Although GDPR has been around for a while now, it is still a term that scares marketers and causes them to tread lightly in their marketing activities for fear of not complying. The rules are buried so deep under technical jargon that it can be difficult to really understand what you can and cannot do as a medical device marketer.
Luckily, we’re here to clear a few things up and leave you feeling more confident in running your marketing campaigns.
As a medical device marketer, you need to be aware of both sets of regulations, so once you’re finished here, you can visit our incredibly comprehensive EU MDR article and download it.
The term GDPR refers to the General Data Protection Regulation of 2018. It was put in place to give consumers greater transparency about the collection and use of their personal data.
Although the EU drafted it, it still applies to companies outside the EU collecting data from its citizens. For example, a US-based company would still have to comply with GDPR if collecting data in France or Italy.
Organisations and companies that fail to comply with GDPR leave themselves open to facing vast fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Not only that, but the damage it can do to a brand’s image can be irreparable as clients and customers lose trust in the company. So, it’s best to get it right!
The official legal text with all the regulations is lengthy and technical, and a lot of it isn’t relevant to you as a medical device marketer. Often, the language used is ambiguous, so it is really important to justify everything that you do.
As an organisation that collects personal data of any kind, you must be able to comply with at least one of the six legal bases for processing personal data. These are:
As a marketer, the safest option is probably always to gain informed consent; that way, you can know with certainty that you are collecting and processing the data legally.
First of all, it is good to clarify what is meant by personal data. It can include the following: names, email addresses, location data, and a person’s physiological, genetic, mental, economic, cultural, or social identity.
When it comes to online information that you might collect, it includes IP addresses, cookies, devices, and search engines used.
It is essential to know that although all this information could be made available to you, a critical point in the General Data Protection Regulation is that you should only collect the information you need. Storing any data poses a risk, and that risk grows with the more data you hold, so you should only hold the minimum amount that you need.
You probably use an analysis tool like Google Analytics or SEMrush to check how your website is performing. You might look at traffic statistics or bounce rates, but whatever data you’re looking at is collected via cookies.
Cookies are small text files that websites use to collect data on users. If you would like to learn more about what they are, check out our article “What are website cookies?”.
Although they’re helpful to marketers, cookies can store a lot of personal information, and you will need to make that explicitly clear to your website visitors. They will need to opt in to be tracked by cookies. You can do this through a cookie banner or pop-up box, where you ask users to accept or refuse cookies.
You should also allow users to personalise their cookie settings; for example, if they want to allow some cookies but not others, they should be able to update their settings to do that. If you’re not sure how to do this or if you are compliant, you can talk to a developer to work with you and update your website.
As well as including a cookie banner or pop-up, you should also ensure that your website has a cookie and privacy policy that clearly lays out what data your website collects and why.
This should be written in an easy-to-understand way to ensure that readers have full knowledge of what they’re agreeing to.
Typically, you will find cookie and privacy policies either linked in the cookie banner or pop-up or in the website’s footer. This allows users to read about the website’s policies in depth, but there doesn’t need to be a huge part of the website dedicated to it.
Writing cookie and privacy policies doesn’t have to be complicated; in fact, there are templates available online if you do not feel able to draft them yourself, such as this template builder from Termly. If using a template, you need to ensure that it is personalised to your website and isn’t giving out any false information. Of course, if in doubt, you should consult a lawyer to ensure that you are 100% compliant.
When GDPR was first released, marketers feared that it would be the end of email marketing, but that hasn’t been true at all. In fact, the new rules have meant that you will only end up marketing to people who have agreed to be marketed to and are therefore more likely to be an engaged audience, so more likely to convert.
This way, you won’t waste time on prospects who have no interest in what you are offering.
If you are looking to build up a mailing list to send out campaigns to, whether it’s monthly newsletters or webinar invites, there are a few rules to follow, which are centred around consent and greater control for the data subject.
The major rule around email marketing is that you have to gain consent to contact your mailing list. Consent has to be explicit, so you cannot simply tell people they are signing up to join a mailing list in small print at the bottom of the page.
The best way to ensure that people know what they are signing up for is to create a box that users have to tick to join the mailing list, and the copy should state precisely what they are signing up for in no uncertain terms.
By having users complete an action, i.e. ticking a box, you will ensure that you have informed consent and, therefore, a legal basis for storing their data. Again, you should only store the necessary data to carry out your marketing duties, which will probably be their name and email address. As well as being more secure, you don’t risk people dropping out of the sign-up questionnaire because they cannot be bothered to answer so many questions.
As well as giving consent, your mailing list must allow people to have control of their data. This means that not only must you be transparent about what data you store and for how long, you must also delete people’s data if they ask you to.
Email campaigns should make it easy for people to be removed from your mailing list by having an unsubscribe button. Campaign builders such as MailerLite and Mailchimp make it easy to include unsubscribe functions. You can choose to delete the user’s data immediately or keep it. When you do delete the data, it is your company’s responsibility to ensure that the data is destroyed appropriately and cannot be gathered for fraudulent purposes, as you will be held accountable.
GDPR states that you shouldn’t keep data for too long, so your company should have policies in place to ensure that data is reviewed frequently to either delete it or regain consent. The amount of time you store data is debatable as the language surrounding it is ambiguous, stating that you cannot keep data “any longer than you need it”. How long you need to store data probably depends on your purpose for acquiring the data in the first place.
As a medical device marketer, your purpose for storing personal data is probably because that person is a customer or they are a prospect/lead. As long as someone remains a customer, you’ll want to keep their personal data to contact them, but if they stop being a customer, how long will you keep their data before deleting it? Likewise, how long do you store lead data before accepting that they will not convert to becoming a customer? This is up to your company to decide, but it is very important to have clear guidelines on it so that you can justify how long you store the data for.
As you can see, navigating the world of GDPR is no easy task. Sometimes it can be complicated, and the risk of not getting it right can be monumental.
The main thing you can do is keep it simple, always be transparent, and get permission. As long as your users know what is happening with their data, you are doing the right thing.