5 Takeaways from Preparing to Comply with the GDPR as a CDMO

Amber Riley | Industry

A few months ago, I had never heard of the General Data Protection Regulation (GDPR). Fast forward to May, and GDPR had become one of the prominent acronyms in my vocabulary. As a small, US-based company, we took some time to hear about an EU law. But once we did, we knew we needed to work on being compliant, for our clients, potential clients, and because protecting privacy is the right thing to do. Besides, with all the current discussions on privacy, the US is sure to follow suit in the near future. California is already beginning with a privacy law that will take effect in 2020. Now is the time to get ahead of the process.

First, what is GDPR? At a high level, the General Data Protection Regulation dictates having explicit consent to keep and use the personal information of European Union residents or employees of EU companies, while ensuring the privacy and security of that information. Hefty fines and/or lawsuits can be levied on organizations that are not in compliance.

As I scoped various tools and resources to find what Singota needed to do to be compliant, here are some lessons I learned:

1. Don’t spam your entire list of contacts for their “explicit consent”

This advice is probably too late for many organizations. For marketing purposes, you should already have consent to send emails. If you don’t have that explicit consent via a checkbox on your contact forms, or something similar, then you should at the very least know there is “legitimate interest” in what you are sending. This is considered a soft opt-in. Sending a mass opt-in email because that is what everyone was doing was a great way to be a small fish in the large school in the giant ocean for email. People got tired of seeing twenty “Hey! Click here to keep receiving our emails!” emails and eventually started deleting them before they opened them. If you waited, now is a great time to send an email to your cleaned-up list of contacts (see item 2), letting them know you care about their privacy (see item 3) and would like to continue to send them emails. You could also include additional information in the email that is of interest to them, so they can see the value in continuing to receive emails from you.

2. Clean up your lists

Old, outdated lists are not doing anyone a favor. There’s a good chance some of those contacts on your list are probably cold leads, no longer work for that company, etc. If you haven’t had contact in a while, reach out on a personal level. If you have sent them a few marketing emails and they haven’t clicked or even opened, they are not engaged and unfortunately not interested. Keep a list of those people that you know are simply not interested and do not send to them in the future. No sense in wasting your time trying to pursue them!

3. Update your privacy policy

When was the last time you reviewed your website privacy policy? The policy should be written in terms a visitor to your website can understand, therefore not full of legal jargon. Make sure your internal team reviews for information relevant to your groups in IT, HR, Marketing, Business Development, and all other functions that need to be involved. When you finally have a draft your team is happy with, talk to a lawyer. Have someone with a legal background review to make sure you are presenting information accurately and are complying with any applicable laws including GDPR. You can view Singota’s privacy policy here.

4. Ask industry friends for advice

Much of the great advice I received came from asking friends in the industry. What were they doing that we were not? Did they have any lessons learned that we could apply? Many of the people I talked to had been establishing a strategy for managing the GDPR regulations. Most of the work we do in the CMO space can easily cross over to the EU and other parts of the world. Sharing information about strategies that protect a business in general, without compromising confidential information, is always a big help!

5. Do research

One thing I learned from research online was that we should have a Data Protection Team. This was excellent advice because it helped keep all departments in the know and made the load of being compliant more manageable. After asking industry colleagues, I discovered some other tools that were helpful. For example, Indiana Health Industry Forum (IHIF) offered information on a webinar event hosted by Faegre Baker Daniels regarding GDPR compliance. This is where I received some helpful facts that were backed by lawyers versed in this subject. But beware: when you are doing research on a topic with so much buzz, it’s important to note the sources! There is almost too much information out there. It is best to go to the original source to verify the various suggestions picked up along the way. If you would like to view the official EU website for GDPR rules, visit: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Singota is in a highly regulated industry—the work we perform here is overseen by several governing bodies and our clients. The European Union’s GDPR rules seek to offer protection to their citizens and offer them more control over who can save data about them. While the GDPR scope may not fall on our inside operations, Singota is a company that values transparency and accountability.

About the Author
Amber Riley

Amber is the Associate Marketing Manager at Singota Solutions. Before joining the life sciences industry in 2014, Amber’s previous experience was brand management with a consumer packaged goods company. She received her Bachelor of Science degree in Marketing from Indiana University’s Kelley School of Business.