Unless you have had your head buried in the sand, it is impossible for you not to have heard about the General Data Protection Regulation (GDPR), but have you started preparing for the GDPR?
The GDPR is coming and will take effect on 25 May 2018. The date is getting closer, which means it is time to stop talking about the changes and actually start taking action to make your business compliant.
What is the GDPR?
The GDPR will supersede the outdated Data Protection Act (DPA) and will bring in tighter rules concerning the processing of data. People will have more say over what businesses can do with their details, which will affect how you use customer and prospect information. The GDPR will also address electronic data storage and will introduce tough fines for non-compliance and breaches.
The GDPR will apply to all personal and sensitive data as a way to safeguard and give more choice to individuals. Going forward, you will be required to provide opt-in options to all customers and prospects and make it clear during this process what their information will be used for. You must also have ‘evidence’ that you can contact an individual before doing so.
The government has also introduced several new principles including the “right to be forgotten” and the “right to object” clause, which will allow individuals to object to their details being used, shared, transferred or held. Upon request, you must remove an individual from all communications immediately.
Preparing for the GDPR
Failure to comply can result in businesses being fined up to €20 million or four percent of the business’ worldwide turnover. To avoid this becoming a possibility, there are several processes you must become acquainted with. To prepare for the changes:
- Only use the medium you are authorised to use: You are obligated to only contact an individual using the channel they have opted in to.
- Unsubscribes are not to be contacted: If an individual has actively asked to unsubscribe, it is important to refrain from contacting them again. You should never contact them to ask if they wish to be subscribed back to your content.
- Alert everyone: Make sure that everyone in your business, especially those who have access to your data, is aware of the GDPR. Otherwise you will be held directly responsible if your employees are still emailing contacts or otherwise breaching the law.
- Re-consent your active users: Using the medium that the individual has consented to, ask them if they would like to remain on your database. You can also use this as an opportunity to ask if they would like to be kept up to date via other forms of communication. (Please note, if you do not have evidence that you can contact an individual, be careful about asking them to opt in, as this is still seen as a method of processing data, which is illegal if the person has not authorised it.)
- Data Protection Officers (DPOs): You must appoint a DPO if you:
  - are a public authority
  - carry out large-scale systematic monitoring of individuals (e.g. processing personal data for behavioural advertising)
  - carry out large-scale processing of special categories of data (e.g. sensitive personal data such as ethnic origin, religious beliefs etc.)
  If you are not required to appoint a DPO, you should still keep records of all your decision-making processes in regards to the GDPR.
- Safety, encryption and risk: As data protection rules become stricter, so should your internal processes. Take extra precautions to ensure that data is safeguarded, and make sure regular tests take place. We also recommend you have a breach response plan in place.
- Establish retention periods: Over the course of time, some users will become inactive or unresponsive. Establish retention periods so you can keep your data accurate and your database responsive.
By May 2018 it is important that you can demonstrate that you have been preparing for the GDPR, that you are abiding by the new regulations and that you can show a process or plan you have put in place to make your company compliant. It is those companies that have not even thought about the GDPR by May 2018 who may suffer the consequences.
Fines will not be as harsh for those that have a plan in place and show genuine intent of making changes.
Final guidance is expected shortly, but we advise you don’t wait for this. It is clear what changes will be implemented so it is better for you to begin planning sooner rather than later.
We recommend that you carry out an initial audit (data map) to see what your business’ processes currently are. You also need to begin asking questions such as: Do we send mail shots to individuals? Do we have evidence that individuals have subscribed? Where do we store all our data?
You then need to develop a strategy to make your business compliant for the GDPR and ensure you document everything you are doing.
Going forward, you will need to put in place privacy notices and clearly communicate to your prospects and customers what data you are capturing and why.
To learn more about preparing for the GDPR, join us at our webinar on Wednesday 13 December.