GDPR for inbound marketers - A step-by-step guide

So, there was a lot of talk surrounding GDPR in 2018 and rightly so. It had the potential to have a big impact on marketers, in particular, those practising digital/inbound marketing techniques. By now, everybody should be compliant. 

So let’s just jump right in...

What is GDPR?

GDPR stands for General Data Protection Regulation and it was brought in by the EU to replace the UK Data Protection Act of 1998.

Why was it introduced?

GDPR was introduced for two key reasons. Firstly, to update the law, which was created before the boom of the internet and cloud services. Secondly, to give the EU single market an identical set of laws.

Who did it affect and when?

The law actually came into force on 24/05/2016, but businesses were given a two-year period to comply (until 25/05/2018). So if you’re not already compliant, here’s your wake-up call. 

It affected both businesses (controllers of data) and IT processors (such as software companies).

It applies to all parties, even those outside of the EU if they deal with EU residents’ data. 

How do we need to handle data under GDPR?

As a business (controller), you need to make sure data is used for a specific purpose and handled lawfully and transparently. Once the specific purpose is completed and the data is no longer needed, it’s a requirement that it’s deleted, demolished or destroyed. Take your pick. 

“Lawful” is the keyword here and it has a range of alternative meanings - the important ones for marketers are below. You must ensure one of these applies:

  • The person has given their consent for the data to be processed.
  • The processing is needed to comply with a contract or legal obligation.

How do marketers gain consent?

As marketers, the consent issue was the big change here. You need to make sure you have a process in place to ensure potential leads are giving an active and affirmative confirmation.

Inbound marketing is based on obtaining and analysing information which is why it’s so important to have these approval steps in place. 

Did that mean the success of this popular methodology was over? 

With inbound marketing, the potential customers are actively seeking you out and asking for more information. This is in contrast to outbound, where you collect personal information and contact people who aren’t yet aware of you or your offering.

So, it’s up to the individual visitors to leave their information and tell us exactly what they want from further communication.

This means you have to create valuable content so that they're willing to leave the information you need.

This requirement for active consent means passive acceptance, such as asking people to opt out after a pre-ticked box, is no longer allowed.

We can all relate to being called by someone we don’t remember contacting, or receiving a newsletter we know we haven’t signed up for. We’re always a little sceptical when we have to leave our email address.

It’s better for everybody if you’re open and transparent about how you’ll process the information that’s left behind. Not to mention it’s now required by law.

We also need to keep a record of how they gave consent and allow them to withdraw that consent at any point. It’s no longer feasible to just link to a long and complicated privacy policy.

Which data is included?

Data which was covered by the Data Protection Act is included. Also, the EU has further increased the scope. One noticeable change for inbound marketers is that IP addresses and online identifiers have been added.

So these common marketing fields/data are incorporated:

  • Name.
  • Address.
  • Phone number.
  • Email address.
  • Job title and place of work.
  • IP address.
  • Cookies.

It’s also worth noting that this applies to both B2B and B2C data.

What are the penalties?

If you fail to follow the basic principles, such as gaining consent, you could be fined up to €20m or 4% of global turnover, whichever is greater.

You’ll also be penalised if you fail to report any data breaches within 72 hours. Previously, companies have kept schtum and hoped nobody would find out. The purpose of GDPR is to eradicate this lack of transparency across business practices.

But I’m from the UK and we are leaving the EU - does this still apply?

Whilst we’re a member of the EU (until Brexit makes its mind up), we are bound by GDPR.

It’s also believed the UK will adopt the same legislation when/if the UK leaves the EU, so companies using data from the EU can continue to do so legally.

Impact on inbound marketing

If you’re practising inbound marketing already, the good news is you’re on the right side of this policy change. If you’re not, what are you doing? Those who practise outbound needed to seriously review their data acquisition strategy once GDPR came into effect. 

With inbound marketing, all you needed to do was review a few tactics.

To make sure you’re absolutely 100% compliant, these are some of the areas you need to double-check: 

  • Landing pages/forms need to ask for consent when marketing to people in an opt-in fashion (not a pre-ticked checkbox) and include a link to your policy on:
    • Why you're asking for the data.
    • How you will use it.
    • Clear opt-in and opt-out rules.
  • Adopt the double opt-in approach: after the contact has filled in the form, they should get an email asking them to confirm their email address and opt in. This approach is also a pretty good way of keeping your database clean.
  • Make sure you only use the data in a specific way, e.g. if someone downloads an eBook on X subject, they’re only giving consent to receive information about X subject.
  • Document a process so that if individuals request to understand their data, you can provide it (how you handle it, who has access to it and how they gave consent). You need to provide this information within 30 days of the request. It may be useful to have software which can help with the process and data requests. We use HubSpot which is perfect because:
    • HubSpot has its full journey documented automatically.
    • It’s easy to provide customers with their contact record and data.
    • You can securely delete the data at the touch of a button.
  • Audit your current database to try and establish consent. This audit may be a good time to do a cleanse and be honest about why data was captured.
  • Cookie and IP opt-in have been around since the EU Cookie Law, but now might be a good time to implement consent for cookie and IP tracking.
  • If you have over 250 employees or your core business processes data, you'll need to look into hiring a Data Protection Officer if you haven’t already.
  • I'd advise rereading the official documentation and asking others in your team, IT teams and management to do the same.

Looking for a system which can handle your GDPR compliance needs and make it easy? The HubSpot Marketing Platform and the HubSpot CMS are perfect. That’s where our guide to setting up HubSpot can help.

Get your all-in-one guide to setting up HubSpot to comply like a professional

I know, trying to set up HubSpot accurately and maintain it can be a little overwhelming. There are landing pages, website integrations, building forms and lots of other stuff to think of and understand.

That’s where our brand-new guide comes in.

If you want to take your HubSpot knowledge to the next level, download your copy of the guide using the link below.