Although GDPR has been around for a while now, it is still a term that scares marketers and causes them to tread lightly in their marketing activities for fear of not complying. The rules are buried so deep under technical jargon that it can be difficult to really understand what you can and cannot do as a medical device marketer. Luckily, we're here to clear a few things up and leave you feeling more confident running your marketing campaigns.
GDPR is not the same thing as the EU MDR (the Medical Device Regulation, which has applied in full since May 2021). As a medical device marketer, you need to be aware of both sets of regulations, so once you're finished here, you can visit our incredibly comprehensive EU MDR article and download.
What is GDPR?
The term GDPR refers to the General Data Protection Regulation, an EU regulation adopted in 2016 that has applied since 25 May 2018. It was put in place to give individuals greater transparency about, and control over, the collection and use of their personal data.
Although the EU drafted it, it also applies to companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU (residents, not only citizens). For example, a US-based company would still have to comply with GDPR if collecting data from website visitors in France or Italy. The UK kept an almost identical version, the UK GDPR, after leaving the EU, which is why the ICO guidance referred to below still applies.
Organisations and companies that fail to comply with GDPR leave themselves open to facing vast fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Not only that, but the damage it can do to a brand's image can be irreparable as clients and customers lose trust in the company. So, it's best to get it right!
How to comply with GDPR
The official legal text with all of the regulations in it is lengthy and technical, and a lot of it isn't relevant to you as a medical device marketer. Often, the language used is open to interpretation, so it is really important to be able to justify, and document, everything that you do; the GDPR calls this the accountability principle.
As an organisation that collects personal data of any kind, you must be able to rely on at least one of the six lawful bases for processing set out in Article 6 of the GDPR. These are:
Consent – The person agrees, freely and without being misled, by a clear affirmative action (ticking an unticked box counts; a pre-ticked box or silence does not), and can withdraw that consent as easily as they gave it.
Performance of a contract – The processing is necessary to perform a contract with the person, or to take steps at their request before entering into one.
Legitimate interest – The most open-ended basis. The processing is necessary for your (or a third party's) legitimate interests, and those interests are not overridden by the person's rights and reasonable expectations. You have to carry out and document that balancing test. You can find out more about legitimate interest from the ICO.
Vital interest – Processing needed to protect someone's life, for example using health data in an emergency.
Legal obligation – A law requires you to collect and process the data; for example, employers must hold specific data on their employees.
Public task – Processing needed for a task in the public interest or in the exercise of official authority; in practice this is used by public bodies and government.
As a marketer, the safest option is usually to gain informed consent; that way, you know with certainty that you are collecting and processing the data lawfully. Two caveats: if consent is refused or withdrawn you should not switch to another basis for the same processing afterwards, and health data is "special category" data under Article 9, so if your campaigns touch patients' health information you need an additional condition on top of the Article 6 basis, which for marketing in practice means explicit consent.
What counts as personal data?
First of all, it is worth clarifying what is meant by personal data: any information relating to an identified or identifiable person. That covers the obvious identifiers (names, email addresses, location data) and also factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity. Online, it includes IP addresses, cookie identifiers and device identifiers, and, once linked to those, details such as the browser or device a visitor used. Note that health and genetic data are "special category" data under Article 9 and need an additional condition before you can process them, which matters when your audience includes patients as well as clinicians.
It is essential to know that although all of this information could be made available to you, a core principle of the General Data Protection Regulation (data minimisation) is that you should only collect the information you need. Every piece of stored data is something that can be leaked, misused or requested, and that exposure grows with the amount you hold, so keep to the minimum required for your stated purpose.
Website data collection
You probably use an analytics tool like Google Analytics, or the traffic reports in an SEO suite like SEMrush, to check how your website is performing. Whether you are looking at traffic statistics or bounce rate, the on-site data behind those reports is gathered by setting cookies (and similar identifiers) in the visitor's browser.
Cookies are small pieces of data that a website stores in the browser and that the browser sends back on later visits, which is what lets a site recognise a returning visitor and tie their page views together. If you would like to learn more about what they are, check out our article "What are website cookies?".
Strictly speaking, the consent rule for cookies comes from the ePrivacy Directive (PECR in the UK), but the consent it requires has to meet the GDPR standard. In practice that means: set no analytics or marketing cookies until the visitor has actively agreed; let visitors choose by category, for example allowing analytics but not advertising cookies; make "reject" as easy as "accept"; record the choice and ask again when your cookie policy changes; and treat only strictly necessary cookies (session, security, the consent preference itself) as exempt. If you're not sure how to do this or whether you are compliant, talk to a developer to work with you and update your website.
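As an added example (not code from the original article or from Podymos), here is how a site can gate its analytics and marketing scripts on a granular, versioned consent choice, so that nothing non-essential runs until the visitor has decided. The tag inventory, the storage key, the policy version number and the six-month re-consent period are assumptions for illustration; the Google measurement ID is a placeholder and the ad-pixel URL is a made-up address.

```javascript
// Added example: consent-gated tag loading. Nothing non-essential is loaded or
// set until the visitor has made a choice; the choice is versioned and expires.
const CONSENT_VERSION = 2;                            // assumption: bump when the cookie policy changes
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000; // assumption: ask again after roughly six months

// Hypothetical tag inventory. The gtag URL format is Google's, but the measurement ID
// is a placeholder; the pixel URL is a made-up address, not a real tracker.
const TAGS = [
  { id: "ga4",   category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX" },
  { id: "pixel", category: "marketing", src: "https://ads.example.invalid/pixel.js" },
];

// Interpret the stored consent record. Anything missing, malformed, stale, or written
// under an older policy version means "not decided": every non-essential category is off.
function parseConsent(raw, now = Date.now()) {
  const undecided = { decided: false, analytics: false, marketing: false };
  if (typeof raw !== "string" || raw === "") return undecided;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return undecided; }
  if (!rec || rec.version !== CONSENT_VERSION) return undecided;
  if (typeof rec.ts !== "number" || rec.ts > now || now - rec.ts > CONSENT_MAX_AGE_MS) return undecided;
  return { decided: true, analytics: rec.analytics === true, marketing: rec.marketing === true };
}

// Serialise the visitor's choice. Categories default to off; only an explicit `true` opts in,
// so "Reject all" and "Accept all" are both a recorded decision.
function buildConsent(choices, now = Date.now()) {
  return JSON.stringify({
    version: CONSENT_VERSION,
    ts: now,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  });
}

// Which tags may load under this consent state. A "necessary" category would always pass;
// this inventory has none, so with no decision nothing loads at all.
function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => t.category === "necessary" || consent[t.category] === true);
}

// Inject only the permitted scripts. `doc` is passed in so the logic can be exercised
// without a browser; in a page you pass `document`. Returns the ids that were loaded.
function applyConsent(doc, consent, tags = TAGS) {
  const loaded = [];
  for (const tag of allowedTags(consent, tags)) {
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(tag.id);
  }
  return loaded;
}

// Browser wiring (skipped under Node): read the stored choice and apply it on load.
// The preference itself is first-party storage and is one of the strictly necessary items.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const consent = parseConsent(window.localStorage.getItem("cookie-consent")); // assumption: key name
  if (consent.decided) {
    applyConsent(document, consent);
  }
  // Otherwise show the banner; on submit store buildConsent({ analytics, marketing })
  // under the same key and then call applyConsent(document, parseConsent(...)).
}
```

The preference could equally live in a first-party cookie; either way it needs no consent of its own. For Google Analytics specifically, Google's Consent Mode is the vendor-supported way to express the same choice to the tag, but the gate shown here is what stops any third-party script, whoever supplies it, from running before a decision.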
Data and privacy policies
Typically, you will find cookie and privacy policies linked either in the cookie banner or pop-up or in the website's footer. This lets users read the policies in depth without a large part of the website being dedicated to them.
Writing cookie and privacy policies doesn't have to be complicated; in fact, there are templates available online if you do not feel able to draft them yourself, such as this template builder from Termly. If using a template, you need to ensure that it is personalised to your website and accurately describes what you actually do: which cookies you set, which analytics and email providers receive the data, and how long you keep it. Of course, if in doubt, you should consult a lawyer to ensure that you are fully compliant.
Email marketing data collection
When the GDPR was first released, marketers feared that it would be the end of email marketing, but that hasn't been true at all. In fact, the new rules have meant that you will only end up marketing to people who have agreed to be marketed to and are therefore more likely to be an engaged audience, so more likely to convert. This way, you won't waste time on prospects who have no interest in what you are offering.
If you are looking to build up a mailing list to send out campaigns to, whether it's monthly newsletters or webinar invites, there are a few rules to follow, which are centred around consent and greater control for the data subject.
The major rule around email marketing is that you have to gain consent before contacting your mailing list. Consent has to be specific and unambiguous, so you cannot bury a line about joining the mailing list in small print at the bottom of the page, and a pre-ticked box does not count.
The best way to ensure that people know what they are signing up for is an unticked box that users must tick to join the mailing list, with copy that states precisely what they are signing up for (what you will send and how often) in no uncertain terms.
By having users complete an action, i.e. ticking a box, you ensure that you have informed consent and, therefore, a lawful basis for storing their data. You also have to be able to demonstrate that consent later, so record when it was given, from which form, and the wording shown at the time. Again, store only the data necessary to carry out your marketing, which will probably be a name and email address. As well as being more secure, you don't risk people abandoning the sign-up form because they cannot be bothered to answer so many questions.
As well as obtaining consent for your mailing list, you must give people control over their data. That means being transparent about what data you store and for how long, and deleting people's data when they ask you to.
Email campaigns should make it easy for people to be removed from your mailing list by having an unsubscribe link in every message. Campaign builders such as MailerLite and Mailchimp include unsubscribe functions by default. Once someone unsubscribes you can no longer email them for marketing; whether you keep the rest of their record depends on whether you have another reason to hold it (for example, they are still a customer), and a request for erasure must be honoured unless a legal exemption applies, including with the email provider and any CRM that holds a copy. When you do delete data, it is your company's responsibility to ensure that it is destroyed properly and cannot be recovered for fraudulent purposes, as you will be held accountable.
Regularly review data
The GDPR's storage limitation principle says you shouldn't keep personal data for longer than you need it, so your company should have policies in place to ensure that data is reviewed regularly and either deleted or re-consented. The regulation gives no fixed period; it says data may be kept no longer than is necessary for the purposes it was collected for, so how long you keep it depends on why you acquired it in the first place.
As a medical device marketer, your purpose for storing personal data is probably that the person is a customer or a prospect/lead. As long as someone remains a customer, you'll want to keep their personal data to contact them, but if they stop being a customer, how long will you keep their data before deleting it? Likewise, how long do you store a lead's data before accepting that they will not convert into a customer? This is up to your company to decide, but it is very important to write the periods down, so that you can justify how long you store the data for and apply the same rule every time.
Our top tips for staying on top of GDPR
Develop a set of policies to cover how you are going to stay on top of adhering to the regulations. This should include how much data it is necessary to store and how frequently you are going to review data.
Having a customer relationship management system (CRM) will help you to keep track of your customers and the data you have stored on them, making it much easier to control.
Use social media with care. Information on social media is publicly available, but it is still personal data, so if you want to reach out to prospects individually you still need a lawful basis (usually legitimate interest, with the balancing test documented), must respect the platform's terms on scraping and messaging, and must stop if the person objects.
Keep it simple and transparent!
As you can see, navigating the world of GDPR is no easy task. Sometimes it can be complicated, and the risk of not getting it right can be monumental. The main thing you can do is keep it simple, always be transparent and get permission. As long as your users know what is happening with their data, have agreed to it, and can change their mind, you are on solid ground.
About Podymos
Podymos is a dedicated medical device marketing agency. We are passionate about sharing relevant knowledge to expand our clients' capabilities. If you would like to find out more about what we do, you can visit our services page, or get in contact with us.