you can only do so after you’ve received their explicit consent. You also need to provide them with a way to opt out of future communications.
When in doubt, always err on the side of caution and get explicit consent before making any marketing call, whether it’s sales or customer service.
If you don’t adhere to the GDPR’s rules on acquiring and using telephone numbers, you could be subject to a fine of up to €300,000.
The situation changes when dealing with traders.
Here, you only need presumed consent.
That’s to say, you can contact them without their explicit permission as long as they haven’t told you not to.
That’s because the GDPR presumes that traders want to receive marketing communications related to their line of work.
Even so, it’s always best practice to get explicit consent before making any marketing call.
This way, you won’t have to worry about running into any legal trouble.
Data Protection in the Age of GDPR
Under the GDPR, all businesses need to take data protection seriously.
That includes ensuring that personal data is collected and used lawfully, transparently, and with the individual’s consent.
It’s also important to keep data safe and secure, which means having adequate security measures to protect against unauthorized access, destruction, or use of data.
It includes both physical and digital security measures, such as:
- Access Control: Limiting access to data to only those who need it.
- Data Encryption: Encoding data so that only authorized individuals can read it.
- Regular Backups: Making copies of data in case of accidental deletion or destruction.
- Disaster Recovery: Having a plan in place to restore data in the event of a physical or digital disaster.
In addition to these security measures, businesses must ensure that data is accurate and up-to-date.
That includes regularly checking data for errors and omissions and updating it as necessary.
Finally, businesses need to have a process to respond to data breaches.
That includes identifying and fixing the cause of the breach, informing affected individuals, and taking steps to prevent future violations.