What is the GDPR?
The GDPR, or General Data Protection Regulation, becomes enforceable in May 2018. Failure to comply will not only damage business reputation but also carry the risk of a fine of up to 20 million euro. Needless to say, the change will not be easy, but every business has to begin somewhere. So what exactly is it?
Simply put, the GDPR is a regulation that strengthens the rules on how personal and private data may be used and tightens the consequences of its misuse.
From a business perspective, therefore, it is necessary to take precautionary steps. This is especially true for businesses in the habit of purchasing email lists and other marketing data.
So let us have a quick look at how businesses can start preparing for the changes GDPR will bring.
“By failing to prepare, you are preparing to fail.” – Benjamin Franklin
When you speak with professional marathon runners, or even their coaches, they will tell you how the mind and body need to be prepared for the run. There are also several apps available that will guide and monitor your performance through a detailed 10 to 16 week plan. Whether it is a marathon or GDPR compliance, your business will need to prepare for it. It requires a systematic approach, processes in place and a defined timeline for completion.
In this article, we will discuss some of the key considerations on preparing for GDPR.
1. The GDPR checklist
Gartner predicts that almost 50% of businesses will not be fully GDPR compliant by May 2018. If you don’t want your business to be one of them, start by having a checklist ready for the implementation of GDPR. The checklist can contain every detail, however small, that is necessary for implementation and smooth operation afterwards.
For instance, the checklist may include appointing a Data Protection Officer (DPO), who will be responsible for implementing data-privacy rules and must have a thorough understanding of data protection law. Another item can be the appointment of teams or personnel to spread awareness and deliver training on a general overview of the EU GDPR.
2. Level of Company GDPR readiness
Though the GDPR has been put forward by the European Parliament to protect the privacy of EU citizens, it has a global mandate and its implications will be felt by businesses outside the UK and Europe as well. So even before starting to make your business GDPR ready, it is necessary to assess what stage your business is currently at.
For instance, you can start by identifying the areas or divisions that will be directly affected by GDPR rules. You may also map the organization’s current business practices and evaluate which of them are likely to be affected by GDPR norms and will require change, in line with the organization’s needs and best practices. As an example, if data collected in the UK needs to be sent overseas for promotional and marketing purposes, this must be communicated to the customer so that consent can be obtained as the GDPR requires.
At this point you may partner with an agency and create a GDPR readiness quiz to evaluate where your business stands.
Research has found that although most organizations are aware of GDPR, few have a clearly defined procedure for obtaining consent when collecting personal data, or use technology that updates data when consent changes. Insights into these aspects will help your business know exactly where it stands and where it should begin.
3. Reviewing Inventory
Before working towards GDPR compliance, it is advisable to review your existing marketing data.
The focus of the GDPR is to safeguard personal data, and the definition of personal data under the GDPR is broad: it includes anything that can be used to identify an individual. Under GDPR rules, therefore, consent is required for its use. There should be controls for recording the nature of the consent given, and the individual must be able to withdraw that consent.
Businesses not yet following these procedures (for instance, offering a mandatory opt-in in emails) will have to start incorporating GDPR rules and collating their data accordingly.
Businesses also need to look at existing privacy policies, terms and conditions of use, cookie policies and so on, to keep them in line with GDPR requirements.
The inventory should also cover a review of the technology used to maintain data privacy.
4. Comprehending and updating breach detection
GDPR is all about safeguarding individuals’ data and avoiding its misuse. For personal data, the GDPR sets a defined timeline for reporting breaches.
Organizations are required to have a data breach notification procedure in place so that customers and authorities are informed of a breach within 72 hours (a penalty of 10 million euro or 2% of annual worldwide revenue has been set for failing to do so). In the UK, the authority is the Information Commissioner’s Office.
5. Privacy by Design
The GDPR rules make it mandatory for organizations to have a procedure in place for upholding privacy by design. This comes with its own challenges, as it means making changes to existing processes and solutions.
Ideally, technology should be upgraded so that data can be erased automatically. Under the ‘right to be forgotten’, individuals can request that their data be removed once its purpose has been served. The controller should be the one to communicate this to the businesses concerned.
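Sections 3 and 5 describe two things the data you hold needs: a record of the nature of each consent, which the individual can later withdraw, and a way to erase data automatically once its purpose is served. The Python below is an added example written for this article, not code from the article or from any product it mentions; the ConsentLedger class, the 365-day retention window and the sample subjects are all assumptions constructed for the illustration. Withdrawal is stored as a new event rather than by deleting the original grant, so the history of what was agreed, when and through which form survives for audit, while erasure removes the personal fields and leaves only an opaque audit line.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentEvent:
    """One consent decision for one purpose, recorded with its provenance."""
    purpose: str        # e.g. "marketing_email"
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime        # when the individual made the choice (UTC)
    source: str         # the nature of the consent: where and how it was captured
    evidence: str = ""  # e.g. the form version or wording shown at the time


@dataclass
class Subject:
    subject_id: str
    email: Optional[str]
    name: Optional[str]
    events: List[ConsentEvent] = field(default_factory=list)
    erased: bool = False


class ConsentLedger:
    """Append-only consent history per subject, plus erasure on request or expiry.
    (Hypothetical class written for this example.)"""

    def __init__(self, retention: timedelta):
        self.subjects: Dict[str, Subject] = {}
        self.retention = retention      # how long a grant is honoured without renewal (assumption)
        self.audit: List[str] = []      # minimal, non-personal record of erasures

    def add_subject(self, subject_id: str, email: str, name: str) -> None:
        self.subjects[subject_id] = Subject(subject_id, email, name)

    def record(self, subject_id: str, purpose: str, granted: bool,
               at: datetime, source: str, evidence: str = "") -> None:
        # A withdrawal is a new event; the original grant is never deleted.
        self.subjects[subject_id].events.append(
            ConsentEvent(purpose, granted, at, source, evidence))

    def latest(self, subject_id: str, purpose: str, now: datetime) -> Optional[ConsentEvent]:
        s = self.subjects.get(subject_id)
        if s is None or s.erased:
            return None
        candidates = [e for e in s.events if e.purpose == purpose and e.at <= now]
        return max(candidates, key=lambda e: e.at) if candidates else None

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """No recorded consent, a withdrawal, or a stale grant all mean 'no'."""
        e = self.latest(subject_id, purpose, now)
        return e is not None and e.granted and now - e.at <= self.retention

    def erase(self, subject_id: str, reason: str) -> None:
        """Right to be forgotten: drop personal fields and consent history,
        keeping only an opaque audit line so the erasure itself is provable."""
        s = self.subjects[subject_id]
        s.email = None
        s.name = None
        s.events.clear()
        s.erased = True
        self.audit.append(f"{subject_id}: erased ({reason})")

    def expire(self, now: datetime, purposes: List[str]) -> List[str]:
        """Automatic erasure: a subject with no valid consent for any purpose
        has no remaining reason to be held, so their data is removed."""
        removed = []
        for sid, s in self.subjects.items():
            if not s.erased and not any(self.may_process(sid, p, now) for p in purposes):
                self.erase(sid, "no valid consent remaining")
                removed.append(sid)
        return removed


START = datetime(2018, 1, 1, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for the illustration, not real customer records."""
    ledger = ConsentLedger(retention=timedelta(days=365))
    ledger.add_subject("s1", "alice@example.com", "Alice")
    ledger.add_subject("s2", "bob@example.com", "Bob")
    ledger.add_subject("s3", "carol@example.com", "Carol")
    # s1: opted in on the website signup form and never withdrew
    ledger.record("s1", "marketing_email", True, START, "web signup form", "form v3")
    # s2: opted in, then withdrew via an unsubscribe link a month later
    ledger.record("s2", "marketing_email", True, START, "web signup form", "form v3")
    ledger.record("s2", "marketing_email", False, START + timedelta(days=30), "unsubscribe link")
    # s3: address came from a purchased list; no consent was ever recorded
    return ledger


def check_at(ledger: ConsentLedger, days_after_start: int) -> Dict[str, bool]:
    """Who may be emailed for marketing, N days after the constructed start date."""
    now = START + timedelta(days=days_after_start)
    return {sid: ledger.may_process(sid, "marketing_email", now) for sid in ledger.subjects}


def run_expiry(ledger: ConsentLedger, days_after_start: int) -> List[str]:
    """Run the automatic erasure sweep N days after the start date."""
    return ledger.expire(START + timedelta(days=days_after_start), ["marketing_email"])


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("day 10:", check_at(ledger, 10))
    print("day 60:", check_at(ledger, 60))
    print("erased on day 60:", run_expiry(ledger, 60))
    print("audit:", ledger.audit)
```

The purchased-list address (s3) is never emailable because no consent was ever recorded for it, which is the practical consequence of section 3 for bought marketing data; the expiry sweep then removes it together with the withdrawn subject, and a grant older than the retention window is treated the same way.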
Is GDPR good for businesses?
Absolutely! At the outset GDPR looks like a lot of work – which it actually is. But when you consider the long-term benefits, it is clearly worthwhile.
GDPR protects data, and from a marketing perspective that means better-targeted communications.
So if you haven’t yet updated your customer database for GDPR compliance, it is time to do so! Reach out to us and let us help you do it.