A guide to get you GDPR compliant before the new data law comes into effect
On May 25 2018 the European Union’s new law governing the use of its citizens’ private data comes into effect.
The General Data Protection Regulation to give it its full name gives people living in the EU new powers to ask you what data you hold on them, what your doing with it, how long you are going to store it for, and the right to be forgotten or to have their data deleted from your records.
And when we say you, we mean you here in Australia. At least we mean you if people living in Europe visit your website, sign up to your newsletters and mailing lists, and if you or your suppliers, such as third-party merch vendors, collect personal info when you sell to people living into the EU.
We were surprised recently when we took a quick poll of a few local artist reps and businesses to find that pretty much most of you don’t think you are affected by the GDPR.
Europe (including the UK) has been a happy hunting ground for Aussie musicians as they take music out to the world and if that’s you then read on. Here’s TIO’s quick guide to help get you GDPR compliant, written for us by music marketer and digital strategist, Mark Muggeridge.
Mailing Lists and Email Marketing.
A mailing list remains one of, if not the most valuable data source that a music business can own. It allows you to reach out to your fans F-A-S-T without an algorithm getting in the way. With GDPR however you need to get your head around the idea of no more bundled consent. That is you can no longer sign people up to your mailing list and then use their data for other purposes, such as building Facebook or Google Advertising Audiences.
If you don’t already use a platform such as MailChimp or one of the many others available in the market for email marketing, now’s the time to jump on board. MailChimp, in particular, have done a great job of helping their users become GDPR compliant.
The key steps you need to take with your mailing list are as follows:
Make sure your sign-up forms are GDPR friendly by allowing fans to choose what kinds of marketing you can conduct using their data. Most of you won’t be sending physical mail, but you will need to offer checkbox options for newsletters and for them being targeted with online advertising for example. (Think Facebook Custom Audiences.)
Sub-sect your mailing list so that you only use the data of people who have consented to online advertising is key, but thankfully MailChimp makes this easy.
However, don’t worry about trying to offer separate sign-up forms for Europe and non-European Fans. Just use the one form and sub-sect your lists based on the options fans choose. Fans in other countries get the benefit of these new options and that’s a good thing as it shows you respect their privacy.
How do you deal with requests from fans who want to correct, remove, or know what data you are holding? Again any decent marketing platform will have you covered for this including DMPs and CRMs, fluency in which are becoming a must-have for music marketers.
Platforms like Salesforce and Adobe Marketing Cloud have tools built in and MailChimp too has introduced tools to assist with this but take note; removing a fan’s data means removing it, and this is different from a fan unsubscribing where data is still held on your marketing database!
Finally you’ll need to sign a Data Processing Agreement with any marketing platforms you use where data is collected. This is usually offered as an online form where you enter the username of your account with that service and most importantly an email address which directs email to whomever within your organisation is going to take responsibility for the security of data holding and handling.
What about Fans already on your lists?
It’s important to note that consent which was previously given by EU citizens no longer applies after the GDPR comes in. Again, chances are that you don’t know where fans on your list live, so read on and find out why you’ve been getting all those Privacy Policy Emails lately and why you need to prepare to send your own version.
Your Privacy Policy and Website Terms of Service.
You should already have a Privacy Policy available on your website. The Privacy Policy will cover the use of the data which you are collecting via mailing list sign-ups, but this will need to be updated to reflect the services you use to store data (such as your marketing platform).
You’ll now need to add a Cookie Statement. This needs to outline what cookies you are serving via your website and it also needs to offer basic guidance as to how fans can opt out of having these cookies placed on their system if they don’t want to be tracked. You serve cookies via services such as Google Analytics, and the remarketing pixels provided by Facebook, Google’s Adwords and Twitter.
The Cookie Statement is different from the Cookie Bar or Pop-up which you see on many sites (including yours in the future, hint, hint.) A Cookie Bar just collects an acknowledgment that fans are willing to accept cookies and gives them a link to your cookie statement so that they can get opt-out details if they need them.
As we mentioned above, once the GDPR comes in, you no longer have the previously given consent from EU citizens. Emailing your database and giving them the details of and a link to your updated Privacy Policy is the way to deal with this.
Also, bear in mind that if you were to change your policies in the future or add new ways of using the data you hold you would have to reach out to fans again updating them.
Collecting details such as the number of or duration of website visits via platforms such as Google Analytics is not affected by the new laws. However, if you process that data within the platform via segmentation or off the platform for analysis then it is affected and you’ll need to make changes to Google Analytics to tell GA how long to retain data. You’ll also have to outline the data retention in either your Privacy Policy, Cookie Statement or both.
Don’t be intimidated by this last section on website visits. Chances are you are only doing this is you are a larger organisation in which case your legal teams have probably alerted you already.
If you use any kind of marketing agency who processes your data, make sure they are compliant as well as the onus to ensure your supply chain is clean remains with you!
What we’ve covered here should get you well on the way to being a GDPR expert. For those of you who want to dive further here’s a couple of links to excellent resources to move you further along. GDPR does not have to be a headache but for Aussie artists and music businesses with global ambitions compliance is a must.
Please note: This article does not constitute legal advice. Whilst this guide will cover most artists, management companies and indie labels, if you conduct substantial amounts of business with EU citizens which includes data processing your situation might be more complex than for the average, so if in doubt, please speak to your legal advisor.
Resources:
A super-detailed guide to the GDPR by the UK Information Commissioners Office.
This article originally appeared on The Industry Observer, which is now part of The Music Network.