The Litmus Preference Center makes it easy to choose communications and opt out

4. Revamp Your Referral Program

This is a common question we’ve been hearing lately:

Is GDPR going to kill my referral program?

Many fear that referral programs could be on their way out because there’s no way to get upfront consent from the people being referred.

Fortunately, it is possible to run a referral program in a compliant way, but it may require changes to how you handle referral data.

Will Gregorian, Chief Information and Security Officer at Iterable, explains,

“Under GDPR, technically, the referral notification is not considered a promotional message. Meaning, if someone were to refer me to a product using a referral program, I would be notified and required to confirm the opt-in, which is mechanically considered to be GDPR compliant.”

Historically, one of the biggest problems with refer-a-friend programs has been that companies abuse them by creating a profile for the friend, storing their personal information, and sending marketing emails without approval. For obvious reasons, this is not GDPR compliant.

To stay compliant, send only one referral message to the friend, on the referrer’s behalf, and do so without storing any of the friend’s personal data unless they have clearly consented to join the referral program. Do not create a profile for the friend or send them marketing messages. In the referral notification, tell them that you will not store their data or market to them unless they choose to opt in.
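One way to build that flow so the friend’s address never lands in your database before they consent: put it in a signed, time-limited token inside the opt-in link, and only create a profile when the token comes back verified. The code below is an added example, not code from the original post or from Iterable or Litmus; the signing key, the profile and outbox stand-ins, the `example.com` confirmation URL and the addresses are all constructed for the demonstration.

```python
"""Single referral notification that stores nothing about the friend.

Added example (not from the original post). Assumes a hypothetical referral
service in which the only record that exists before the friend opts in is
the referrer's own profile. The friend's e-mail travels inside an
HMAC-signed, expiring token in the opt-in link and is written to the
profile store only when that token verifies.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SIGNING_KEY = b"example-signing-key-rotate-me"  # constructed; load from a secret store in practice
TOKEN_TTL_SECONDS = 7 * 24 * 3600               # opt-in links expire after a week

# In-memory stand-ins for the profile database and the outgoing mail queue.
profiles: Dict[str, dict] = {
    "referrer-42": {"email": "ann@example.com", "marketing_opt_in": True},
}
outbox: List[dict] = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_opt_in_token(friend_email: str, referrer_id: str, now: Optional[float] = None) -> str:
    """Sign (email, referrer, expiry) so the server does not have to remember it."""
    issued = time.time() if now is None else now
    payload = json.dumps(
        {"e": friend_email, "r": referrer_id, "x": int(issued + TOKEN_TTL_SECONDS)},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_opt_in_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and unexpired, otherwise None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return None  # tampered or forged
        data = json.loads(payload)
    except ValueError:  # malformed base64/JSON or missing separator
        return None
    checked = time.time() if now is None else now
    if data["x"] < checked:
        return None  # expired link: the friend must be referred again
    return data


def send_referral(referrer_id: str, friend_email: str) -> str:
    """Queue the one referral message. Nothing about the friend is persisted."""
    referrer = profiles[referrer_id]
    token = make_opt_in_token(friend_email, referrer_id)
    outbox.append({
        "to": friend_email,
        "subject": f"{referrer['email']} thinks you would like our product",
        "body": (
            "We have not stored your details and will not contact you again "
            f"unless you opt in: https://example.com/referral/confirm?t={token}"
        ),
    })
    return token


def confirm_opt_in(token: str) -> bool:
    """Create the friend's profile only once they follow the signed link."""
    data = verify_opt_in_token(token)
    if data is None:
        return False
    profiles[data["e"]] = {
        "email": data["e"],
        "marketing_opt_in": True,
        "referred_by": data["r"],
    }
    return True
```

The token is signed, not encrypted, so the address is readable to anyone who sees the link; keep the confirmation URL out of request logs and analytics, and treat the signing key like any other credential (separate from the application database, rotated, and never committed).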

Why Activation and Retention Will Be Even More Important Under GDPR

One of the most talked about changes coming into force with GDPR is people’s “right to erasure.” Also called the “right to be forgotten,” this privacy requirement allows people to ask companies to erase all personal data they’ve collected on them “without undue delay,” and the companies have to be ready to comply, subject only to the exceptions listed in Article 17(3) (for example, data that must be kept to meet a legal obligation). (Read more in Article 17 of the GDPR.)

When asked about the implications of this part of the new data protection law, Andrew Michael of Hotjar contends,

“Resurrection is one of the areas most impacted by the GDPR. Currently, a lot of companies ask churning customers why they’re leaving - maybe they have a budget issue, or a project has finished. Then, based on their answers, the company will test resurrection strategies to win them back a few months later.

Now, with GDPR, if someone cancels their account, you don't have a legitimate business reason to store any of their information, which makes pretty much every reactivation initiative obsolete. This even applies to retargeting churned customers with ads.”

As growth practitioners, what are we supposed to do when an entire growth strategy is wiped out?

In this case, we need to turn back to activation and retention. They’ve always been the foundation for growth, but the “right to be forgotten” makes nailing both all the more critical. This means figuring out how to get users to actually create ingrained habits with our products during onboarding. It also means building churn prediction models and running re-engagement tests at the right time to intercept users before they quit our products for good.

Why? Because once a user churns, it becomes much harder, if not impossible, to hold on to their data and re-engage them later under GDPR.

Next Steps for Growth Practitioners

At the end of my discussion with both Michael and Gregorian I asked them each the same question:

What advice do you have for growth practitioners on next steps for GDPR compliance?

Combining insights from both, I’ve distilled the learnings into 3 key next steps:

1. De-silo your growth and legal teams so they can work together to:
   - Define your company’s tolerance for risk when it comes to GDPR
   - Mitigate risk while still supporting growth initiatives
   - Create team-wide policies for GDPR governance and compliance
   - Guide the team in policy implementation

2. Conduct an audit of each tool to decide:
   - Which data is necessary to collect and which is not
   - Whether you will rely on consent or legitimate interests to justify data collection, storage, and processing activities
   - How you will collect, process and store different types of data in a compliant way

3. Create processes for educating your team on GDPR compliance to:
   - Help them understand the risks of non-compliance
   - Prevent them from inadvertently running non-compliant growth experiments
   - Empower them to execute growth strategies and tests in a GDPR compliant way

We’ve put together a few resources below to help you navigate the process - a glossary of the key terms relevant for growth and a reading list of articles to learn more about the new data protection rules.

Since there’s so little known yet about how the Supervisory Authorities will enforce GDPR, there’s no formula out there for becoming GDPR compliant. This post has probably brought up a lot of questions, but I hope that it has prompted you to ask more informed questions as you work closely with your legal and compliance teams to update how you approach data privacy and data security for your users.

Good luck on your GDPR journey!

Resources

Glossary of GDPR Terms Growth People Need to Know

Below are the definitions and principles of GDPR that are most important for growth and marketing - any emphasis is mine. The complete list of definitions is in Article 4 of the GDPR.

Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Online Identifier (as explained in Recital 30)

Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Data processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Consent

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Legitimate interests (as referenced in Article 6(1)(f))

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Profiling

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
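The “additional information kept separately” clause is the part practitioners get wrong: an unkeyed hash of an e-mail address is not pseudonymisation in this sense, because anyone holding the dataset can hash guesses until one matches. The example below, added here and not text from the GDPR or the original post, contrasts that with a keyed hash whose key lives in a separately controlled component, and it also shows how the key holder serves an erasure request (the “right to be forgotten” discussed above) by recomputing the pseudonym instead of keeping a reverse lookup table. The `KeyVault` class, the key and the event rows are all constructed for the demonstration.

```python
"""Keyed pseudonymisation with the key held apart from the dataset.

Added example (not from the GDPR text or the original post). `KeyVault` is a
stand-in for a separately controlled component (an HSM, a secrets service)
that holds the key; the analytics store only ever sees pseudonyms.
"""
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed analytics rows keyed by e-mail address (a direct identifier).
RAW_EVENTS = [
    {"email": "ann@example.com", "event": "signup"},
    {"email": "bob@example.com", "event": "upgrade"},
    {"email": "ann@example.com", "event": "login"},
]


def _normalise(identifier: str) -> bytes:
    """Canonicalise so 'Ann@Example.com ' and 'ann@example.com' map to one pseudonym."""
    return identifier.strip().lower().encode()


class KeyVault:
    """Holds the 'additional information' (the key) under separate control."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def pseudonym(self, identifier: str) -> str:
        return hmac.new(self._key, _normalise(identifier), hashlib.sha256).hexdigest()


def naive_pseudonymise(identifier: str) -> str:
    """Unkeyed hash: deterministic, but reversible by hashing guesses."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise_events(events: List[dict], vault: KeyVault) -> List[dict]:
    """Replace the e-mail with a keyed pseudonym; the output carries no key material."""
    return [{"subject": vault.pseudonym(e["email"]), "event": e["event"]} for e in events]


def dictionary_attack(target: str, candidates: List[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """What someone holding only the dataset can do: hash guesses until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def reidentify(pseudonym: str, known_subjects: List[str], vault: KeyVault) -> Optional[str]:
    """Lawful re-identification by the key holder, e.g. to answer an access request."""
    return dictionary_attack(pseudonym, known_subjects, vault.pseudonym)


def erase_subject(rows: List[dict], identifier: str, vault: KeyVault) -> List[dict]:
    """Serve an erasure request: recompute the subject's pseudonym and drop its rows."""
    target = vault.pseudonym(identifier)
    return [row for row in rows if row["subject"] != target]
```

With the key kept out of the analytics environment, a leak of the pseudonymised rows alone does not identify anyone, which is the property the definition is describing; the same key then lets the controller locate and delete a subject’s rows without ever storing a mapping from pseudonym back to person.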

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). Unless the breach is unlikely to result in a risk to people’s rights and freedoms, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33).

Data Protection Officer (DPO) (as referenced in Article 37)

A data controller or processor must designate a data protection officer in any case where their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

GDPR Reading List:

The Basics:

GDPR and Marketing:

Consent and Legitimate Interests:

Tracking and Analytics:

The Right to Be Forgotten: