The European Union’s General Data Protection Regulation (GDPR), which comes into effect on May 25th, 2018, represents sweeping new legislation designed to protect the data rights of EU residents. It affects every organization that interacts with an EU resident in any way, wherever that organization may be located. Fines for failure to be GDPR compliant can be severe: 20 million euros or up to 4 percent of global revenues, whichever is greater.
While some organizations have already implemented processes and software and appointed DPOs to take care of their GDPR compliance, many organizations are still finding their way. Marketers, in particular, need to educate themselves on GDPR and take action to ensure they’re compliant in the ways they collect, manage, process and share information.
While every organization needs proper consultation and legal advice on being GDPR compliant, here are 10 things to do and consider as a framework for GDPR compliance to give you a head start on your own efforts, or to compare to the work you’ve already undertaken:
(1) Raise awareness and create alignment: educate all company stakeholders so that they can anticipate the impact and potential risks of GDPR.
(2) Map your information and perform a detailed data audit. In particular, you need to have answers to the following basic questions about your data:
- Who are our data subjects? Who has access to sensitive data?
- Where do we keep their personal data? Where do we transfer personal data to?
- Why is personal data under our control (for what legitimate purpose)? Why do we share it with third parties? Do third parties share it with other entities? If so, with whom, how many, and for what purpose?
- Until when are we keeping personal data? When do we share personal data with others?
- What mechanisms do we have in place to safeguard personal data?
- How is data being processed? How long should it be kept?
(3) Do a full review of current privacy notices and ensure that they will align with the requirements under GDPR before it takes effect. At a minimum, the following points should be covered:
- The identity of the controller and of the data protection officer.
- Retention period (how long data will be kept).
- The right of access, rectification, restriction, and objection.
- Right to lodge a complaint.
- Recipients and transfers of data.
- The right to withdraw consent at any time.
- The legitimate interest of the controller or of a third party (if relevant) in the collection of the data.
(4) To be GDPR compliant, organizations must be able to demonstrate that they can respond to a data subject’s personal data request, and generally this must be done within 30 days.
(5) Perform a Privacy Impact Assessment (PIA): review your data processing activities, and identify and document the legal basis for each type of processing, ensuring that no personal data is collected beyond the minimum necessary for each specific purpose of the processing.
(6) Manage consent of data subjects and ensure that consent is sought, obtained and recorded according to new guidelines, and that you are able to respond to inquiries regarding consent.
(7) Ensure data security by providing mechanisms to pseudonymize, encrypt or otherwise secure personal data, and implement a process to report data breaches.
(8) The privacy by design and by default clause of GDPR requires that all consumer interactions and touch points have privacy designed right into them, and that their default mode is one of compliance. To implement this clause, plan, design and perform your data processing activities so that, by default, only the personal data necessary for each specific purpose of the processing is processed.
(9) Appoint a Data Protection Officer (DPO) and provide them with the tools to maintain audit trails of processing activities that demonstrate accountability and compliance, to liaise with and assist supervisory authorities, and to monitor compliance with data protection laws.
(10) Ensure that the data you’re collecting can be easily transferred or given back to consumers whenever they ask for it in a format that can easily be transferred to another data controller (this is known as “data portability”).
Where to start?
While all of the above-mentioned points are critical, if you want to kickstart your efforts, a good place to start is with information mapping and a data audit (#2 above). Not only will this help with GDPR compliance, it will also enable you to better understand your customers and make smarter choices when planning and allocating your 2018 budgets.
Technology has an important role to play as well in your endeavor to be GDPR compliant. Implement a tool like LuitBiz that has built-in GDPR compliance rules to manage all your data and documents using just one integrated and easy-to-use cloud-based software. This will help your organization not only become compliant with GDPR but also be better positioned to personalize your marketing activities for better ROI.