The deadline for the GDPR (General Data Protection Regulation) is fast approaching. Your business needs to be compliant by 25th May 2018 or it could face hefty fines. But it is not just about the potential fines; it is about making sure you protect your data and keep the personal information you hold safe. Yes, the fines are going to be high, but even if you manage to absorb them you might not survive the damage to your business reputation.
While there is a lot of good advice and help around to guide you through the process of GDPR compliance, we have also seen a lot of scaremongering and not-so-good advice, so check the credentials of anyone you work with on your data protection and information privacy practices. A quick Google search will find several events you can attend in your area providing advice on how to implement GDPR compliance. These range from free information events, such as those run by your local Chamber of Commerce, through to expensive training courses to help you fully prepare for the role of Data Protection Officer in your business.
But who can you really trust to help you get this right for your business? We recommend that you start by reading the guidance provided by the Information Commissioner’s Office (ICO), as they are the authority who will be enforcing the GDPR alongside the UK Data Protection Bill and ultimately handing out the fines to those who don’t comply. Start with their ‘12 Steps to Preparing for GDPR’ guide, which gives a good overview of what you need to do. The ICO already enforces the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), but you’ve been complying properly with those already, haven’t you?
The GDPR needs to be embedded into your digital marketing strategy straight away. If you are collecting and using contact details to send promotional messages to past, present and potential customers, employees and associates, there are a number of changes you might need to make before the deadline to ensure your business is compliant.
One of the biggest issues for marketers is that you need to maintain a record of any consent you obtain from your subscribers and contacts, and that record must meet the GDPR requirements irrespective of when the consent was obtained. Recital 171 of the GDPR indicates that you may continue to rely on existing consent which meets the GDPR standard for consent. This means that it is not necessary to re-request consent from your subscribers or contacts when the GDPR comes into effect, so long as you met all of the GDPR requirements when you initially obtained that consent.
We will be cleaning up our own mailing list soon to double-check our compliance with this and the PECR. This will involve sending different consent confirmation messages to segments of our existing list to ensure that past, present and prospective customers are aware of their right to opt out from the list, and giving previous subscribers (for whom we have recorded consent details) the same information. It will also, and more importantly, mean removing all contacts from our list for whom we don’t hold accurate consent information, whilst providing them with a new subscribe link so they have the option to confirm their wish to receive any future marketing communications from us by email, using a double opt-in method which requires confirmation by email as well as the form submission.
Lots of our customers have expressed concerns about losing a large chunk of their mailing lists by doing this. However, we think this is a great opportunity to remove people who are just not interested and don’t read your content anyway. Genuinely interested customers will re-subscribe if they still want to receive your information, and those who don’t re-subscribe are not interested enough and therefore not worth wasting your time and effort on. It is like sending direct mail in the post to people who are always going to put it straight in the bin as it arrives. Cleansing your list now will actually make your marketing efforts more targeted and effective in the future.
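As an added example (not code from the original post, and not any mailing-list provider's API), the following Python sketch shows what "maintaining a record of consent" and the double opt-in list cleanse described above can look like in practice: each contact gets a consent record capturing who, when, where and under which privacy notice consent was requested; consent only counts once the emailed confirmation token has been used; and the cleanse step separates contacts with valid recorded consent from those who must be sent a fresh subscribe link. The class and field names and the sample addresses are constructed assumptions for illustration.

```python
"""Consent ledger with double opt-in and list cleansing (illustrative, constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentRecord:
    """Evidence of consent: what was asked, where, when, and whether it was confirmed."""
    email: str
    purpose: str             # e.g. "email marketing"
    source: str              # the form or page where consent was requested
    notice_version: str      # privacy notice shown to the subscriber at the time
    requested_at: datetime   # form submission (step 1 of double opt-in)
    confirmed_at: Optional[datetime] = None   # set only when the emailed link is used (step 2)
    withdrawn_at: Optional[datetime] = None   # set when the subscriber opts out

    def is_valid(self) -> bool:
        """Consent is usable only if it was confirmed by email and not later withdrawn."""
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        # Only a hash of each outstanding confirmation token is stored, so a copy of the
        # ledger alone cannot be used to confirm consent on a subscriber's behalf.
        self._pending: Dict[str, str] = {}   # sha256(token) -> email

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def request(self, email: str, purpose: str, source: str,
                notice_version: str, now: Optional[datetime] = None) -> str:
        """Step 1: record the form submission and return a one-time token to email to the subscriber."""
        self._records[email] = ConsentRecord(email, purpose, source, notice_version, self._now(now))
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        """Step 2: the subscriber follows the emailed link; only then is consent recorded as given."""
        email = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if email is None:
            return False                      # unknown, already used, or tampered token
        self._records[email].confirmed_at = self._now(now)
        return True

    def withdraw(self, email: str, now: Optional[datetime] = None) -> bool:
        """Record an opt-out; the evidence is kept, but the consent is no longer valid."""
        record = self._records.get(email)
        if record is None:
            return False
        record.withdrawn_at = self._now(now)
        return True

    def get(self, email: str) -> Optional[ConsentRecord]:
        return self._records.get(email)

    def evidence(self, email: str) -> Optional[dict]:
        """The record you would produce if asked to demonstrate that consent was obtained."""
        record = self._records.get(email)
        return asdict(record) if record else None


def cleanse(mailing_list: List[str], ledger: ConsentLedger) -> Tuple[List[str], List[str]]:
    """Split a list into contacts with valid recorded consent and contacts to send a new subscribe link."""
    keep, resubscribe = [], []
    for email in mailing_list:
        record = ledger.get(email)
        (keep if record is not None and record.is_valid() else resubscribe).append(email)
    return keep, resubscribe


if __name__ == "__main__":
    # Constructed walk-through: one contact completes double opt-in, one never confirms.
    ledger = ConsentLedger()
    token = ledger.request("alice@example.com", "email marketing", "website footer form", "2018-05")
    ledger.request("bob@example.com", "email marketing", "trade show sign-up sheet", "2018-05")
    ledger.confirm(token)                     # Alice clicks the link; Bob never does
    print(cleanse(["alice@example.com", "bob@example.com"], ledger))
    print(ledger.evidence("alice@example.com"))
```

The only thing that turns a form submission into usable consent is a successful `confirm` with the single-use token, so an address typed into a form by someone else never ends up on the list; withdrawal keeps the original record so that you can still show when and how consent was obtained and when it ended.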
Google Web Retargeting Ads and Product Retargeting cookies are a great way to track certain activities of your subscribers and social media fans. You should ensure that you implement an appropriate cookie notice and consent mechanism covering your use of these cookies and related pixels as soon as possible.
Storing and Managing Data Securely
You should review your privacy statement and policies and ensure that they give proper notice that the personal data of your subscribers or contacts will be transferred to third-party systems for data storage and/or advertising purposes. For example, you may want to update your privacy statement to include language that specifically identifies the systems you use to store data and clearly explains the methods you will use to collect, store, process and use any personal contact information in your marketing activities.
Most businesses use a public or private cloud to store their data online, and many of these are managed by third parties such as Google, Amazon, Dropbox etc. which are based in other parts of the world. A good first step would be to make sure that the systems you use are compliant with the EU-U.S. Privacy Shield framework and that you are lawfully transferring any EU/EEA personal data to the U.S. in accordance with the Privacy Shield certification. If you cannot prove the security and trustworthiness of the third parties you use for handling your data, it may be time to think about changing to a new provider.
Individuals are entitled to ask for details of the information you store about them and how it is being processed. Having clear policies and procedures in place to explain this will reduce the administrative time spent responding to requests. They could also ask to be removed from your list or to see a copy of the information you hold about them, and it is important that you respond to any such request promptly. It is, therefore, a good idea to have a process in place to deal with this and to train your employees in advance, so they are aware of how to respond and have a good understanding of why this is necessary and important.
You will need to inform the ICO of a breach if the information revealed is classed as high risk, for example if its release would cause problems, stress, loss of assets, etc. If it would, you also need to inform the data subject of the breach and what you intend to do to minimise the damage and risk. That must be done within 72 hours of the breach occurring. If there is no real risk, there is no need to report it. Fines may be applied if the breach was caused by a deliberate or easily avoidable act by the company or one of its employees, if the same or similar breaches keep occurring despite warnings having been received, if it was extremely harmful to the data subjects, etc.
If you do have a serious breach of security relating to the data you hold, it is vital that you inform the ICO immediately. Failure to do so will result in much harsher penalties when the issue is discovered or reported. We recommend ensuring that your employees are trained to identify a data breach and understand the steps they should take in the event of one occurring.