
Marketing Best Practices – Kokoro Looks at GDPR
Here’s a look at some of the key GDPR (General Data Protection Regulation) topics for our industry. To my way of thinking, things pretty much fit into three main categories:
- Refreshing Consents
- Internal Procedures and Documentation
- External Documentation (including Privacy policy)
Read on for details…
1. Consent
Review and document how you get, record, and manage consent. For your marketing, consider these two areas:
- Documenting consent for existing contacts
- Documenting consent for new contacts
Trade Shows
Prior to exhibiting at a trade show you’ll want to verify that the trade show gets explicit consent from attendees when they register for the show. If they do not, you would want to get explicit consent from prospects who give you their contact info at your booth – you may want to do that in any case.
Existing Lists
Most of us have existing lists and databases of prospects and customers. The way we read the GDPR standard is that the company needs to have a record of how and when the person gave consent to be entered into the database and when they agreed to receive marketing emails. If your current consents don’t comply with the GDPR standard then you would need to refresh existing consents and document accordingly. You may need to contact people by email or phone and document that they want to receive marketing emails from you. There is also documentation that talks about how legitimate interests can be considered a lawful basis for processing data and if you think that may apply to you, read more about that here.
Opt-in / Sign-up Forms
When someone signs up for a white paper, for example, the form should have a country field and a checkbox for the person to tick to indicate if they want to receive marketing emails from you. All existing forms should be updated with a country field and an opt-in tick box. Consent must be explicit; it can’t be implied.
Opt-out
As ever, there needs to be a way for people to opt out of marketing emails.
Here is how Consent is defined by the ICO (Information Commissioner’s Office)
2. Privacy Policy
Update your privacy policy if needed. It should be clear and easy to understand, explaining what data you collect and what you do with it. It should include your lawful basis for processing data. (E.g. they purchased a product from you, they asked you for marketing info by email.) See good and bad privacy policy examples from ICO here.
3. Person at Your Company in Charge of Data
Name a data lead or data officer for your company. This can be a person who works at your company or it could be an outside firm or attorney. Your data lead or data officer needs to know how data flows at your company and should have that documented, too. Check with your attorney if you have questions about GDPR compliance for your company.
4. What Else Should I Know?
Check out the links below for GDPR details; there’s a lot of info. GDPR pertains to all data collection, retention, and use for all areas of your company, not just the top marketing topics we covered here. You need to comply with GDPR if you have customers, prospects, or offices in the EU. Ask your attorney if you have questions about your GDPR compliance.

Resources:
GDPR Webinar from Kokoro Marketing and NAB Show
ICO’s Guide to the General Data Protection Regulation (GDPR)
ICO’s Preparing for the GDPR: 12 Steps (includes the above infographic and more)
Consent – ICO’s Detailed Definition and Checklist
And specific to Infusionsoft users, here are a few more thoughts…
About refreshing consents
• At the most basic, you could simply send the Infusionsoft double opt-in (email confirmation) email to everyone. The system won’t send it if the person has already opted-in. The email text can be customized a little bit.

• Another way would be to analyze the data and note: 0) contacts who have already double opted-in/clicked through an email confirmation, 1) contacts in the EU, 2) contacts not in the EU, and 3) contacts where we don’t know their country. In the case of 1 and possibly 3, you could create a campaign with a series of emails asking them to opt in, either using the Infusionsoft double opt-in email or using your own email with tags and custom fields.
As a company, you’ll need to decide how to proceed with contacts who don’t confirm their opt-in. You will also need to deal with data from customers who have purchased from you and document that, too.
• And we’re waiting to hear from Infusionsoft what they will roll out for GDPR. They indicated they will have some type of compliance dashboard or window to help us deal with all of this. I asked them again the other day for an update. We’ll update this post when new info is available.
Here are links to Infusionsoft’s new GDPR DPA (data protection agreement) details: