GDPR – May The Enforcement Be With You
GDPR - the millennium bug of this decade.
In May 2018, after four years of discussion, the new General Data Protection Regulation (GDPR) will be rolled out. It will replace the existing Directive and a lot of EU businesses will have to take action to not only ensure they are compliant, but subsequently avoid the consequence of GDPR fines.
It has been almost impossible to miss the media hysteria surrounding the roll-out. Some businesses have, however, turned a blind eye. But as we entered the New Year, the GDPR compliance deadline appeared on many more radars. It is now 2018, the year the law changes.
Although regulation already exists, on the 25th May 2018, the marketing world will be turned on its head when GDPR is enforced throughout the whole of Europe.
Many are taking the ostrich approach and simply burying their heads in the sand. Others are over-compensating and over-speculating in a blind panic:
Are we or are we not GDPR Certified?
Will an officer one day come knocking on our door?
But make sure you remain calm – this is not the end of the world! Just ensure you follow our GDPR compliance checklist. These simple steps will ensure you are ready for the enforcement.
It’s a mundane task, but make sure you know the requirements of the regulation. The new laws affect any form of personal information – so it’s essential you understand the true meaning of ‘personal data’. It includes:
• Email address
• Mobile phone number
• Bank details
• Credit card number
• Driver’s licence/passport number
• Genetic or biometric data
Gone are the days when you could pass on a colleague’s or client’s details as you please. Marketers must now clearly indicate how they intend to use an individual’s data, and permission has to be obtained at the point of data collection.
Now, every customer you acquire has the right to gain access to information on how their data will be used and/or stored. This must be easy to find, easy to access, free of charge and most importantly, easy to understand.
You can comply by ensuring that your data subject is made aware of how their data is being used. You must also ensure they have consented to that use via a clear and concise page or section on your site. Play fair and don’t deceive your customers - they’re keeping your business afloat after all.
The Right to Rectification
Many companies will hold incorrect or incomplete data in their storage systems. For example, there may be incorrect or incomplete form submissions, or mistakes may be made when the data is passed on to another department or processed into a different system.
Whatever personal data you store within your organisation, your data subject has the right to request that their data is corrected. You must also notify the subject when you pass this data to any third parties.
Make sure you have a dedicated employee (or employees) to process such requests as soon as possible - don’t put this on the back burner.
Data Protection Officers (DPOs)
Organisations should, sooner rather than later, evaluate whether they need to appoint a DPO under the GDPR legislation. This could be someone already within your organisation, or an external hire. The role of the DPO is to ensure the business and its data holdings are completely GDPR compliant, as well as ensuring the workforce is trained and educated on the legislation.
They will also act as that all-important first point-of-contact for data processing and external assessments.
The Right To Be Forgotten
The new GDPR allows data subjects to request that all of their information is erased at any point. However, this can often be a logistical nightmare because of the many ways data is now imported, used and stored. It is vital that your business uses an adequate marketing automation platform to enable full deletion. This platform should also provide evidence that the data has been erased.
The most effective way to ensure this is carried out is to hold all data in one central location – e.g. in a CRM solution. Exporting data from the chosen CRM and importing into a spreadsheet for an email send can however be messy. To avoid problems, marry up your CRM system with any other software which uses customer information. This integration will synchronise your data – making sure customer information is up-to-date across the whole organisation.
Be cautious: the request from the customer “to be forgotten” can come in the form of an email, a phone call or even an SMS. Are you monitoring all of these channels? These requests should not only be fulfilled, but treated with urgency. Many businesses have successfully set up automated responses to these requests, letting their customers know their request was received and will be dealt with accordingly.
Know Your Limits
Personal data is not allowed to be transferred to a country or territory outside the European Economic Area unless stated in the GDPR. If you are part of a global organisation, there are restrictions on what data can be transferred between countries.
Know your limits on where you can and can’t send data. The following countries have been approved for the sharing of data:
• Faroe Islands
• Isle of Man
• New Zealand
Make sure you regularly check this information, as the approved list may change.
Does a customer want to find a better deal elsewhere? Then you now must allow them to move, transfer or copy their data from one digital platform to another - conveniently and efficiently. This principle aims to give individuals stronger control over their personal data by allowing them to transfer their data over to other service providers.
Before the GDPR fully comes into play, ensure your platform has the technical capabilities to deal with these portability requests. You must then advertise this option - highlighting to your customers that, if required, they can exercise this right.
Again, to keep things simple, hold all your company’s data in one central source of storage – for example, in a Customer Relationship Management solution (CRM). This makes the syncing, exporting, importing and amendments of data more streamlined.
Customers have the explicit right to object to any direct marketing activity. You must allow your recipients to opt out via an automated system. The silver lining of this process is that it will leave you with a database of prospective and existing customers who are genuinely interested in receiving your emails and similar content.
In the case of direct marketing and similar outgoing communications, the individual’s right to object/opt out must be explicitly brought to their attention before, or as, the first communication is made. This information must be clearly shown and stated separately from the rest of the communication/content, usually at the bottom of the email or web page. In other words, no small print!
Once again, if your CRM is integrated with your marketing channels (i.e. website, email service), any opt-out requests will automatically change the customer’s status on all platforms - in real time. This means that your data is always up-to-date. If you do not have this process automated, ensure someone is assigned to the task of completing all opt-outs across all the relevant systems and platforms that your company uses.
To Automate or Not to Automate
Automated decisions are, simply, decisions made without any human involvement. For example, a website awards a customer a loan purely on the basis of algorithms and automatic credit searching.
Some instances can, however, appear automatic but do involve human interaction. For example, an employee is issued with a warning after being consistently late to work. Although the employer’s clocking-in system flagged the tardiness, it was the manager’s review of this data which led to the warning being issued.
What does the GDPR say about Automated Decisions?
Under the new legislation, an individual will have the following rights:
• The right to be told when such a decision has been made
• The right to see the reasons behind these decisions
• The right to request no automatic decisions are made using their personal information
• The right to have such a decision reconsidered
There are instances when automated decisions result in negative profiling. These safeguards are here to protect subjects from such an outcome. If you do have automated processes or decisions related to individuals, you must inform them of the reasons behind it, as per their rights above.
However, this right will not apply if:
• The automation is required for entering into a contract between your company and themselves
• The decision is made on the basis of explicit consent of the individual
• The automation is authorised by EU or UK law
Determine whether your company uses automated decisions and consider whether this is still necessary. You should then make the appropriate changes to these decisions and subsequently document the updated policies so your team can follow them.
And there you have it.
These considerations will ensure you are on the road to GDPR compliance. However, if there are any grey areas, or processes you are unsure about, we would advise you to contact an expert for further consideration. The threatened fines of GDPR are simply not worth the risk.
Staying ahead of the game doesn’t have to be stressful. If you require expert guidance, get in touch with Software Advisory Service on 020 3640 8094 today. We can provide expert advice alongside a shortlist of GDPR specialists in your industry and area.